当Kubernetes中有Pod安全策略时,如何部署状态集

时间:2020-08-12 16:46:37

标签: kubernetes

我正在尝试在kubernetes中使用PodSecurityPolicies,因此如果pod使用的是root用户,则无法创建pod。 这是我的PSP定义:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.restrictive
spec:
  hostNetwork: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

这是我的状态集定义

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      securityContext:
        #only takes integers. 
        runAsUser: 1000
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi

尝试创建此有状态集时,我得到

create Pod web-0 in StatefulSet web failed error: pods "web-0" is forbidden: unable to validate against any pod security policy:

它没有指定我违反的策略,并且由于我指定要在用户1000上运行,因此我没有以root用户身份运行(因此,我的理解是,此statefulset pod定义未违反任何规则在PSP中定义)。用于该映像的Dockerfile中没有指定USER。

另一个奇怪的部分是,这对于标准Pod(种类:Pod,而不是kind:Statefulset)有效,例如,当存在相同的PSP时,这种方法就很好:

apiVersion: v1
kind: Pod
metadata:
  name: my-nodejs
spec:
  securityContext:
    runAsUser: 1000
  containers:
    - name: my-node
      image: node
      ports:
        - name: web
          containerPort: 80
          protocol: TCP
      command:
      - /bin/sh
      - -c
      - |
          npm install http-server-g
          npx http-server

我想念什么/做错了什么?

1 个答案:

答案 0 :(得分:0)

您似乎忘记了将此PSP绑定到服务帐户。

您需要应用以下内容:

cat << EOF | kubectl apply -f-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - eks.restrictive
EOF

cat << EOF | kubectl apply -f-
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
EOF

如果您不想使用默认帐户,则可以创建一个单独的服务帐户并将该角色绑定到该帐户。

详细了解k8s documentation - pod-security-policy

相关问题
最新问题