Kubernetes 如何在将API服务器部署为systemd服务的k8s上启用准入控制器插件?
我正在尝试应用podSecurityPolicy,并尝试测试它是否允许我创建特权pod。 下面是podSecurityPolicy资源清单Kubernetes 如何在将API服务器部署为systemd服务的k8s上启用准入控制器插件?,kubernetes,Kubernetes,我正在尝试应用podSecurityPolicy,并尝试测试它是否允许我创建特权pod。 下面是podSecurityPolicy资源清单 kind: PodSecurityPolicy apiVersion: policy/v1beta1 metadata: name: podsecplcy spec: hostIPC: false hostNetwork: false hostPID: false privileged: false readOnlyRootFilesystem:
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: podsecplcy
spec:
hostIPC: false
hostNetwork: false
hostPID: false
privileged: false
readOnlyRootFilesystem: true
hostPorts:
- min: 10000
max: 30000
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
seLinux:
rule: RunAsAny
volumes:
- '*'
apiVersion: v1
kind: Pod
metadata:
name: pod-privileged
spec:
containers:
- name: main
image: alpine
command: ["/bin/sleep", "999999"]
securityContext:
privileged: true
当前psp如下所示
[root@master ~]# kubectl get psp
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
podsecplcy false RunAsAny RunAsAny RunAsAny RunAsAny true *
[root@master ~]#
在提交了上面的清单之后,我正试图使用下面的清单创建特权pod
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: podsecplcy
spec:
hostIPC: false
hostNetwork: false
hostPID: false
privileged: false
readOnlyRootFilesystem: true
hostPorts:
- min: 10000
max: 30000
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
seLinux:
rule: RunAsAny
volumes:
- '*'
apiVersion: v1
kind: Pod
metadata:
name: pod-privileged
spec:
containers:
- name: main
image: alpine
command: ["/bin/sleep", "999999"]
securityContext:
privileged: true
pod的创建没有任何问题。我希望它会抛出错误,因为特权pod的创建是通过podSecurityPolicy限制的。
然后我意识到,可能是准入控制器插件未启用,我通过描述kube apiserver pod(为了可读性删除了一些行)看到了哪些准入控制器插件已启用,并且只能看到节点限制已启用
[root@master ~]# kubectl -n kube-system describe po kube-apiserver-master.k8s
--client-ca-file=/etc/kubernetes/pki/ca.crt
--enable-admission-plugins=NodeRestriction
--enable-bootstrap-token-auth=true
**Attempt:**
Tried to edit /etc/systemd/system/multi-user.target.wants/kubelet.service and changed ExecStart=/usr/bin/kubelet --enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
restarted kubelet service.But no luck
Now how to enable other admission controller plugins?
1。找到静态pod清单路径 从systemd状态,您将能够找到kubelet单位文件
systemctl状态kubelet.service
执行cat/etc/systemd/system/kubelet.service
(将路径替换为从上述命令获得的路径)
转到指向--pod manifest path=
2.打开启动kube-apiserver-master.k8s吊舱的yaml
下面是查找YAML的示例步骤
cd /etc/kubernetes/manifests/
grep kube-apiserver-master.k8s *
3.将PodSecurityPolicy
附加到标志——在YAML文件中启用准入插件=
4.为kube系统名称空间创建PSP和相应的绑定
创建一个PSP来授予对kube系统名称空间(包括CNI)中的POD的访问权
kubectl apply -f - <<EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
name: privileged
spec:
allowedCapabilities:
- '*'
allowPrivilegeEscalation: true
fsGroup:
rule: 'RunAsAny'
hostIPC: true
hostNetwork: true
hostPID: true
hostPorts:
- min: 0
max: 65535
privileged: true
readOnlyRootFilesystem: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
volumes:
- '*'
EOF
kubectl apply-f-从systemd status-/usr/lib/systemd/system/kubelet.service.找到了服务文件,但该文件中没有清单路径。我在/etc/kubernetes/manifests.中找到了kube-apiserver.yaml。但是在编辑此文件并在中附加PodSecurityPolicy之后——启用许可插件=。我无法在kubectl get-n kube-system中看到kube-apiserver-master.k8s pod正在运行。在我以相同的先前状态还原文件后,pod启动并处于运行状态。因此,似乎不允许在yaml文件中直接编辑它seems@user10953531,我又更新了一个步骤,该步骤将创建必要的角色和绑定以及PSP,以便在启用PodSecurityPolicy
excellent后启动api pod。现在编辑kube-apiserver.yaml文件有助于启用PSP。但现在我创建了特权为false的PSP,并创建了clusterrole和clusterrolebinding与您从群集rolebinding yaml文件中创建和删除命名空间和组详细信息相同。现在我正在尝试创建特权pod,它允许我创建。但我的期望是,它不允许我在任何命名空间上创建特权pod,因为clusterrolebinding不是命名空间资源(kube系统除外)@user10953531,请创建一个包含所有详细信息的新问题:)当然。我将创建一个新问题,因为podsecuritypolicy不适用于非kube系统命名空间资源。您是否已授权用户或服务帐户使用您的psp?psp资源本身不起任何作用。@Piotr Malec为了测试这一点,我创建了kubectl create ns psptest;kubectl创建sa pspstestsa-n psptest;kubectl create clusterrole非priv角色——动词=list,get,watch——resource=PodSecurityPolicy——resource name=podsecplcy;kubectl create clusterrolebinding psprbtest--clusterrole=非私有角色--serviceaccount=psptest:PSPSPSTESTSA;在pod create yaml中添加了名称空间和sa,并已尝试。仍然成功创建了特权pod。因此,我希望我们需要启用准入插件podSecurityPolicy来解决此问题。您的群集是如何部署的?您使用的K8s版本和基础架构是什么?