PodSecurityPolicy我正在尝试在裸机 Kubernetes 1.18.3 集群上开始使用 Keycloak 提供的用户管理。psp/restricted应该在 中申请namespace/restricted(针对特定用户user和命名空间的serviceaccount/default),并且psp/unrestricted应该在 中申请namespace/unrestricted。我已经完成了基本工作(PodSecurityPolicy安装了准入控制器等),并且已准备好以下资源:
apiVersion: v1
kind: List
items:
- kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user
namespace: restricted
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
- kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user
namespace: restricted
subjects:
- kind: Group
name: user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: user
apiGroup: rbac.authorization.k8s.io
- kind: PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
privileged: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
- kind: PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: unrestricted
spec:
privileged: true
hostNetwork: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
- kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restricted
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- restricted
- kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: unrestricted
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- unrestricted
- kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restricted
subjects:
- kind: ServiceAccount
name: default
namespace: restricted
- kind: User
name: user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: restricted
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: unrestrictied
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
name: default
namespace: unrestricted
roleRef:
kind: ClusterRole
name: unrestricted
apiGroup: rbac.authorization.k8s.io
在许可方面use,一切看起来都符合预期,例如:
kubectl auth can-i use podsecuritypolicy/restricted --as user --as-group=system:authenticated # yes
kubectl auth can-i use podsecuritypolicy/unrestricted --as user --as-group=system:authenticated # no
但我观察到,虽然serviceaccount:restricrted:default无法在中创建特权 pod namespace/restricted,但用户user显然仍然可以(当该用户通过集群身份验证时):
kubectl create -f - <<EOF # succeeds (as expected)
apiVersion: v1
kind: Pod
metadata:
name: unprivileged-test-pod
namespace: restricted
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
kubectl create -f - <<EOF # succeeds (unexpected)
apiVersion: v1
kind: Pod
metadata:
name: privileged-test-pod
namespace: restricted
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
securityContext:
privileged: true
EOF
两个创建的容器都带有注释,而我原本以为当用户在 中进行身份验证时kubernetes.io/psp: unrestricted创建会失败。事情按预期进行(即,通过命名空间 间接创建受限和不受限制的部署分别成功和失败。不知何故,用户(而不是服务帐户)似乎绑定了太宽的安全策略。pod/unrestricteduserkubectl create deploymentserviceaccount:defaultrestricted
我错过了什么?如何进一步诊断并解决问题(即防止和用户在serviceaccount/default中创建特权 pod ?namespace/restrictedusernamespace/restricted
更新我认为我现在已经找出了根本原因,但还不知道一个好的解决方案。似乎还resources: ["*"]授予了对任何(集群范围)资源的权限。这是无意的:我希望允许内部的“常规”活动,而不是让它也允许任何活动。verbs: ["*"]role/userusepsprole/userusernamespace/restrictedusepsp
答案1
诊断(见更新)是正确的。解决方案是从专有的role/user(权限太过广泛)切换{apiGroups: ["*"], resources: ["*"], verbs: ["*"]}到 Kubernetes 默认的clusterrole/edit(特别排除apiGroup:"policy"、resource:"podsecuritypolicy"、verb:"use"。