The Best Introduction to K8S Security Mechanisms, Part 5: Pod Security Policy
2019-07-03
陈sir的知识图谱
Pod security configuration policy
PodSecurityPolicy (PSP below)
A PSP is a cluster-scoped K8S resource used for fine-grained control over the security-sensitive parts of a Pod spec (privileged mode, host namespaces, user and group IDs, volume types, and so on). It is enforced by an admission controller at Pod creation time.
PSP is switched on through a kube-apiserver startup parameter:
--enable-admission-plugins=PodSecurityPolicy
Once PSP is active, K8S rejects every Pod by default: a Pod is admitted only if some PSP validates it and the requester (or the Pod's service account) is authorized to use that PSP. You therefore have to create both a PSP and the matching RBAC authorization before any Pod can be created. Because Pods created by controllers (Deployments, DaemonSets, ...) are checked against the Pod's service account, the binding should normally go to service accounts rather than to users. Note that PSP was deprecated in Kubernetes 1.21 and removed in 1.25, where Pod Security Admission replaces it.
Example
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # privileged pods are not allowed.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
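The policy above forbids only privileged containers; every other field is RunAsAny and `volumes: ['*']` even admits hostPath mounts. For contrast, here is a restrictive policy in the same format, an added example rather than a manifest from the original post. The name `restricted`, the seccomp annotations and the chosen volume list are my assumptions; the field semantics are those of policy/v1beta1 PodSecurityPolicy.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted                      # assumed name
  annotations:
    # seccomp is configured through annotations in policy/v1beta1:
    # only runtime/default may be requested, and it is applied when the pod says nothing.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                     # no privileged containers
  allowPrivilegeEscalation: false       # no setuid binaries gaining privileges (no_new_privs)
  requiredDropCapabilities:
    - ALL                               # containers must drop every capability
  hostNetwork: false                    # no sharing of node namespaces
  hostIPC: false
  hostPID: false
  hostPorts: []                         # no host port ranges allowed
  readOnlyRootFilesystem: false         # true would force a read-only rootfs on every container
  runAsUser:
    rule: MustRunAsNonRoot              # rejects pods that would run as UID 0
  seLinux:
    rule: RunAsAny                      # node MCS labels are left to the runtime
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1                          # forbids the root group (GID 0)
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:                              # allow-list instead of '*': hostPath is no longer usable
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
```

Authorizing `restricted` works exactly like the `example` policy: a Role or ClusterRole with the `use` verb on `podsecuritypolicies` whose `resourceNames` lists `restricted`, bound to the service accounts that should run under it. If several policies are usable by a requester, the admission controller picks the first one (in alphabetical order) that validates the pod without mutation, so a permissive policy left bound cluster-wide silently wins over this one.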
Creating the policy by itself changes nothing in K8S: the policy only takes effect once a Role or ClusterRole granting the `use` verb on it is bound to the subjects that create Pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: policyrole
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - example
Then bind the role to the users or service accounts that should be allowed to use it:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: policyrolebinding
roleRef:
  kind: ClusterRole
  name: policyrole
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: <authorized service account name>
  namespace: <authorized pod namespace>
# Authorize specific users (not recommended):
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: <authorized user name>
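The ClusterRoleBinding above grants the policy cluster-wide. A tighter and more common layout scopes the grant to one namespace with a Role and RoleBinding. The manifests below wire the `example` policy from this post to a single service account and include one Pod the policy admits and one it rejects; this is an added example, not the original post's configuration, and the namespace `demo`, the service account `app` and the pod and role names are assumptions.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: demo                            # assumed namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app                             # assumed service account the pods run under
  namespace: demo
---
# A namespaced Role is sufficient: 'use' is evaluated in the namespace of the
# pod being created, so only subjects bound inside 'demo' get the policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-example-user
  namespace: demo
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['example']            # the PSP defined earlier on this page
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-example-user
  namespace: demo
roleRef:
  kind: Role
  name: psp-example-user
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount                  # bind the service account, not a human user
  name: app
  namespace: demo
---
# Admitted: nothing in this spec conflicts with the 'example' policy.
apiVersion: v1
kind: Pod
metadata:
  name: ok
  namespace: demo
spec:
  serviceAccountName: app
  containers:
  - name: c
    image: busybox
    command: ['sleep', '3600']
---
# Rejected: 'example' sets privileged: false, so no usable policy validates this pod.
apiVersion: v1
kind: Pod
metadata:
  name: denied
  namespace: demo
spec:
  serviceAccountName: app
  containers:
  - name: c
    image: busybox
    command: ['sleep', '3600']
    securityContext:
      privileged: true
```

Before creating workloads, confirm the grant is in place with `kubectl auth can-i use podsecuritypolicy/example -n demo --as=system:serviceaccount:demo:app`, which should answer `yes`. Creating the `denied` pod then fails at admission with a Forbidden error containing `unable to validate against any pod security policy`, provided no other PSP that allows privileged containers is usable by the requester or by `app`. When testing from a cluster-admin account, remember that the admin's own RBAC rights also satisfy the `use` check; impersonating the service account with `--as` exercises the path a controller would take.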