I am using Istio hosted on Google Cloud. It currently provides 1.0.3, and 1.1.1 should be available in about a month. My question, however, is not version-specific.
The following PSP is enabled in the Istio-enabled cluster:
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: PodSecurityPolicy
  metadata:
    annotations:
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    name: restrictive-psp
    namespace: ""
  spec:
    allowPrivilegeEscalation: true
    allowedCapabilities:
    - '*'
    fsGroup:
      rule: RunAsAny
    hostPorts:
    - max: 8000
      min: 0
    privileged: true
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
    - configMap
    - secret
    - emptyDir
    - nfs
    - persistentVolumeClaim
    - hostPath
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
The corresponding ClusterRole:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restrictive-role
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restrictive-psp
  verbs:
  - use
ClusterRoleBinding:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restrict-rolebind
subjects:
- kind: Group
  name: system:serviceaccounts
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: restrictive-role
  apiGroup: rbac.authorization.k8s.io
I still get the following error:
Error creating: pods "encryption-9-87649bf5d-q8dbk" is forbidden: unable to validate against any pod security policy:
Pods without the sidecar are fine.
I checked the required steps at "https://preliminary.istio.io/help/ops/setup/required-pod-capabilities":
[sourabh.w@K9-MAC-035 istio-cni]$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:r19-3-encryption-qa:default) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
restrictive-psp [*]
[sourabh.w@K9-MAC-035 istio-cni]$ for psp in $(kubectl get psp -o jsonpath="{range .items[*]}{@.metadata.name}{'\n'}{end}"); do if [ $(kubectl auth can-i use psp/$psp --as=system:serviceaccount:default:default) = yes ]; then kubectl get psp/$psp --no-headers -o=custom-columns=NAME:.metadata.name,CAPS:.spec.allowedCapabilities; fi; done
restrictive-psp [*]
[sourabh.w@K9-MAC-035 istio-cni]$
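The `kubectl auth can-i` loop above only answers "may this service account use the PSP"; it does not tell you which rule of that PSP a sidecar-injected pod spec trips. The following added example (not Istio, Kubernetes or the question author's code) models a subset of the PSP fields present in the question (privileged, allowedCapabilities, hostPorts, volumes, runAsUser) as a small checker, and runs it against a constructed pod spec shaped like an Istio-injected pod: an init container that adds NET_ADMIN and NET_RAW and runs as root, the application container, and the proxy sidecar. The second, tighter policy and all pod values are constructed sample data, not taken from the cluster in the question.

```python
"""Simplified PodSecurityPolicy rule checker (illustration only).

Models only the PSP fields visible in the question: privileged,
allowedCapabilities, hostPorts, volumes and runAsUser. Real PSP admission
also evaluates requiredDropCapabilities, defaultAddCapabilities, seLinux,
fsGroup, supplementalGroups and the security context defaults it mutates in.
"""

# Transcribed from the restrictive-psp in the question.
RESTRICTIVE_PSP = {
    "name": "restrictive-psp",
    "privileged": True,
    "allowedCapabilities": ["*"],
    "hostPorts": [{"min": 0, "max": 8000}],
    "volumes": ["configMap", "secret", "emptyDir", "nfs",
                "persistentVolumeClaim", "hostPath"],
    "runAsUser": {"rule": "RunAsAny"},
}

# Constructed tighter policy for comparison: no added capabilities, no
# hostPorts, no root, only ephemeral/config volumes.
TIGHT_PSP = {
    "name": "tight-psp",
    "privileged": False,
    "allowedCapabilities": [],
    "hostPorts": [],
    "volumes": ["configMap", "secret", "emptyDir"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
}

# Constructed pod spec shaped like an Istio sidecar-injected pod.
SIDECAR_POD = {
    "initContainers": [
        {"name": "istio-init",
         "securityContext": {"runAsUser": 0,
                             "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}},
    ],
    "containers": [
        {"name": "app", "ports": [{"containerPort": 8080}]},
        {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
    ],
    "volumes": [
        {"name": "istio-envoy", "emptyDir": {}},
        {"name": "istio-certs", "secret": {"secretName": "istio.default"}},
    ],
}


def _containers(pod):
    """Init containers are validated against the PSP too."""
    return pod.get("initContainers", []) + pod.get("containers", [])


def violations(psp, pod):
    """Return a list of human-readable rule violations; empty means the pod
    would pass the modelled subset of this PSP."""
    out = []
    allowed_caps = psp["allowedCapabilities"]
    run_as_rule = psp["runAsUser"]["rule"]
    for c in _containers(pod):
        name = c["name"]
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp["privileged"]:
            out.append(f"{name}: privileged container not allowed")
        if "*" not in allowed_caps:
            for cap in sc.get("capabilities", {}).get("add", []):
                if cap not in allowed_caps:
                    out.append(f"{name}: capability {cap} not allowed")
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            # An empty hostPorts list means no host ports are permitted.
            if hp is not None and not any(
                    r["min"] <= hp <= r["max"] for r in psp["hostPorts"]):
                out.append(f"{name}: hostPort {hp} outside allowed ranges")
        if run_as_rule == "MustRunAsNonRoot" and sc.get("runAsUser") == 0:
            out.append(f"{name}: runs as root but policy is MustRunAsNonRoot")
    for vol in pod.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in psp["volumes"]:
            out.append(f"volume {vol['name']}: type {vtype} not allowed")
    return out


if __name__ == "__main__":
    for psp in (RESTRICTIVE_PSP, TIGHT_PSP):
        found = violations(psp, SIDECAR_POD)
        print(psp["name"], "->", found or "no violations in modelled rules")
```

Running it shows that the capabilities the sidecar's init container asks for are covered by `'*'` in the question's PSP, while the tighter policy rejects the same pod on NET_ADMIN, NET_RAW and the root user; whatever the real cluster rejected is in the part of the error message after the final colon, which is what a checker like this would need to match up with.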