On our cluster, almost all services use the following PSP and ClusterRoleBinding:
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
- apiGroups:
  - extensions
  resourceNames:
  - restricted
  resources:
  - podsecuritypolicies
  verbs:
  - use
In other words, the restricted PSP doesn't allow anything exciting. That works well for us, and it is an easy-to-understand, mature configuration. However, when a pod is created with the Airflow GKEPodOperator, the following error appears:
Failed create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "e1ab15d888c52b90c2fea73fec3a75cd3d79125f21f7840e2e6ca3c00f3b3b16" network for pod "braintree-to-gcs-11bd354a": NetworkPlugin cni failed to set up pod "braintree-to-gcs-11bd354a_private" network: connection is unauthorized: pods "braintree-to-gcs-11bd354a" is forbidden: unable to validate against any pod security policy: []
Unless I'm very much mistaken, our pod spec can't validate against that PSP. But I'm stuck on why that would be; in fact, it's exactly the same kind of container that we routinely run in production without any problem whatsoever. My only guess is that we haven't set the container securityContext (because Airflow doesn't allow it), but I don't think that's actually required for a pod to validate against a PSP. The pod spec created by Airflow is as follows:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    # note that the pod is attempting to validate against a different PSP (but still failing)
    kubernetes.io/psp: dynatrace-oneagent
  name: braintree-to-gcs-11bd354a
  namespace: private
spec:
  affinity: {}
  containers:
  - args:
    - "2011-02-19T00:00:00+00:00"
    env:
      REDACTED
    image: gcr.io/prod-233014/c-braintree-etl:6ac00fdba4cf75ac3b13002d5d343f5427bbd44b
    imagePullPolicy: IfNotPresent
    name: base
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-pqmf6
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: gcr-json-key
  nodeName: gke-main-cluster-preemptible-nodes-1-e414988e-dn0d
  priority: 0
  restartPolicy: Never
  schedulerName: default-scheduler
  securityContext:
    runAsUser: 65532
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-pqmf6
    secret:
      defaultMode: 420
      secretName: default-token-pqmf6
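The following is an added example, not part of the question above and not code from Kubernetes, Airflow or GKE. It is a small Python model of how the PodSecurityPolicy admission plugin decides, written to make one detail of the error message visible: the list after "unable to validate against any pod security policy:" holds the field errors the policies produced, and a policy is skipped without adding to that list when the requester has no `use` binding for it, or when (on an UPDATE request, which is what the CNI plugin's call is) admitting the pod would require mutating it, since only CREATE requests are mutated. So `[]` means the pod's fields never failed a check. The dicts `PSPS`, `USE_BINDINGS` and `AIRFLOW_POD` are reductions of the YAML in the question to the fields the model checks; the `dynatrace-oneagent` PSP is left out because its spec is not in the question; the function names, the alphabetical policy order and the error strings are this example's own.

```python
import copy

# The "restricted" PSP from the question, reduced to the fields this model checks.
PSPS = {
    "restricted": {
        "allowPrivilegeEscalation": False,
        "requiredDropCapabilities": ["ALL"],
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
        "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
        "volumes": ["configMap", "emptyDir", "projected", "secret",
                    "downwardAPI", "persistentVolumeClaim"],
    },
}
# ClusterRole psp:restricted plus its binding: which groups may "use" each PSP.
USE_BINDINGS = {"restricted": {"system:authenticated"}}
# The Pod Airflow created, reduced to what the checks below look at.
AIRFLOW_POD = {
    "securityContext": {"runAsUser": 65532},
    "containers": [{"name": "base", "securityContext": {}}],
    "volumes": [{"name": "default-token-pqmf6", "secret": {}}],
}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def apply_defaults(pod, psp):
    """Return a copy with the defaults PSP admission fills in from this policy."""
    pod = copy.deepcopy(pod)
    psc = pod.setdefault("securityContext", {})
    if psp["fsGroup"]["rule"] == "MustRunAs":
        psc.setdefault("fsGroup", psp["fsGroup"]["ranges"][0]["min"])
    if psp["supplementalGroups"]["rule"] == "MustRunAs":
        psc.setdefault("supplementalGroups", [psp["supplementalGroups"]["ranges"][0]["min"]])
    if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
        psc.setdefault("runAsNonRoot", True)
    for c in pod["containers"]:
        csc = c.setdefault("securityContext", {})
        if psp["allowPrivilegeEscalation"] is False:
            csc.setdefault("allowPrivilegeEscalation", False)
        caps = csc.setdefault("capabilities", {})
        caps["drop"] = sorted(set(caps.get("drop", [])) | set(psp["requiredDropCapabilities"]))
    return pod


def validate(pod, psp):
    """Field errors for pod against psp; an empty list means it validates."""
    errs = []
    psc = pod.get("securityContext", {})
    used = {k for v in pod.get("volumes", []) for k in v if k != "name"}
    for vol in sorted(used - set(psp["volumes"])):
        errs.append(f"spec.volumes: {vol} volumes are not allowed to be used")
    for key in ("fsGroup", "supplementalGroups"):
        ids = psc.get(key)
        ids = [ids] if isinstance(ids, int) else ids  # fsGroup is a single GID
        if psp[key]["rule"] == "MustRunAs" and not (
                ids and all(_in_ranges(i, psp[key]["ranges"]) for i in ids)):
            errs.append(f"spec.securityContext.{key}: must be in the allowed ranges")
    for c in pod["containers"]:
        csc = c.get("securityContext", {})
        uid = csc.get("runAsUser", psc.get("runAsUser"))        # container overrides pod
        nonroot = csc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot" and (
                uid == 0 or (uid is None and nonroot is not True)):
            errs.append(f"containers[{c['name']}].runAsUser: must run as non-root")
        if psp["allowPrivilegeEscalation"] is False and csc.get("allowPrivilegeEscalation"):
            errs.append(f"containers[{c['name']}].allowPrivilegeEscalation: must be false")
        dropped = set(csc.get("capabilities", {}).get("drop", []))
        missing = sorted(set(psp["requiredDropCapabilities"]) - dropped)
        if missing:
            errs.append(f"containers[{c['name']}].capabilities.drop: must drop {missing}")
    return errs


def admit(pod, requester_groups, operation="CREATE"):
    """PSP admission decision as (admitting PSP name, accumulated field errors).

    (None, []) is the '[]' of the question: no policy rejected the pod's fields;
    each was skipped because it would mutate the pod (only CREATE may mutate)
    or because the requester has no "use" binding for it."""
    errors = []
    for name, psp in sorted(PSPS.items()):
        candidate = apply_defaults(pod, psp)
        errs = validate(candidate, psp)
        if errs:
            errors.extend(errs)
            continue
        if operation != "CREATE" and candidate != pod:
            continue  # needs mutation; silently skipped on UPDATE
        if not (USE_BINDINGS.get(name, set()) & set(requester_groups)):
            continue  # validates, but the requester may not "use" it
        return name, []
    return None, errors


if __name__ == "__main__":
    print(admit(AIRFLOW_POD, ["system:authenticated"]))                      # ('restricted', [])
    print(admit(AIRFLOW_POD, ["system:authenticated"], operation="UPDATE"))  # (None, [])
```

The two calls at the bottom are the contrast worth having in mind when reading the error in the question: on CREATE the Airflow pod is admitted under `restricted` once the defaults are filled in, while an UPDATE of that same un-defaulted spec, even by an identity that may use `restricted`, yields the empty list, because the only policy that fits would have to mutate the pod. A pod that really fails a rule (running as root, or mounting a hostPath) produces a non-empty list instead.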