我已经在本地minikube中成功实现了PodSecurityPolicies(PSP),并且在将其移植到GKE时遇到了麻烦。我现在的目标很简单-> 不允许包含UID 0或特权访问的Pod。
我的PSP很简单:
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: default-psp
spec:
privileged: false
runAsUser:
rule: MustRunAsNonRoot
Ive设置了RBAC ClusterRoleBinding,允许所有服务帐户使用PSP。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restrict-root-clusterRole
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restrict-root-clusterRoleBinding
roleRef:
kind: ClusterRole
name: restrict-root-clusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts
现在我可以使用gcloud beta container clusters update psp-demo --enable-pod-security-policy在GKE中启用PSP
然后我注意到GKE创建了以下PSP
$ k get psp
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
gce.event-exporter false RunAsAny RunAsAny RunAsAny RunAsAny false hostPath,secret
gce.fluentd-gcp false RunAsAny RunAsAny RunAsAny RunAsAny false configMap,hostPath,secret
gce.persistent-volume-binder false RunAsAny RunAsAny RunAsAny RunAsAny false nfs,secret
gce.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
gce.unprivileged-addon false RunAsAny RunAsAny RunAsAny RunAsAny false emptyDir,configMap,secret
然后我创建我的PSP和RBAC规则。
k get psp
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
default-psp false RunAsAny MustRunAsNonRoot RunAsAny RunAsAny false *
gce.event-exporter false RunAsAny RunAsAny RunAsAny RunAsAny false hostPath,secret
gce.fluentd-gcp false RunAsAny RunAsAny RunAsAny RunAsAny false configMap,hostPath,secret
gce.persistent-volume-binder false RunAsAny RunAsAny RunAsAny RunAsAny false nfs,secret
gce.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
gce.unprivileged-addon false RunAsAny RunAsAny RunAsAny RunAsAny false emptyDir,configMap,secret
然后我启动一个根用户吊舱
apiVersion: v1
kind: Pod
metadata:
name: root-user-pod
spec:
containers:
- name: root-user-pod
image: nginx
ports:
- containerPort: 80
它进入运行状态并查看注释,我看到了:
apiVersion: v1
kind: Pod
metadata:
annotations:
kubernetes.io/limit-ranger: 'LimitRanger plugin set: cpu request for container
root-user-pod'
kubernetes.io/psp: gce.privileged
很明显,我的默认PSP没有使用。
我尝试编辑gce.privileged PSP,但是GKE自动将其恢复为默认的privileged状态。
然后,我要做的是在特定名称空间中将Pod创建为特定ServiceAccouunt。我的新RBAC规则是:
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-user
namespace: test
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: test
name: test-psp-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test-psp-roleBinding
namespace: test
subjects:
- kind: ServiceAccount
name: test-user
namespace: test
roleRef:
kind: Role
name: test-psp-role
apiGroup: rbac.authorization.k8s.io
然后我将serviceAccountName: test-user添加到Pod清单中,然后将pod部署到test命名空间中,它也将进入运行状态。
k get po -n test
NAME READY STATUS RESTARTS AGE
root-user-pod 1/1 Running 0 7s
带有注释:
apiVersion: v1
kind: Pod
metadata:
annotations:
kubernetes.io/psp: gce.privileged
creationTimestamp: "2019-03-12T15:48:11Z"
name: root-user-pod
namespace: test
所以我不确定下一步该怎么做。我该如何超越GKE创建的默认PSP?