Kubernetes resources: PodSecurityPolicy

Reader submission 556 2022-11-08


PodSecurityPolicy:

• A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of a pod's specification: what the pod is allowed to do and what it is allowed to access. A PodSecurityPolicy object defines a set of conditions that a pod must satisfy before the system accepts it.

Available controls:

Enabling PodSecurityPolicy:

• Add the PodSecurityPolicy admission plugin to the kube-apiserver configuration.

• --enable-admission-plugins=NodeRestriction,PodSecurityPolicy

privileged:

[root@master01 privileged]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

RunAsUser:

[root@master01 runAsUser]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'

SELinux:

[root@master01 selinux]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: selinux
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'MustRunAs'
    seLinuxOptions:
      level: "s0:c2,c3"
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 0
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 0
      max: 65535
  readOnlyRootFilesystem: false

supplementalGroups:

[root@master01 supplementalGroups]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 10
      max: 65535
  fsGroup:
    rule: 'RunAsAny'
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

FSGroup:

[root@master01 fsGroup]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 10
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 20
      max: 65535
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

runAsGroup:

[root@master01 runAsGroup]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 10
      max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

HostPorts:

[root@master01 HostPorts]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostports
spec:
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostPorts:
  - min: 65532
    max: 65535
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
      hostPort: 8080

AllowedHostPaths:

[root@master01 allowedHostPaths]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedhostpaths
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedHostPaths:
  - pathPrefix: "/foo"
    readOnly: true
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: html
  volumes:
  - name: html
    hostPath:
      path: /data
      type: DirectoryOrCreate

hostIPC:

[root@master01 hostIPC]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostipc
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostIPC: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostIPC: true
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: html
  volumes:
  - name: html
    hostPath:
      path: /data
      type: DirectoryOrCreate

hostPID:

[root@master01 hostPID]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostpid
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostPID: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostPID: true
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

hostNetwork:

[root@master01 hostNetwork]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostnetwork
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  hostNetwork: false
  hostPorts:
  - min: 0
    max: 65536
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostNetwork: true
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

allowPrivilegeEscalation:

[root@master01 allowPrivilegeEscalation]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowprivilegeescalation
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

requiredDropCapabilities:

[root@master01 requiredDropCapabilities]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  requiredDropCapabilities:
  - CHOWN

allowedCapabilities:

[root@master01 allowedCapabilities]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedCapabilities:
  - NET_ADMIN
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

defaultAddCapabilities:

[root@master01 defaultAddCapabilities]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  defaultAddCapabilities:
  - NET_ADMIN
  - SYS_TIME
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

readOnlyRootFilesystem:

[root@master01 readOnlyRootFilesystem]# cat ./*
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: readonlyrootfilesystem
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: true

allowedUnsafeSysctls:

[root@master01 allowedUnsafeSysctls]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedunsafesysctls
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  allowedUnsafeSysctls:
  - net.ipv4.ip_forward
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ip_forward
      value: "1"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"

forbiddenSysctls:

[root@master01 forbiddenSysctls]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: forbiddensysctls
spec:
  volumes:
  - '*'
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  forbiddenSysctls:
  - net.ipv4.ip_forward
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ip_forward
      value: "1"
  containers:
  - name: sec-ctx-4
    image: busybox
    args:
    - "sh"
    - "-c"
    - "sleep 36000"
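The sections above show one policy and one pod per control, but not what the admission plugin actually does with them. The following is an added example, not part of the original post and not the Kubernetes admission plugin's own code: a small Python model of the validation side of the controls demonstrated above (privileged, hostNetwork/hostPID/hostIPC, hostPorts, allowPrivilegeEscalation, the three capability lists, runAsUser/runAsGroup rules, volume types with allowedHostPaths, and allowedUnsafeSysctls/forbiddenSysctls). It assumes the pod and the policy have already been loaded into plain dicts (for example with yaml.safe_load); the SAFE_SYSCTLS set, the pathPrefix semantics and the mutation notes in the comments follow the documented behaviour of the plugin, and the sample policy and pod are constructed for this example by combining several of the page's manifests. Two caveats it does not model: in a real cluster a policy only applies when the creating user or the pod's service account is authorized to `use` it through RBAC, so enabling the admission plugin without such a binding rejects every pod; and the policy/v1beta1 PodSecurityPolicy API was removed in Kubernetes 1.25 in favour of Pod Security Admission.

```python
"""Offline model of the PodSecurityPolicy admission checks demonstrated on this page.
Added example, not the Kubernetes admission plugin: it takes a Pod and a PSP as plain
dicts (the shape yaml.safe_load gives) and returns why the pod would be rejected.
Mutating defaults are modelled only where they decide admission."""
from fnmatch import fnmatch
from typing import Any, Dict, List

# Sysctls the plugin treats as safe; any other sysctl needs an allowedUnsafeSysctls entry.
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
                "net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start"}

def _in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)

def _check_id_rule(field: str, strategy: Dict[str, Any], values: List[int], errs: List[str]) -> None:
    """Rule logic shared by runAsUser and runAsGroup (the real plugin reuses it for groups too)."""
    rule, ranges = strategy.get("rule", "RunAsAny"), strategy.get("ranges", [])
    if rule == "MustRunAsNonRoot" and 0 in values:  # an unset UID is mutated to runAsNonRoot=true
        errs.append(f"{field}: running as UID 0 is not allowed")
    elif rule in ("MustRunAs", "MayRunAs"):  # an unset value is mutated to ranges[0].min
        for v in values:
            if not _in_ranges(v, ranges):
                errs.append(f"{field}: {v} is outside the allowed ranges")

def evaluate(pod: Dict[str, Any], psp: Dict[str, Any]) -> List[str]:
    """Return the reasons the PSP would reject the pod (an empty list means admitted)."""
    errs: List[str] = []
    spec, pspec = pod["spec"], psp["spec"]
    pod_sc, containers = spec.get("securityContext", {}), spec.get("containers", [])
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) and not pspec.get(flag):
            errs.append(f"{flag} is not allowed")
    allowed_caps = set(pspec.get("allowedCapabilities", []))
    default_caps = set(pspec.get("defaultAddCapabilities", []))
    required_drop = set(pspec.get("requiredDropCapabilities", []))
    for c in containers:
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not pspec.get("privileged"):
            errs.append(f"{c['name']}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") and not pspec.get("allowPrivilegeEscalation", True):
            errs.append(f"{c['name']}: allowPrivilegeEscalation is not allowed")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & required_drop):
            errs.append(f"{c['name']}: capability {cap} must be dropped")
        if "*" not in allowed_caps:
            for cap in sorted(added - allowed_caps - default_caps - required_drop):
                errs.append(f"{c['name']}: capability {cap} is not allowed")
        for p in c.get("ports", []):
            if "hostPort" in p and not _in_ranges(p["hostPort"], pspec.get("hostPorts", [])):
                errs.append(f"{c['name']}: hostPort {p['hostPort']} is not in an allowed range")
        for field in ("runAsUser", "runAsGroup"):  # container value overrides the pod value
            val = sc.get(field, pod_sc.get(field))
            _check_id_rule(field, pspec.get(field, {}), [] if val is None else [val], errs)
    allowed_vols, allowed_paths = set(pspec.get("volumes", [])), pspec.get("allowedHostPaths", [])
    for v in spec.get("volumes", []):
        vtype = next(k for k in v if k != "name")
        if "*" not in allowed_vols and vtype not in allowed_vols:
            errs.append(f"volume {v['name']}: type {vtype} is not allowed")
        if vtype == "hostPath" and allowed_paths:  # an empty allowedHostPaths list allows any path
            path = v["hostPath"]["path"]  # pathPrefix /foo matches /foo and /foo/bar, not /foobar
            matches = [a for a in allowed_paths
                       if path == a["pathPrefix"] or path.startswith(a["pathPrefix"].rstrip("/") + "/")]
            if not matches:
                errs.append(f"volume {v['name']}: hostPath {path} is not under an allowed prefix")
            elif any(a.get("readOnly") for a in matches):
                for c in containers:
                    for m in c.get("volumeMounts", []):
                        if m.get("name") == v["name"] and not m.get("readOnly"):
                            errs.append(f"{c['name']}: hostPath {path} must be mounted readOnly")
    for s in pod_sc.get("sysctls", []):  # a forbidden pattern wins; unsafe names need an explicit allow
        name = s["name"]
        if any(fnmatch(name, f) for f in pspec.get("forbiddenSysctls", [])):
            errs.append(f"sysctl {name} is forbidden")
        elif name not in SAFE_SYSCTLS and not any(fnmatch(name, a) for a in pspec.get("allowedUnsafeSysctls", [])):
            errs.append(f"unsafe sysctl {name} is not in allowedUnsafeSysctls")
    return errs

# Constructed sample: one restrictive PSP combining several settings from the page's examples.
RESTRICTED_PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy", "metadata": {"name": "demo"},
    "spec": {"privileged": False, "allowPrivilegeEscalation": False, "hostNetwork": False,
             "hostPID": False, "hostIPC": False, "hostPorts": [{"min": 65532, "max": 65535}],
             "volumes": ["configMap", "emptyDir", "secret", "hostPath"],
             "allowedHostPaths": [{"pathPrefix": "/foo", "readOnly": True}],
             "requiredDropCapabilities": ["CHOWN"], "allowedCapabilities": ["NET_ADMIN"],
             "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
             "seLinux": {"rule": "RunAsAny"}, "supplementalGroups": {"rule": "RunAsAny"},
             "fsGroup": {"rule": "RunAsAny"}, "forbiddenSysctls": ["net.ipv4.ip_forward"]}}
# Constructed sample pod modelled on the page's nginx examples, tripping several controls at once.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"hostNetwork": True, "securityContext": {"sysctls": [{"name": "net.ipv4.ip_forward", "value": "1"}]},
             "containers": [{"name": "nginx", "image": "nginx", "ports": [{"containerPort": 80, "hostPort": 8080}],
                             "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": True,
                                                 "capabilities": {"add": ["NET_ADMIN", "SYS_TIME", "CHOWN"]}},
                             "volumeMounts": [{"mountPath": "/usr/share/nginx/html", "name": "html"}]}],
             "volumes": [{"name": "html", "hostPath": {"path": "/data"}}]}}

if __name__ == "__main__":
    for reason in evaluate(BAD_POD, RESTRICTED_PSP):
        print("rejected:", reason)
```

Running it lists eight separate reasons for the sample pod; the kube-apiserver reports the same kind of findings together in the admission error for a single create request, which is why a pod that violates several controls is easiest to diagnose from the full message rather than from the first line. The prefix and readOnly handling for allowedHostPaths mirrors the page's `/foo` example: a pod mounting `/data` is refused outright, while one mounting `/foo/bar` is admitted only if every mount of that volume is readOnly.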
