当 kubernetes 中存在 pod 安全策略时,如何部署 statefulset
[英]how to deploy a statefulset when a pod security policy is in place in kubernetes
问题描述
I am trying to play around with PodSecurityPolicies in kubernetes so pods can't be created if they are using the root user.
我正在尝试使用 kubernetes 中的 PodSecurityPolicies,因此如果使用 root 用户,则无法创建 Pod。 This is my psp definition:这是我的psp定义:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: eks.restrictive
spec:
hostNetwork: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: MustRunAsNonRoot
fsGroup:
rule: RunAsAny
volumes:
- '*'
and this is my statefulset definition这是我的 statefulset 定义
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: web
spec:
selector:
matchLabels:
app: nginx # has to match .spec.template.metadata.labels
serviceName: "nginx"
replicas: 3 # by default is 1
template:
metadata:
labels:
app: nginx # has to match .spec.selector.matchLabels
spec:
securityContext:
#only takes integers.
runAsUser: 1000
terminationGracePeriodSeconds: 10
containers:
- name: nginx
image: k8s.gcr.io/nginx-slim:0.8
ports:
- containerPort: 80
name: web
volumeMounts:
- name: www
mountPath: /usr/share/nginx/html
volumeClaimTemplates:
- metadata:
name: www
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "my-storage-class"
resources:
requests:
storage: 1Gi
When trying to create this statefulset I get尝试创建此 statefulset 时,我得到
create Pod web-0 in StatefulSet web failed error: pods "web-0" is forbidden: unable to validate against any pod security policy:
It doesn't specify what policy am I violating, and since I am specifying I want to run this on user 1000, I am not running this as root (Hence my understanding is that this statefulset pod definition is not violating any rules defined in the PSP).它没有指定我违反了什么策略,并且由于我指定我想在用户 1000 上运行它,所以我没有以 root 身份运行它(因此我的理解是这个 statefulset pod 定义没有违反在PSP)。 There is no USER specified in the Dockerfile used for this image.用于此图像的 Dockerfile 中没有指定 USER。
The other weird part, is that this works fine for standard pods (kind: Pod, instead of kind:Statefulset), for example, this works just fine, when the same PSP exists:另一个奇怪的部分是,这适用于标准 pod(种类:Pod,而不是 kind:Statefulset),例如,当存在相同的 PSP 时,它工作得很好:
apiVersion: v1
kind: Pod
metadata:
name: my-nodejs
spec:
securityContext:
runAsUser: 1000
containers:
- name: my-node
image: node
ports:
- name: web
containerPort: 80
protocol: TCP
command:
- /bin/sh
- -c
- |
npm install http-server-g
npx http-server
What am I missing / doing wrong?我错过了什么/做错了什么?
1 个解决方案
解决方案1
0 2020-08-13 12:00:42
You seems to have forgotten about binding this psp to a service account.您似乎忘记了将此 psp 绑定到服务帐户。
You need to apply the following:您需要应用以下内容:
cat << EOF | kubectl apply -f-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- eks.restrictive
EOF
cat << EOF | kubectl apply -f-
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: psp-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp-role
subjects:
- kind: ServiceAccount
name: default
namespace: default
EOF
If you dont want to use the default account you can create a separate service account and bind the role to it.如果您不想使用默认帐户,您可以创建一个单独的服务帐户并将角色绑定到它。
Read more about it k8s documentation - pod-security-policy .阅读更多关于它的 k8s 文档 - pod-security-policy 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.