K8s

Kubernetes-pod安全策略安全配置

2022-08-04  本文已影响0人  Chris0Yang

PODSECURITYPOLICY

Pod 安全策略（PodSecurityPolicy）是集群级别的资源，它能够控制 Pod 运行时的行为，以及 Pod 能够访问哪些资源。PodSecurityPolicy 对象定义了一组条件，Pod 必须满足这些条件才能被系统接受。

允许的控制

image.png

开启PodSecurityPolicy:

在 kube-apiserver 的启动参数中启用 admission plugin PodSecurityPolicy 即可

# kube-apiserver argument (one entry of the `command:` list in its manifest).
# Without "PodSecurityPolicy" in this list the PSP objects below exist but are
# never enforced; once it is present, a pod is admitted only if some PSP that
# its creator or service account may `use` accepts it, so create the policies
# and their RBAC bindings before restarting the API server.
# NOTE(review): the PodSecurityPolicy admission plugin was deprecated in
# Kubernetes 1.21 and removed in 1.25; on newer clusters use Pod Security
# Admission (the pod-security.kubernetes.io namespace labels) instead.
- --enable-admission-plugins=NodeRestriction,PodSecurityPolicy

# Other admission plugins that can be added to the same comma-separated list:
NamespaceLifecycle
LimitRanger
ServiceAccount
DefaultStorageClass
DefaultTolerationSeconds
MutatingAdmissionWebhook
ValidatingAdmissionWebhook
ResourceQuota
PodSecurityPolicy
NodeRestriction

PRIVILEGED

[root@master01 privileged]# cat ./*
# --- file 1: Pod requesting a privileged container ---
# (the documents in this listing are separate files printed by `cat ./*`;
#  insert a `---` separator between them if you merge them into one stream)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true   # admitted only if a PSP the pod may `use` has spec.privileged: true
# --- file 2: PodSecurityPolicy "privileged" ---
# Fully permissive policy: every control is opened up, so the pod above is
# admitted. Treat it as an explicit exception for trusted system workloads;
# granting `use` on it to every service account makes enabling the plugin pointless.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'   # any seccomp profile, unconfined included
spec:
  privileged: true               # host devices and all capabilities inside the container
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'                          # any Linux capability may be added
  volumes:
  - '*'                          # any volume type, hostPath included
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535                   # the node's entire port range
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'             # UID 0 allowed
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

RunAsUser

[root@master01 runAsUser]# cat ./*
# --- file 1: PSP "runasuser", variant A (MustRunAsNonRoot) ---
# (the four documents in this listing are separate files printed by `cat ./*`;
#  insert a `---` separator between them if you merge them into one stream)
# NOTE(review): all three PSPs here use metadata.name "runasuser", so applying
# them one after another overwrites the same object; only the last applied
# variant is in force.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'MustRunAsNonRoot'   # the pod below sets neither runAsUser nor runAsNonRoot, so admission injects runAsNonRoot: true and the kubelet then refuses to start a container whose image USER is root (the stock nginx image defaults to root — verify)
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'          # pod sets none, so the range minimum (GID 1) is injected as the default
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'          # same defaulting: fsGroup 1
    ranges:
      - min: 1
        max: 65535
  volumes:                     # hostPath is deliberately absent from this allow-list
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
# --- file 2: PSP "runasuser", variant B (MustRunAs 1-65535) ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'MustRunAs'          # UID 0 is outside the range; a pod without runAsUser gets UID 1 (range minimum) injected
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
# --- file 3: Pod under test (no securityContext, so UID/GID come from the PSP defaults) ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
# --- file 4: PSP "runasuser", variant C (RunAsAny) — no UID restriction; root is allowed ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'

SELinux

[root@master01 selinux]# cat ./*
# --- file 1: Pod with an explicit SELinux MCS level ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"   # does not match the level the PSP below mandates
  containers:
  - image: nginx
    name: nginx
# --- file 2: PSP "selinux" ---
# Only meaningful on nodes where SELinux is enforcing — verify the node OS.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: selinux
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'MustRunAs'       # pods must carry exactly these seLinuxOptions (injected when a pod sets none);
    seLinuxOptions:         # the pod above asks for s0:c123,c456, so it is rejected
      level: "s0:c2,c3"
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 0              # range starts at GID 0, so the root group is still permitted
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 0
        max: 65535
  readOnlyRootFilesystem: false

supplementalGroups

[root@master01 supplementalGroups]# cat ./*
# --- file 1: PSP "supplementalgroups", restrictive variant ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
# NOTE(review): files 1 and 3 share metadata.name "supplementalgroups"; applying
# both just overwrites the object, so only the last applied variant is in force.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'     # GIDs 0-9 are rejected; the pod below sets none, so GID 10 (range minimum) is injected
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: 'RunAsAny'
# --- file 2: Pod under test (no securityContext) ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
# --- file 3: PSP "supplementalgroups", permissive variant (no GID restriction) ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

FSGroup

[root@master01 fsGroup]# cat ./*
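# --- file 1: PSP "fsgroups", restrictive variant ---
# Pins supplemental GIDs and the volume fsGroup to non-system ranges.
# NOTE(review): files 1 and 3 share metadata.name "fsgroups"; applying both
# just overwrites the object, so only the last applied variant is in force.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  volumes:              # hostPath is deliberately absent from this allow-list
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'   # pod sets none, so GID 10 (range minimum) is injected
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: 'MustRunAs'   # pod sets none, so fsGroup 20 (range minimum) is injected; 0-19 rejected
    ranges:
    - min: 20
      max: 65535        # fixed: was "max:65535" (missing space), a bare scalar where a key is expected, so the file did not parse
---
# --- file 2: Pod under test (no securityContext) ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
# --- file 3: PSP "fsgroups", permissive variant (no GID restriction) ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'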

RUNASGROUP

[root@master01 runAsGroup]# cat ./*
# --- file 1: PSP "runasgroup", restrictive variant ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
# NOTE(review): files 1 and 3 share metadata.name "runasgroup"; applying both
# just overwrites the object, so only the last applied variant is in force.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'     # UID is unconstrained here; only the primary GID is controlled
  runAsGroup:
    rule: 'MustRunAs'    # primary GID must be 10-65535; the pod below sets none, so GID 10 is injected
    ranges:
      - min: 10
        max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
# --- file 2: Pod under test (no securityContext) ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
# --- file 3: PSP "runasgroup", permissive variant (no GID restriction) ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

HOSTPORTS

[root@master01 HostPorts]# cat ./*
# --- file 1: PSP "hostports" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostports
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostPorts:
  - min: 65532
    max: 65535      # only these four node ports may be requested via containers[].ports[].hostPort
# --- file 2: Pod requesting a host port ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
      hostPort: 8080   # outside 65532-65535, so admission rejects the pod; a hostPort binds directly on the node IP, outside the Service layer

ALLOWEDHOSTPATHS

[root@master01 allowedHostPaths]# cat ./*
# --- file 1: PSP "allowedhostpaths" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedhostpaths
spec:
  volumes:
    - '*'                 # hostPath is permitted as a type; allowedHostPaths below narrows which host paths and how
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedHostPaths:
  - pathPrefix: "/foo"    # prefix match: only host paths under /foo, and only read-only mounts
    readOnly: true
# --- file 2: Pod mounting a host directory read-write ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /usr/share/nginx/html   # no readOnly: true, so this is a writable mount of the host directory
      name: html
  volumes:
  - name: html
    hostPath:
      path: /data                 # not under /foo (and writable), so the PSP rejects the pod
      type: DirectoryOrCreate     # would create /data on the node if the pod were admitted

HOSTIPC

[root@master01 hostIPC]# cat ./*
# --- file 1: PSP "hostipc" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostipc
spec:
  volumes:
    - '*'                 # any volume type, hostPath included — the hostPath in the pod below is therefore not what gets it rejected
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostIPC: false          # the control under test: pods asking for the node's IPC namespace are rejected
# --- file 2: Pod requesting the host IPC namespace ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostIPC: true           # would share SysV IPC / POSIX message queues with every process on the node; denied by the PSP above
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: html
  volumes:
  - name: html
    hostPath:
      path: /data
      type: DirectoryOrCreate   

HOSTPID

[root@master01 hostPID]#  cat ./*
# --- file 1: PSP "hostpid" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostpid
spec:
  volumes:
    - '*'                 # any volume type, hostPath included
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostPID: false          # the control under test: pods asking for the node's PID namespace are rejected
# --- file 2: Pod requesting the host PID namespace ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostPID: true           # would let the container see every process on the node; denied by the PSP above
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

HOSTNETWORK

[root@master01 hostNetwork]# cat ./*
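# --- file 1: PSP "hostnetwork" ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostnetwork
spec:
  volumes:
    - '*'                 # any volume type, hostPath included
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostNetwork: false      # the control under test: pods asking for the node's network namespace are rejected
  hostPorts:
  - min: 0
    max: 65535            # fixed: was 65536, which is outside the 16-bit port range (whether the API server rejects such a PSP outright is not verified here)
---
# --- file 2: Pod requesting the host network namespace ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostNetwork: true       # would bind directly on the node's interfaces and typically sits outside NetworkPolicy enforcement; denied by the PSP above
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80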

ALLOWPRIVILEGEESCALATION

[root@master01 allowPrivilegeEscalation]# cat ./*
# --- file 1: PSP "allowprivilegeescalation" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowprivilegeescalation
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowPrivilegeEscalation: false   # sets no_new_privs: setuid binaries and file capabilities cannot gain privileges; pods that leave the field unset get false injected, pods that set true are rejected
# --- file 2: Pod explicitly asking for privilege escalation ---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true   # conflicts with the PSP above, so the pod is rejected

REQUIREDDROPCAPABILITIES

[root@master01 requiredDropCapabilities]# cat ./*
# --- file 1: Pod under test (no securityContext) ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
# --- file 2: PSP "requireddropcapabilities" ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  requiredDropCapabilities:   # admission mutates every container to add these to capabilities.drop; a pod that tries to add one of them is rejected
  - CHOWN 

ALLOWEDCAPABILITIES

[root@master01 allowedCapabilities]# cat ./*
# --- file 1: PSP for the allowedCapabilities test ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
# NOTE(review): metadata.name is still "requireddropcapabilities" (copied from the
# previous example); applying this file overwrites that PSP rather than adding a new one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedCapabilities:   # the only capability a container may add beyond the runtime default set
  - NET_ADMIN
# --- file 2: Pod adding two capabilities ---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true   # not a PSP check: the kubelet refuses to start the container if the image's USER is root (stock busybox defaults to root — verify)
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]   # SYS_TIME is not in allowedCapabilities, so admission rejects the pod

DEFAULTADDCAPABILITIES

[root@master01 defaultAddCapabilities]# cat ./*
# --- file 1: PSP for the defaultAddCapabilities test ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
# NOTE(review): metadata.name is still "requireddropcapabilities" (copied from an
# earlier example); applying this file overwrites that PSP rather than adding a new one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  defaultAddCapabilities:   # added to every admitted container, even ones that request nothing; entries here are also treated as allowed when a pod adds them explicitly — verify
  - NET_ADMIN
  - SYS_TIME
# --- file 2: Pod explicitly adding the same two capabilities ---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true   # not a PSP check: the kubelet refuses to start the container if the image's USER is root (stock busybox defaults to root — verify)
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]   # both match defaultAddCapabilities above

READONLYROOTFILESYSTEM

[root@master01 readOnlyRootFilesystem]# cat ./*
# --- file 1: Pod under test (no securityContext) ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
# --- file 2: PSP "readonlyrootfilesystem" ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: readonlyrootfilesystem
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: true   # admission injects readOnlyRootFilesystem: true into the pod above (a pod setting false is rejected); the nginx image writes to its cache and pid directories at startup, so it needs emptyDir mounts there to run — verify

ALLOWEDUNSAFESYSCTLS

[root@master01 allowedUnsafeSysctls]# cat ./*
# --- file 1: PSP "allowedunsafesysctls" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedunsafesysctls
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedUnsafeSysctls:   # PSP-side allow-list only; the node's kubelet must also list the sysctl in --allowed-unsafe-sysctls, otherwise the pod is admitted but fails to start
  - net.ipv4.ip_forward
# --- file 2: Pod setting the sysctl ---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ip_forward   # matches the PSP allow-list above
      value: "1"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"  

FORBIDDENSYSCTLS

[root@master01 forbiddenSysctls]# cat ./*
# --- file 1: PSP "forbiddensysctls" ---
# (documents are separate files printed by `cat ./*`; add `---` between them when merging)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: forbiddensysctls
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  forbiddenSysctls:       # deny-list; takes precedence over any allow-list, and the pod below sets exactly this sysctl, so it is rejected
  - net.ipv4.ip_forward
# --- file 2: Pod setting the forbidden sysctl ---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ip_forward   # listed in forbiddenSysctls above → admission rejects the pod
      value: "1"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"  

