  • Kubernetes: securing nodes and the network inside the cluster

    • Run the container as a fixed user: spec.containers.securityContext.runAsUser: uid
    • Disallow the root user inside the container: spec.containers.securityContext.runAsNonRoot: true
    • Run the container in privileged mode: spec.containers.securityContext.privileged: true
    • Add a specific kernel capability to the container: spec.containers.securityContext.capabilities.add: SYS_TIME (allows changing the system time)
    • Drop a kernel capability in the container: spec.containers.securityContext.capabilities.drop: SYS_TIME
    • Prevent writes to the container's root filesystem: spec.containers.securityContext.readOnlyRootFilesystem: true

    The security-context restrictions listed for containers also apply at the pod level (spec.securityContext).

    • Sharing volumes between different users: spec.securityContext.fsGroup and spec.securityContext.supplementalGroups

    Combining RBAC with PodSecurityPolicy

    Define the PodSecurityPolicies

    • default
    
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: default   # PodSecurityPolicy is cluster-scoped, so it carries no namespace
    spec:
      hostIPC: false
      hostPID: false
      hostNetwork: false
      hostPorts:
      - min: 10000
        max: 11000
      - min: 13000
        max: 14000
      privileged: false   # the default policy must refuse privileged containers (see the Forbidden error below)
      readOnlyRootFilesystem: false
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      seLinux:
        rule: RunAsAny
      volumes:
      - '*'
    
    • privileged
    
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: privileged   # cluster-scoped, no namespace
    spec:
      hostIPC: false
      hostPID: false
      hostNetwork: false
      hostPorts:
      - min: 10000
        max: 11000
      - min: 13000
        max: 14000
      privileged: true   # the only difference from the default policy
      readOnlyRootFilesystem: false
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      seLinux:
        rule: RunAsAny
      volumes:
      - '*'
    

    Define the ClusterRoles (each one grants the "use" verb on exactly one policy)

    kubectl create clusterrole psp-default --verb=use --resource=podsecuritypolicies --resource-name=default
    
    kubectl create clusterrole psp-privileged --verb=use --resource=podsecuritypolicies --resource-name=privileged
    

    Define the ClusterRoleBindings (psp-default for every authenticated user, psp-privileged only for the user admin)

    kubectl create clusterrolebinding psp-default --clusterrole=psp-default --group=system:authenticated
    
    kubectl create clusterrolebinding psp-privileged --clusterrole=psp-privileged --user=admin
    

    Create a Pod with privileged: true as user admin1 (who, unlike admin, is only bound to psp-default, so the privileged container is rejected)

    kubectl create -f centos_1.yaml
    Error from server (Forbidden): error when creating "centos_1.yaml": pods "centos5" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
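An offline re-enactment of the admission decision shown above, added here as an example (it is not code from the original post or from Kubernetes). The policy dicts mirror the two PodSecurityPolicies and the two bindings defined on this page; `validate`, `admit`, `policies_for` and the pod specs are constructed stand-ins, and only the privileged-container message copies the wording of the real error.

```python
# Added example: a minimal model of the PodSecurityPolicy admission check for the
# policies on this page. Policy dicts mirror the PSPs above; pods are constructed.
PSP_DEFAULT = {"privileged": False, "hostNetwork": False, "hostPID": False,
               "hostIPC": False, "hostPorts": [(10000, 11000), (13000, 14000)]}
PSP_PRIVILEGED = dict(PSP_DEFAULT, privileged=True)   # identical except privileged

# Which policies a user may "use", as granted by the clusterrolebindings above:
# psp-default to every authenticated user, psp-privileged only to the user "admin".
def policies_for(user):
    usable = [("default", PSP_DEFAULT)]
    if user == "admin":
        usable.append(("privileged", PSP_PRIVILEGED))
    return usable

def validate(pod, psp):
    """Return the violations of one policy by one pod spec (empty list = allowed)."""
    errs, spec = [], pod["spec"]
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns, False) and not psp[ns]:
            errs.append(f"spec.{ns}: Invalid value: true: Host {ns[4:].lower()} is not allowed")
    for i, c in enumerate(spec.get("containers", [])):
        sc = c.get("securityContext", {})
        if sc.get("privileged", False) and not psp["privileged"]:
            errs.append(f"spec.containers[{i}].securityContext.privileged: "
                        "Invalid value: true: Privileged containers are not allowed")
        for p in c.get("ports", []):
            hp = p.get("hostPort")
            if hp is not None and not any(lo <= hp <= hi for lo, hi in psp["hostPorts"]):
                errs.append(f"spec.containers[{i}].hostPort: Invalid value: {hp}: "
                            "Host port is not in an allowed range")
    return errs

def admit(pod, user):
    """Admission decision: the pod is accepted by the first usable policy it satisfies."""
    all_errs = []
    for name, psp in policies_for(user):
        errs = validate(pod, psp)
        if not errs:
            return True, name, []
        all_errs.extend(errs)
    return False, None, all_errs

# Constructed stand-in for centos_1.yaml: one privileged container, as in the failing run.
POD_CENTOS5 = {"metadata": {"name": "centos5"}, "spec": {"containers": [
    {"name": "c", "image": "centos", "securityContext": {"privileged": True}}]}}
# Constructed: an unprivileged pod whose hostPort lies outside both allowed ranges.
POD_HOSTPORT = {"metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "c", "image": "nginx", "ports": [{"containerPort": 80, "hostPort": 8080}]}]}}
```

Calling `admit(POD_CENTOS5, "admin1")` reproduces the Forbidden outcome above, while `admit(POD_CENTOS5, "admin")` is accepted under the privileged policy.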
    
  • Original article: https://www.cnblogs.com/zhangjxblog/p/12167676.html