k8s资源之podSecurityPolicy


 欢迎关注我的公众号:

k8s资源之podSecurityPolicy_nginx

 目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:

​​istio多集群探秘,部署了50次多集群后我得出的结论​​

​​istio多集群链路追踪,附实操视频​​

​​istio防故障利器,你知道几个,istio新手不要读,太难!​​

​​istio业务权限控制,原来可以这么玩​​

​​istio实现非侵入压缩,微服务之间如何实现压缩​​

​​不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限​​

​​不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs​​

​​不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了​​

​​不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization​​

​​不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs​​

​​不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs​​

​​不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr​​

​​不懂envoyfilter也敢说精通istio系列-08-连接池和断路器​​

​​不懂envoyfilter也敢说精通istio系列-09-http-route filter​​

​​不懂envoyfilter也敢说精通istio系列-network filter-redis proxy​​

​​不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager​​

​​不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册​​

 

————————————————

PodSecurityPolicy:

•Pod 安全策略是集群级别的资源,它能够控制 Pod 运行时的行为以及 Pod 可以访问哪些资源。PodSecurityPolicy 对象定义了一组条件,Pod 必须满足这些条件才能被系统接受。

允许的控制:

k8s资源之podSecurityPolicy_html_02

开启PodSecurityPolicy:

•配置apiserver增加admission plugin PodSecurityPolicy即可。

•--enable-admission-plugins=NodeRestriction,PodSecurityPolicy

privileged:

[root@master01 privileged]# cat ./*
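# Output of `cat ./*` in the `privileged` directory: two files. The original
# listing lost its indentation (every key was printed at column 0, which makes
# `name`, `containers`, etc. top-level keys) and has no document separators;
# both are restored here so the listing parses as two YAML documents.
# NOTE: policy/v1beta1 PodSecurityPolicy is deprecated and has been removed
# from current Kubernetes releases; Pod Security Admission is the replacement.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      securityContext:
        privileged: true   # only admitted if a PSP the pod may use allows privileged
---
# Fully permissive policy: privileged containers, every capability, every
# volume type and all host namespaces. Turning on the admission plugin alone
# rejects every pod; a PSP applies only to subjects granted the `use` verb on
# it through RBAC, so bind this one narrowly (system workloads only) rather
# than to all authenticated users.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'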

RunAsUser:

[root@master01 runAsUser]# cat ./*
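# Output of `cat ./*` in the `runAsUser` directory: three variants of the
# same policy (all named `runasuser`, so applying one replaces the previous)
# plus the test Pod. Indentation and `---` separators are restored; the flat
# original would not parse as the intended objects.
#
# Variant 1: the pod must run as a non-root UID (either an explicit non-zero
# runAsUser or runAsNonRoot: true); supplemental groups and fsGroup are
# forced into 1-65535.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
---
# Variant 2: any UID in 1-65535, i.e. anything except UID 0. A pod that sets
# no runAsUser is mutated to the first value of the first range (UID 1).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
---
# Test Pod: no runAsUser/runAsNonRoot is set. Under variants 1 and 2 the
# policy decides the UID; the stock nginx image starts as root, so expect a
# rejection or a failed start under them — confirm in your cluster.
# Variant 3 admits it unchanged.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
---
# Variant 3: no UID restriction at all (root allowed).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'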

SELinux:

[root@master01 selinux]# cat ./*
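# Output of `cat ./*` in the `selinux` directory: the test Pod and the policy.
# Indentation and the `---` separator are restored.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"   # not the level the policy below requires
  containers:
    - image: nginx
      name: nginx
---
# seLinux MustRunAs pins the SELinux level every container must use. The Pod
# above asks for a different level, so it is expected to be rejected at
# admission — presumably the point of this example.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: selinux
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'MustRunAs'
    seLinuxOptions:
      level: "s0:c2,c3"
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 0
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 0
        max: 65535
  readOnlyRootFilesystem: false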

supplementalGroups:

[root@master01 supplementalGroups]# cat ./*
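# Output of `cat ./*` in the `supplementalGroups` directory: two variants of
# the `supplementalgroups` policy (same name, so the second replaces the
# first) and the test Pod. Indentation and `---` separators are restored.
#
# Variant 1: supplemental GIDs must fall in 10-65535; a pod that sets none is
# given the range minimum.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: 'RunAsAny'
---
# Test Pod: declares no supplementalGroups, so variant 1 fills them in.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
---
# Variant 2: no restriction on supplemental groups.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'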

FSGroup:

[root@master01 fsGroup]# cat ./*
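# Output of `cat ./*` in the `fsGroup` directory: two variants of the
# `fsgroups` policy (same name, so the second replaces the first) and the
# test Pod. Indentation and `---` separators are restored, and the fsGroup
# range line `max:65535` (no space after the colon, which is not a valid
# key/value pair and would fail to apply) is corrected to `max: 65535`.
#
# Variant 1: supplemental GIDs in 10-65535 and fsGroup in 20-65535; a pod
# that sets neither is given the range minimums.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 20
        max: 65535
---
# Test Pod: sets no fsGroup, so variant 1 fills it in.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
---
# Variant 2: no restriction on fsGroup or supplemental groups.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'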

runAsGroup:

[root@master01 runAsGroup]# cat ./*
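# Output of `cat ./*` in the `runAsGroup` directory: two variants of the
# `runasgroup` policy (same name, so the second replaces the first) and the
# test Pod. Indentation and `---` separators are restored.
#
# Variant 1: the primary GID must fall in 10-65535; a pod that sets no
# runAsGroup is given the range minimum.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 10
        max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
# Test Pod: sets no runAsGroup.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
---
# Variant 2: no restriction on the primary GID.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'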

HostPorts:

[root@master01 HostPorts]# cat ./*
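# Output of `cat ./*` in the `HostPorts` directory: the policy and the test
# Pod. Indentation and the `---` separator are restored.
#
# Only host ports 65532-65535 may be requested. The Pod below asks for
# hostPort 8080, which is outside that range, so it is expected to be
# rejected — presumably the point of this example.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostports
spec:
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostPorts:
    - min: 65532
      max: 65535
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80
          hostPort: 8080   # not within the policy's 65532-65535 range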

AllowedHostPaths:

[root@master01 allowedHostPaths]# cat ./*
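# Output of `cat ./*` in the `allowedHostPaths` directory: the policy and the
# test Pod. Indentation and the `---` separator are restored.
#
# `volumes: ['*']` permits hostPath volumes, but allowedHostPaths limits them
# to paths under /foo and only read-only. The Pod below mounts /data, which is
# not under /foo, so it is expected to be rejected. Keeping hostPath mounts
# read-only matters: a writable host mount lets a container modify node files.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedhostpaths
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedHostPaths:
    - pathPrefix: "/foo"
      readOnly: true
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80
      volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: html
  volumes:
    - name: html
      hostPath:
        path: /data   # not under the allowed prefix /foo
        type: DirectoryOrCreate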

hostIPC:

[root@master01 hostIPC]# cat ./*
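# Output of `cat ./*` in the `hostIPC` directory: the policy and the test
# Pod. Indentation and the `---` separator are restored.
#
# hostIPC: false forbids sharing the node's IPC namespace; the Pod below sets
# hostIPC: true and is expected to be rejected. (The policy still allows any
# hostPath via `volumes: ['*']`, so it is only restrictive for IPC.)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostipc
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostIPC: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostIPC: true   # denied by the policy above
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80
      volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: html
  volumes:
    - name: html
      hostPath:
        path: /data
        type: DirectoryOrCreate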

hostPID:

[root@master01 hostPID]#  cat ./*
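# Output of `cat ./*` in the `hostPID` directory: the policy and the test
# Pod. Indentation and the `---` separator are restored.
#
# hostPID: false forbids sharing the node's PID namespace (which would expose
# every host process to the container); the Pod below sets hostPID: true and
# is expected to be rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostpid
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostPID: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostPID: true   # denied by the policy above
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80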

hostNetwork:

[root@master01 hostNetwork]# cat ./*
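# Output of `cat ./*` in the `hostNetwork` directory: the policy and the test
# Pod. Indentation and the `---` separator are restored. The original
# hostPorts range ended at 65536, which is above the highest TCP/UDP port;
# it is corrected to 65535 here (the range is irrelevant to this example
# anyway, since the Pod is rejected for hostNetwork before ports matter).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostnetwork
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostNetwork: false
  hostPorts:
    - min: 0
      max: 65535
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostNetwork: true   # denied by the policy above
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80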

allowPrivilegeEscalation:

[root@master01 allowPrivilegeEscalation]# cat ./*
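# Output of `cat ./*` in the `allowPrivilegeEscalation` directory: the policy
# and the test Pod. Indentation and the `---` separator are restored.
#
# allowPrivilegeEscalation: false forces no_new_privs on admitted containers
# (blocks setuid binaries and similar from gaining privileges). The Pod below
# explicitly asks for escalation and is expected to be rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowprivilegeescalation
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      securityContext:
        allowPrivilegeEscalation: true   # denied by the policy above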

requiredDropCapabilities:

[root@master01 requiredDropCapabilities]# cat ./*
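# Output of `cat ./*` in the `requiredDropCapabilities` directory: the test
# Pod and the policy. Indentation and the `---` separator are restored.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
---
# requiredDropCapabilities is mutating: every admitted container has CHOWN
# added to its dropped capabilities, and a pod that tries to `add` a listed
# capability is rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  requiredDropCapabilities:
    - CHOWN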

allowedCapabilities:

[root@master01 allowedCapabilities]# cat ./*
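# Output of `cat ./*` in the `allowedCapabilities` directory: the policy and
# the test Pod. Indentation and the `---` separator are restored.
#
# The policy is still named `requireddropcapabilities` (copied from the
# previous example); applying it overwrites that policy. Consider a distinct
# name such as `allowedcapabilities`.
#
# Only NET_ADMIN may be added beyond the runtime default set. The Pod below
# adds NET_ADMIN and SYS_TIME; SYS_TIME is not allowed, so expect a rejection.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedCapabilities:
    - NET_ADMIN
---
# runAsNonRoot: true with the stock busybox image (which runs as root) is
# expected to fail at container start even if admission passed — confirm.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"
      securityContext:
        capabilities:
          add: ["NET_ADMIN", "SYS_TIME"]   # SYS_TIME is not in allowedCapabilities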

defaultAddCapabilities:

[root@master01 defaultAddCapabilities]# cat ./*
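# Output of `cat ./*` in the `defaultAddCapabilities` directory: the policy
# and the test Pod. Indentation and the `---` separator are restored.
#
# The policy is again named `requireddropcapabilities` (copy-paste from the
# earlier example); applying it overwrites that policy — use a distinct name.
#
# defaultAddCapabilities is mutating: NET_ADMIN and SYS_TIME are added to
# every admitted container's capability set and are implicitly allowed, so
# the Pod below, which adds both, is admitted. Because this grants extra
# privilege to pods that never asked for it, keep such a policy bound to as
# few subjects as possible.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  defaultAddCapabilities:
    - NET_ADMIN
    - SYS_TIME
---
# runAsNonRoot: true with the stock busybox image (which runs as root) is
# expected to fail at container start even though admission passes — confirm.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"
      securityContext:
        capabilities:
          add: ["NET_ADMIN", "SYS_TIME"]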

readOnlyRootFilesystem:

[root@master01 readOnlyRootFilesystem]# cat ./*
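# Output of `cat ./*` in the `readOnlyRootFilesystem` directory: the test Pod
# and the policy. Indentation and the `---` separator are restored.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
---
# readOnlyRootFilesystem: true is mutating: every admitted container gets a
# read-only root filesystem, and a container that explicitly sets it to false
# is rejected. The stock nginx image writes under its cache/run directories
# at startup, so with no writable volume mounted it is likely to fail to
# start under this policy — confirm in your cluster.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: readonlyrootfilesystem
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: true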

allowedUnsafeSysctls:

[root@master01 allowedUnsafeSysctls]# cat ./*
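# Output of `cat ./*` in the `allowedUnsafeSysctls` directory: the policy and
# the test Pod. Indentation and the `---` separator are restored.
#
# net.ipv4.ip_forward is not in the kubelet's safe-sysctl set, so a pod may
# only set it if the PSP allowlists it here AND the kubelet on the node lists
# it in --allowed-unsafe-sysctls — otherwise the pod is admitted but fails
# scheduling/start on that node (confirm against your kubelet config).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedunsafesysctls
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedUnsafeSysctls:
    - net.ipv4.ip_forward
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ip_forward
        value: "1"
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"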

forbiddenSysctls:

[root@master01 forbiddenSysctls]# cat ./*
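# Output of `cat ./*` in the `forbiddenSysctls` directory: the policy and the
# test Pod. Indentation and the `---` separator are restored.
#
# forbiddenSysctls blocks the listed sysctl regardless of any allowlist; the
# Pod below sets net.ipv4.ip_forward and is expected to be rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: forbiddensysctls
spec:
  volumes:
    - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  forbiddenSysctls:
    - net.ipv4.ip_forward
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ip_forward   # forbidden by the policy above
        value: "1"
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"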
