I want to build a Pod Security Policy that drops all capabilities and then enables only CHOWN.
The problem is that "requiredDropCapabilities: ALL" seems to be the overriding rule: if it is set to ALL, individual capabilities cannot be added with AllowedCapabilities or DefaultAddCapabilities.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
RequiredDropCapabilities - The capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. Capabilities listed in RequiredDropCapabilities must not be included in AllowedCapabilities or DefaultAddCapabilities.
How can I deny every capability except one?
- EDIT
Here is my example:
PodSecurityPolicy:
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-pot-root
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  allowedCapabilities:
  - CHOWN
  requiredDropCapabilities:
  - ALL
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
And then inside the container there is no CHOWN capability:
root@hellonode-6d654c57b8-b8hz8:/app# capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=1(daemon)
Thanks.
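The capsh --print output above is the right check, but capsh is often absent from application images. The following is an added example, not part of the original question: a small Python decoder for the CapEff/CapBnd bitmasks that the kernel exposes in /proc/<pid>/status, which yields the same information as the "Current:" and "Bounding set" lines of capsh. The bit positions come from the kernel's include/uapi/linux/capability.h; the two status excerpts inside the block are constructed for illustration (one matching the empty set shown above, one holding only CAP_CHOWN), and DOCKER_DEFAULT_MASK is the well-known default bounding set value 0x00000000a80425fb.

```python
"""Decode the capability masks in /proc/<pid>/status (CapEff, CapBnd, ...).

Added example, not code from the original question. It is equivalent to the
"Current:" and "Bounding set" lines of `capsh --print`, for images that do
not ship libcap. Bit positions follow include/uapi/linux/capability.h.
"""
from __future__ import annotations

# Capability names in bit order: CAP_CHOWN is bit 0, CAP_CHECKPOINT_RESTORE bit 40.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_mask(mask: int) -> list[str]:
    """Return the capability names whose bit is set in mask, lowest bit first."""
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    unknown = mask >> len(CAP_NAMES)  # bits newer than this table
    if unknown:
        names.append(f"UNKNOWN_BITS(0x{unknown:x}<<{len(CAP_NAMES)})")
    return names


def encode_mask(names) -> int:
    """Inverse of decode_mask, handy for building expected values."""
    return sum(1 << CAP_NAMES.index(n) for n in names)


def decode_proc_status(text: str) -> dict[str, list[str]]:
    """Parse the Cap* lines of a /proc/<pid>/status document."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_FIELDS:
            result[key] = decode_mask(int(value.strip(), 16))
    return result


def decode_self() -> dict[str, list[str]]:
    """Read the calling process's own status (run this inside the container)."""
    with open("/proc/self/status", encoding="ascii") as f:
        return decode_proc_status(f.read())


# Constructed sample: what the container above reports (no capabilities at all).
STATUS_EMPTY = """\
Name:\tnode
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
"""

# Constructed sample: a root process holding only CAP_CHOWN.
STATUS_CHOWN_ONLY = """\
Name:\tnode
CapInh:\t0000000000000000
CapPrm:\t0000000000000001
CapEff:\t0000000000000001
CapBnd:\t0000000000000001
CapAmb:\t0000000000000000
"""

# Docker's default bounding set, 0x00000000a80425fb, as seen in an unrestricted container.
DOCKER_DEFAULT_MASK = 0xA80425FB

if __name__ == "__main__":
    for label, text in (("empty", STATUS_EMPTY), ("chown-only", STATUS_CHOWN_ONLY)):
        caps = decode_proc_status(text)
        print(f"{label}: CapEff={caps['CapEff']} CapBnd={caps['CapBnd']}")
    print("docker default:", decode_mask(DOCKER_DEFAULT_MASK))
```

Inside a pod, `python3 -c 'import capdecode; print(capdecode.decode_self())'` (module name assumed) shows the same four sets capsh would; an empty CapBnd means nothing can be regained by a setuid binary or file capability either, which is the property the question's policy is after.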
Answer 0 (score: 0)
What I did was comment out "- ALL", add all of the "capability options" that are allowed by default as documented here, and comment out the ones I don't need.
Note: I thought I only needed CHOWN, but I ended up needing more.
requiredDropCapabilities:
  # - ALL # Drop all the usual capabilities
  - SETPCAP # Modify process capabilities.
  - MKNOD # Create special files using mknod(2).
  - AUDIT_WRITE # Write records to kernel auditing log.
  # - CHOWN # Make arbitrary changes to file UIDs and GIDs (see chown(2)).
  - NET_RAW # Use RAW and PACKET sockets.
  # - DAC_OVERRIDE # Bypass file read, write, and execute permission checks.
  # - FOWNER # Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
  - FSETID # Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
  - KILL # Bypass permission checks for sending signals.
  # - SETGID # Make arbitrary manipulations of process GIDs and supplementary GID list.
  # - SETUID # Make arbitrary manipulations of process UIDs.
  - NET_BIND_SERVICE # Bind a socket to internet domain privileged ports (port numbers less than 1024).
  - SYS_CHROOT # Use chroot(2), change root directory.
  - SETFCAP # Set file capabilities
Hope it helps. I was looking for the answer myself, but found your question first :)
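The answer's recipe (enumerate the default set and drop everything you do not keep) and the question's "drop ALL, allow CHOWN" policy can be compared with a small model of the PSP capability logic. What follows is an added example, not part of the original answer and not Kubernetes' own code: a simplified restatement of the PSP capabilities strategy (mutate the container's add/drop lists, then validate them against the policy) followed by Docker-style "drop first, then add" evaluation against the 14-entry default set the answer lists. Under this model the question's policy leaves a plain pod with no capabilities, because allowedCapabilities only permits an add that the pod itself must request in securityContext.capabilities.add, whereas defaultAddCapabilities actually adds it; the answer's enumerated drop list leaves exactly the five uncommented capabilities. DEFAULT_SET, the class names and drop_list_for are this example's own constructions.

```python
"""Model of how PodSecurityPolicy capability fields combine with a container's
securityContext.capabilities, and what the runtime ends up granting.

Added example, not code from the original answer and not Kubernetes' own
implementation: a simplified restatement of the PSP capabilities strategy
(mutate, then validate) plus Docker-style "drop first, then add" handling.
Field names mirror the PSP spec; DEFAULT_SET is the answer's 14-entry list.
"""
from __future__ import annotations
from dataclasses import dataclass

# The runtime's default capability set (the 14 entries in the answer's list).
DEFAULT_SET = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
})


@dataclass(frozen=True)
class PSPCaps:
    """The three capability fields of a PodSecurityPolicy spec."""
    allowedCapabilities: frozenset[str] = frozenset()
    defaultAddCapabilities: frozenset[str] = frozenset()
    requiredDropCapabilities: frozenset[str] = frozenset()


@dataclass(frozen=True)
class ContainerCaps:
    """securityContext.capabilities of one container."""
    add: frozenset[str] = frozenset()
    drop: frozenset[str] = frozenset()


def validate_psp(psp: PSPCaps) -> None:
    """Policy-level rule: a name in requiredDropCapabilities may not also be
    allowed or default-added. Comparison is by exact name, so 'ALL' in
    requiredDrop does not by itself clash with 'CHOWN' in allowed."""
    clash = (psp.allowedCapabilities | psp.defaultAddCapabilities) & psp.requiredDropCapabilities
    if clash:
        raise ValueError(f"listed in requiredDropCapabilities and allowed/default-added: {sorted(clash)}")


def mutate(psp: PSPCaps, c: ContainerCaps) -> ContainerCaps:
    """Admission mutation: defaultAdd (unless the container drops it) is added
    and requiredDrop is merged into the drop list. allowedCapabilities is
    deliberately absent here: it only permits, it never adds."""
    default_add = psp.defaultAddCapabilities - c.drop
    return ContainerCaps(add=c.add | default_add, drop=c.drop | psp.requiredDropCapabilities)


def validate_container(psp: PSPCaps, c: ContainerCaps) -> None:
    """Admission validation of the mutated container against the policy."""
    if "*" not in psp.allowedCapabilities:
        extra = c.add - psp.allowedCapabilities - psp.defaultAddCapabilities
        if extra:
            raise ValueError(f"capability may not be added: {sorted(extra)}")
    missing = psp.requiredDropCapabilities - c.drop
    if missing:
        raise ValueError(f"capability must be dropped: {sorted(missing)}")


def runtime_set(c: ContainerCaps, base: frozenset[str] = DEFAULT_SET) -> frozenset[str]:
    """Docker-style evaluation: 'ALL' in drop empties the base set, other drops
    remove from it, then every add is put back. ('ALL' in add is not modelled.)"""
    if "ALL" in c.add:
        raise NotImplementedError("add: [ALL] is outside this model")
    kept = frozenset() if "ALL" in c.drop else base - c.drop
    return kept | c.add


def admit(psp: PSPCaps, c: ContainerCaps = ContainerCaps()) -> frozenset[str]:
    """Check the policy, mutate, validate, and return what the container process
    would hold. Raises ValueError when admission fails."""
    validate_psp(psp)
    mutated = mutate(psp, c)
    validate_container(psp, mutated)
    return runtime_set(mutated)


def admission_error(psp: PSPCaps, c: ContainerCaps = ContainerCaps()) -> str | None:
    """Return the rejection reason, or None when the pod is admitted."""
    try:
        admit(psp, c)
    except ValueError as e:
        return str(e)
    return None


def drop_list_for(keep: frozenset[str], base: frozenset[str] = DEFAULT_SET) -> list[str]:
    """The answer's recipe: requiredDropCapabilities = default set minus what is kept."""
    return sorted(base - keep)


# Policy from the question: drop ALL, allow CHOWN.
QUESTION_PSP = PSPCaps(allowedCapabilities=frozenset({"CHOWN"}),
                       requiredDropCapabilities=frozenset({"ALL"}))

# Policy from the answer: enumerate the drops, keep the five uncommented ones.
KEPT_BY_ANSWER = frozenset({"CHOWN", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID"})
ANSWER_PSP = PSPCaps(requiredDropCapabilities=frozenset(drop_list_for(KEPT_BY_ANSWER)))

if __name__ == "__main__":
    print("question PSP, plain pod:      ", sorted(admit(QUESTION_PSP)))
    print("question PSP, pod adds CHOWN: ", sorted(admit(QUESTION_PSP, ContainerCaps(add=frozenset({"CHOWN"})))))
    print("answer PSP, plain pod:        ", sorted(admit(ANSWER_PSP)))
    print("answer PSP drop list:         ", drop_list_for(KEPT_BY_ANSWER))
```

Running the file prints the three scenarios; drop_list_for() generates the requiredDropCapabilities list the answer wrote by hand, which is the less error-prone way to maintain it when the kept set changes. The model keeps the PSP-level check (a name in both requiredDropCapabilities and allowedCapabilities is rejected) separate from the pod-level check, which is where the quoted documentation sentence applies.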