如何禁用exec shell(shell / bash提示符),以使没有用户能够以root用户身份进入正在运行的容器?
答案 0 :(得分:0)
您应该使用RBAC授权。
创建一个角色而不授予对“ pod / exec”子资源的访问权限。即
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list", "watch"]
因此,所有绑定到该角色的用户/服务帐户将无法进入特定名称空间内的Pod。
答案 1 :(得分:0)
如果要在生产环境中运行编织范围,则可能需要限制两个主要方面:
1。 K8的工作节点外壳程序访问和Pods外壳程序访问
要禁用控件,编织范围提供了开箱即用的解决方案,您需要将探针"--probe.no-controls=true"作为启动参数传递给您的 weave-scope-agent 。
最终文件如下所示:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: weave-scope-agent
labels:
name: weave-scope-agent
app: weave-scope
weave-cloud-component: scope
weave-scope-component: agent
namespace: weave
spec:
minReadySeconds: 5
selector:
matchLabels:
app: weave-scope
template:
metadata:
labels:
name: weave-scope-agent
app: weave-scope
weave-cloud-component: scope
weave-scope-component: agent
spec:
containers:
- name: scope-agent
args:
- '--probe.no-controls=true'
- '--weave=false'
- '--mode=probe'
- '--probe-only'
- '--probe.kubernetes.role=host'
- '--probe.docker.bridge=docker0'
- '--probe.docker=true'
- 'weave-scope-app.weave.svc.cluster.local.:80'
image: weaveworks/scope:1.11.2
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 100m
memory: 100Mi
securityContext:
privileged: true
volumeMounts:
- name: docker-socket
mountPath: /var/run/docker.sock
- name: scope-plugins
mountPath: /var/run/scope/plugins
- name: sys-kernel-debug
mountPath: /sys/kernel/debug
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
hostPID: true
tolerations:
- effect: NoSchedule
operator: Exists
volumes:
- name: docker-socket
hostPath:
path: /var/run/docker.sock
- name: scope-plugins
hostPath:
path: /var/run/scope/plugins
- name: sys-kernel-debug
hostPath:
path: /sys/kernel/debug
updateStrategy:
rollingUpdate:
maxUnavailable: 1
请注意,我正在使用-weave = false 标志,因为我没有在K8s集群中将weave用作CNI,如果您使用的是wei CNI,请不要通过此标志,否则可能会导致其他明智的行为观察。
2。窗格删除访问权限
要禁止编织用户删除吊舱,您需要使用一些RBAC规则。在RBAC中允许 pod 和 pod / logs ,并禁用 delete 动词。这样做,用户将能够看到窗格和窗格日志,但是他们将能够删除窗格。
最终RBAC文件将如下所示:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
name: weave-scope
name: weave-scope
namespace: weave
rules:
- apiGroups:
- ""
resources:
- pods
- pods/log
- replicationcontrollers
- services
- nodes
- persistentvolumes
- persistentvolumeclaims
verbs:
- get
- list
- watch
#- apiGroups:
# - ""
# resources:
# - pods
# verbs:
# - delete
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/scale
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- deployments/scale
verbs:
- update
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- watch
- apiGroups:
- extensions
resourceNames:
- weave-scope
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- volumesnapshot.external-storage.k8s.io
resources:
- volumesnapshots
- volumesnapshotdatas
verbs:
- list
- watch