Pod Security Policy (PSP), part 2
Continuing the PSP configuration from the previous article.
Disallowing hostNetwork
Modify pod1.yaml so that its content is as follows.
root@vms61:~/demo5# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  hostNetwork: true
  terminationGracePeriodSeconds: 0
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    command: ["sh","-c","sleep 1000000"]
    name: pod1
    resources: {}
    securityContext:
      privileged: false
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@vms61:~/demo5#
Now create pod1.
root@vms61:~/demo5# kuser apply -f pod1.yaml
Error from server (Forbidden): error when creating "pod1.yaml": pods "pod1" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used]
root@vms61:~/demo5#
The pod was not created. According to the error message, this is because the hostNetwork option is not allowed. Although mypsp1 says nothing about whether hostNetwork is allowed, a PSP disallows it by default when the field is omitted.
Modify mypsp1.yaml so that its content is as follows.
root@vms61:~/demo5# cat mypsp1.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mypsp1
spec:
  privileged: false   # do not allow privileged pods
  hostNetwork: true   # allow pods to use hostNetwork
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
root@vms61:~/demo5#
Apply the new setting.
root@vms61:~/demo5# kubectl apply -f mypsp1.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/mypsp1 configured
root@vms61:~/demo5#
Create pod1 again.
root@vms61:~/demo5# kuser apply -f pod1.yaml
pod/pod1 created
root@vms61:~/demo5# kuser get pods
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 4s
root@vms61:~/demo5#
Delete pod1.
root@vms61:~/demo5# kuser delete pod pod1
pod "pod1" deleted
root@vms61:~/demo5#
Storage
The bottom of the original mypsp1.yaml read
  volumes:
  - '*'
which allows every volume type. Now change it so that only emptyDir volumes are allowed. Modify mypsp1.yaml so that its content is as follows.
root@vms61:~/demo5# cat mypsp1.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mypsp1
spec:
  privileged: false   # do not allow privileged pods
  hostNetwork: true   # allow pods to use hostNetwork
  ...omitted...
  volumes:
  - 'emptyDir'
root@vms61:~/demo5#
Apply mypsp1.yaml.
root@vms61:~/demo5# kubectl apply -f mypsp1.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/mypsp1 configured
root@vms61:~/demo5#
Check the content of pod1.yaml.
root@vms61:~/demo5# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  hostNetwork: false
  terminationGracePeriodSeconds: 0
  volumes:
  - name: v1
    emptyDir: {}
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    command: ["sh","-c","sleep 1000000"]
    name: pod1
    resources: {}
    securityContext:
      privileged: false
    volumeMounts:
    - name: v1
      mountPath: /data
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
root@vms61:~/demo5#
Note that hostNetwork is now set to false for pod1. Then create pod1.
root@vms61:~/demo5# kuser apply -f pod1.yaml
Error from server (Forbidden): error when creating "pod1.yaml": pods "pod1" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.volumes[1]: Invalid value: "projected": projected volumes are not allowed to be used]
root@vms61:~/demo5#
Creation failed here, because when a pod is created the token of the service account used by the pod is mounted automatically, and that token volume is a projected volume. So there are two ways to make the pod creation succeed:
Method 1: add automountServiceAccountToken: false under pod.spec.
This is left as an exercise for the reader.
Method 2: allow projected volumes in mypsp1. Modify mypsp1.yaml so that its content is as follows and apply it.
root@vms61:~/demo5# cat mypsp1.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mypsp1
spec:
  privileged: false   # do not allow privileged pods
  hostNetwork: true   # allow pods to use hostNetwork
  ...omitted...
  volumes:
  - 'emptyDir'
  - 'projected'
root@vms61:~/demo5#
Apply mypsp1.yaml.
root@vms61:~/demo5# kubectl apply -f mypsp1.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/mypsp1 configured
root@vms61:~/demo5#
Create pod1 again, then delete it.
root@vms61:~/demo5# kuser apply -f pod1.yaml
pod/pod1 created
root@vms61:~/demo5# kuser get pods
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 3s
root@vms61:~/demo5#
As you can see, pod1 is now created correctly. Then delete pod1.
root@vms61:~/demo5# kuser delete pod pod1
pod "pod1" deleted
root@vms61:~/demo5#
hostPath
root@vms61:~/demo5# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  hostNetwork: false
  terminationGracePeriodSeconds: 0
  volumes:
  - name: v1
    hostPath:
      path: /xx
  containers:
  ...omitted...
root@vms61:~/demo5#
Then create pod1.
root@vms61:~/demo5# kuser apply -f pod1.yaml
Error from server (Forbidden): error when creating "pod1.yaml": pods "pod1" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
root@vms61:~/demo5#
Creation fails here, because mypsp1 does not allow pods to use hostPath. Modify mypsp1.yaml so that its content is as follows and apply it.
root@vms61:~/demo5# cat mypsp1.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mypsp1
spec:
  privileged: false   # do not allow privileged pods
  hostNetwork: true   # allow pods to use hostNetwork
  ...omitted...
  volumes:
  - 'emptyDir'
  - 'projected'
  - 'hostPath'
root@vms61:~/demo5#
Apply mypsp1.yaml.
root@vms61:~/demo5# kubectl apply -f mypsp1.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/mypsp1 configured
root@vms61:~/demo5#
mypsp1 now allows pods to use three volume types. Create pod1 again.
root@vms61:~/demo5# kuser apply -f pod1.yaml
pod/pod1 created
root@vms61:~/demo5# kuser get pods
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 3s
root@vms61:~/demo5#
As you can see, pod1 can now be created. Delete pod1.
root@vms61:~/demo5# kuser delete pod pod1
pod "pod1" deleted
root@vms61:~/demo5#
Pods can now use hostPath volumes backed by any directory on the host; for example, pod1 above used the host's /xx directory. The PSP can also restrict hostPath to specific host directories, such as /tmp.
Modify mypsp1.yaml so that its content is as follows and apply it.
root@vms61:~/demo5# cat mypsp1.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mypsp1
spec:
  ...omitted...
  volumes:
  - 'emptyDir'
  - 'projected'
  - 'hostPath'
  allowedHostPaths:
  - pathPrefix: "/tmp"
Apply mypsp1.yaml.
root@vms61:~/demo5# kubectl apply -f mypsp1.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/mypsp1 configured
root@vms61:~/demo5#
Then create pod1 again.
root@vms61:~/demo5# kuser apply -f pod1.yaml
Error from server (Forbidden): error when creating "pod1.yaml": pods "pod1" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.volumes[0].hostPath.pathPrefix: Invalid value: "/xx": is not allowed to be used]
root@vms61:~/demo5#
The pod was not created; the error message shows that hostPath is not allowed to use the /xx directory.
Modify pod1.yaml so that its content is as follows and create pod1.
root@vms61:~/demo5# cat pod1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod1
  name: pod1
spec:
  hostNetwork: false
  terminationGracePeriodSeconds: 0
  volumes:
  - name: v1
    hostPath:
      path: /tmp
  ...omitted...
Create pod1.
root@vms61:~/demo5# kuser apply -f pod1.yaml
pod/pod1 created
root@vms61:~/demo5# kuser get pods
NAME READY STATUS RESTARTS AGE
pod1 1/1 Running 0 3s
root@vms61:~/demo5#
As you can see, pod1 can now be created.
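To reason about the admission decisions above without a cluster, here is an added Python model (written for this article, not code from the original post and not the real PSP admission controller) of the three checks this section exercises: hostNetwork, the allowed volume types including the projected service-account token volume the API server injects, and allowedHostPaths prefix matching. The policy and pod dictionaries are constructed to mirror mypsp1.yaml and pod1.yaml; the volume name "kube-api-access" for the injected token is an assumption.

```python
from typing import Dict, List

def effective_volumes(pod_spec: Dict) -> List[Dict]:
    """Volumes as the API server sees them: the declared ones plus the
    service-account token volume, injected as a 'projected' volume unless
    spec.automountServiceAccountToken is false ("method 1" above)."""
    vols = list(pod_spec.get("volumes", []))
    if pod_spec.get("automountServiceAccountToken", True):
        vols.append({"name": "kube-api-access", "projected": {}})  # injected
    return vols

def path_allowed(path: str, prefixes: List[str]) -> bool:
    """True when allowedHostPaths is unset, or path lies under a prefix
    ("/tmp" permits "/tmp" and "/tmp/x" but not "/tmpx")."""
    if not prefixes:
        return True
    for prefix in (p.rstrip("/") for p in prefixes):
        if path.rstrip("/") == prefix or path.startswith(prefix + "/"):
            return True
    return False

def admit(psp: Dict, pod_spec: Dict) -> List[str]:
    """Return the PSP violations for pod_spec; an empty list means admitted."""
    errors: List[str] = []
    if pod_spec.get("hostNetwork") and not psp.get("hostNetwork", False):
        errors.append("spec.securityContext.hostNetwork: Invalid value: true: "
                      "Host network is not allowed to be used")
    allowed = psp.get("volumes", [])  # omitted in the PSP means no type allowed
    prefixes = [p["pathPrefix"] for p in psp.get("allowedHostPaths", [])]
    for i, vol in enumerate(effective_volumes(pod_spec)):
        vtype = next(k for k in vol if k != "name")  # emptyDir, hostPath, ...
        if "*" not in allowed and vtype not in allowed:
            errors.append(f'spec.volumes[{i}]: Invalid value: "{vtype}": '
                          f"{vtype} volumes are not allowed to be used")
        elif vtype == "hostPath":
            path = vol["hostPath"]["path"]
            if not path_allowed(path, prefixes):
                errors.append(f'spec.volumes[{i}].hostPath.pathPrefix: '
                              f'Invalid value: "{path}": is not allowed to be used')
    return errors

if __name__ == "__main__":
    # Constructed to mirror the second attempt above: only emptyDir is allowed,
    # so the injected projected token volume at spec.volumes[1] is rejected.
    psp = {"privileged": False, "hostNetwork": True, "volumes": ["emptyDir"]}
    pod = {"hostNetwork": False, "volumes": [{"name": "v1", "emptyDir": {}}]}
    for err in admit(psp, pod):
        print(err)
```

Running it reproduces the spec.volumes[1] projected error from the page; setting automountServiceAccountToken to false in the pod dictionary (method 1) or adding 'projected' to the policy's volumes (method 2) both make admit return an empty list.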