Kubernetes Pod Security Policies
Pod security policy control is implemented as an optional (but recommended) admission controller. PodSecurityPolicies are enforced by enabling the admission controller, but doing so without authorizing any policies will prevent any pods from being created in the cluster.
Since the pod security policy API (policy/v1beta1/podsecuritypolicy) is enabled independently of the admission controller, for existing clusters it is recommended that policies are added and authorized before enabling the admission controller.
Question:
I need to create a cluster, and then later define a pod security policy to restrict an account/credential to run pods in a restricted manner.
Will this apply to that particular account or to all the pods in the cluster? I prefer to keep the default admin account unrestricted while allowing only a fixed uid/gid for that particular user account to run pods.
I just doubt that if I restrict the pods to runAs only a fixed uid/gid, it may break things in the cluster.
How to apply a pod security policy to all the users/service accounts in all the namespaces (existing and new), except cluster admin?
Following this post:
https://medium.com/coryodaniel/kubernetes-assigning-pod-security-policies-with-rbac-2ad2e847c754
Turns out that I can create two PSPs:
Privileged
Restricted
Admin has access to both of them by default, but they are assigned alphabetically, so I can name them like:
01-Privileged
and
100-Restricted
So for Admin, the effective one will be the first one.
For normal users, I will just assign the restricted one through a ClusterRole and RoleBinding for all authenticated users.
But it turns out that applying a PSP to user accounts works for creating simple pods, but if they try to create ReplicaSets as part of Deployments, it won't work, and we need to assign the policy to pod service accounts as well.