堆栈内存溢出
  简体   繁体   English

Kubernetes Pod安全策略

[英]Kubernetes Pod Security Policies

 原文  2019-07-17 18:15:45       kubernetes/ kubernetes-psp

问题描述

Pod security policy control is implemented as an optional (but recommended) admission controller. Pod安全策略控制被实现为可选的(但推荐)准入控制器。 PodSecurityPolicies are enforced by enabling the admission controller, but doing so without authorizing any policies will prevent any pods from being created in the cluster. 通过启用准入控制器来强制执行PodSecurityPolicies,但是在未授权任何策略的情况下这样做将阻止在集群中创建任何Pod。

Since the pod security policy API (policy/v1beta1/podsecuritypolicy) is enabled independently of the admission controller, for existing clusters it is recommended that policies are added and authorized before enabling the admission controller. 由于Pod安全策略API(policy / v1beta1 / podsecuritypolicy)是独立于准入控制器启用的,因此,对于现有集群,建议在启用准入控制器之前添加和授权策略。

Question: 题:

I need to create a cluster , and then later define a pod security policy to restrict an account/credential to run pods in restricted manner. 我需要创建一个cluster,然后再定义一个pod安全策略,以限制一个帐户/凭据以受限制的方式运行pod。

Does this will apply to that particular account or all the pods in the cluster? 这是否适用于该特定帐户或群集中的所有Pod? I prefer to keep the default admin account unrestricted while allow only a fix uid/gid for that particular user account to run pods. 我更喜欢保持默认的管理员帐户不受限制,同时只允许该特定用户帐户的修订uid / gid运行Pod。

I just doubt that if I restrict the pods to runAs only a fix uid/gid , it may break things in the cluster? 我只是怀疑是否将Pod限制为只作为一个修正uid / gid运行,它可能会破坏集群中的内容?

How to apply a pod security policy to all the users/service accounts in all the namespaces ( existing and new ) , except cluster admin 如何将Pod安全策略应用于所有名称空间(现有名称和新名称)中的所有用户/服务帐户,群集管理员除外

1 个解决方案

解决方案1
 1  2019-07-17 21:19:39

Following this post: 在这篇文章之后:

https://medium.com/coryodaniel/kubernetes-assigning-pod-security-policies-with-rbac-2ad2e847c754 https://medium.com/coryodaniel/kubernetes-assigning-pod-security-policies-with-rbac-2ad2e847c754

Turns out that I can create two PSPs: 事实证明,我可以创建两个PSP:

  1. Privileged 特权

  2. Restricted 受限

Admin has access to both of them by default , but they are assigned alphabetically so I can name them like: 管理员默认可以访问它们,但是它们是按字母顺序分配的,因此我可以将它们命名为:

01-Privileged 01特权

and

100-Restricted 100-限制

So for Admin , the effective one will be the first one. 因此,对于Admin来说,有效的将是第一个。

For normal users , I will just assign the restricted one through clusterRole and Rolebinding for all authenticated users. 对于普通用户,我将通过clusterRole和Rolebinding为所有经过身份验证的用户分配受限的一个。

But it turns out that applying PSP to user accounts works for creating simple pods , but if they try to create replicasets as part of deployments , it won't work , and we need to assign the policy to pod service accounts as well. 但是事实证明,将PSP应用于用户帐户可以创建简单的pod,但是,如果他们尝试在部署中创建副本集,则将无法正常工作,我们还需要将策略分配给pod服务帐户。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Kubernetes pod 安全策略 uid/gid 范围 - Kubernetes pod security policies uid/gid ranges 如何在不使用网络策略的情况下阻止流向 Kubernetes pod 的流量 - How to block traffic to a Kubernetes pod without using network policies 如何使用扩展/缩减策略实现 Kubernetes 水平 pod 自动扩展? - How to implement Kubernetes horizontal pod autoscaling with scale up/down policies? Kube.netes 网络政策。 无法“wget”到在不同名称空间上运行的 pod? - Kubernetes NetWork Policies. unable to 'wget' on to pod running on different namespace? Istio Init 容器不适用于 Pod 安全策略 - Istio Init Containers do not work with Pod Security Policies Kubernetes Pod安全策略默认特权值 - Kubernetes Pod Security Policy Default Privileged Value 使用 Azure CNI 网络策略,仅允许从 Kube.netes pod 出口到特定的 FQDN/DNS - Allow egress from a Kubernetes pod to only specific FQDN/DNS with Azure CNI Network Policies 当 kubernetes 中存在 pod 安全策略时,如何部署 statefulset - how to deploy a statefulset when a pod security policy is in place in kubernetes 如何检查 Kubernetes 中的 PSP(pod 安全策略)规范 - How to check PSP(pod security policy) spec in Kubernetes Kubernetes Pod 到 Pod 通信 - Kubernetes Pod to Pod communication
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM