Openshift - 将RunOnlyAs SCC应用于部署中的pod

时间:2018-02-06 15:35:25

标签: deployment kubernetes openshift

我定义了一个SCC,允许developer用户将容器作为UID 1015运行:

    kind: SecurityContextConstraints
    apiVersion: v1
    metadata:
      name: developer
    allowPrivilegedContainer: false
    runAsUser:
      type: MustRunAs
      uid: 1015
    seLinuxContext: 
      type: MustRunAs
      uid: 1015
    users:
    - developer

当我直接以developer用户创建广告连播时,此SCC正常工作:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1-0
    spec:
      securityContext:
        runAsUser: 1015
      containers:
      - name: test-1-0
        image: test-image:1.0
        imagePullPolicy: "Always"
        volumeMounts:
        - name: secret-dir
          mountPath: "/secrets"
          readOnly: true
      volumes:
      - name: secret-dir
        secret:
          secretName: test-1.0-configs

但是,当我将其转换为部署时,我收到错误。这是我的YAML:

kind: "DeploymentConfig"
apiVersion: "v1"
metadata:
  name: "test-1-0"
spec:
  template: 
    metadata:
      labels:
        name: "test-1-0"
    spec:
      securityContext:
        runAsUser: 1015
      containers:
      - name: test-1-0
        image: test-image:1.0
        imagePullPolicy: "Always"
        volumeMounts:
        - name: secret-dir
          mountPath: "/secrets"
          readOnly: true
      volumes:
      - name: secret-dir
        secret:
          secretName: test-1.0-configs
  replicas: 2
  selector:
    name: "test-1-0"

我收到错误:

Error creating: pods "test-1-0-1-" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 1015: UID on container test-1-0 does not match required range. Found 1015, required min: 1000050000 max: 1000059999]

就像部署正在部署pod而不是我创建部署的用户一样。有什么方法可以解决这个问题吗?

1 个答案:

答案 0 :(得分:1)

最好通过服务帐户指定SCC用于部署的内容。

首先创建SCC。使用我测试过的示例,我创建了包含。{/ p>的uid1000.json 

{
    "apiVersion": "v1",
    "kind": "SecurityContextConstraints",
    "metadata": {
        "name": "uid1000"
    },
    "requiredDropCapabilities": [
        "KILL",
        "MKNOD",
        "SYS_CHROOT",
        "SETUID",
        "SETGID"
    ],
    "runAsUser": {
        "type": "MustRunAs",
        "uid": "1000"
    },
    "seLinuxContext": {
        "type": "MustRunAs"
    },
    "fsGroup": {
        "type": "MustRunAs"
    },
    "supplementalGroups": {
        "type": "RunAsAny"
    },
    "volumes": [
        "configMap",
        "downwardAPI",
        "emptyDir",
        "persistentVolumeClaim",
        "projected",
        "secret"
    ]
}

然后跑了:

oc create -f uid1000.json --as system:admin

需要管理员才能做到这一点。

接下来,我在目标项目中创建了一个服务帐户,仅用于运行需要此SCC的应用程序。

oc create serviceaccount runasuid1000

我现在说任何以此服务帐户运行的内容都应该使用新的SCC。

oc adm policy add-scc-to-user uid1000 -z runasuid1000 --as system:admin

再次需要管理员来做到这一点。 -z选项表示使用当前项目,因此请确保您处于正确的项目中。

最后,我修补了现有的部署配置。

oc patch dc/minimal-notebook --patch '{"spec":{"template":{"spec":{"serviceAccountName": "runasuid1000"}}}}'

如果需要,由于配置更改触发器被禁用,请触发新部署:

oc rollout latest minimal-notebook

这将强制容器以uid 1000的形式运行,覆盖图像甚至根据USER定义应该运行的内容。

相关问题
最新问题