我正在尝试使用PodSecurityPolicyKeycloak 提供的用户管理的裸机 Kubernetes 1.18.3 集群开始。psp/restricted应该适用于namespace/restricted(对于特定用户user和命名空间的serviceaccount/default),并且psp/unrestricted应该适用于namespace/unrestricted. 我有基本的工作(PodSecurityPolicy安装准入控制器等),并且有以下资源:
apiVersion: v1
kind: List
items:
- kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user
namespace: restricted
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
- kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: user
namespace: restricted
subjects:
- kind: Group
name: user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: user
apiGroup: rbac.authorization.k8s.io
- kind: PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
spec:
privileged: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
- kind: PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: unrestricted
spec:
privileged: true
hostNetwork: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
- kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restricted
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- restricted
- kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: unrestricted
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- unrestricted
- kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: restricted
subjects:
- kind: ServiceAccount
name: default
namespace: restricted
- kind: User
name: user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: restricted
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: unrestrictied
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
name: default
namespace: unrestricted
roleRef:
kind: ClusterRole
name: unrestricted
apiGroup: rbac.authorization.k8s.io
在use许可方面,一切看起来都符合预期,例如:
kubectl auth can-i use podsecuritypolicy/restricted --as user --as-group=system:authenticated # yes
kubectl auth can-i use podsecuritypolicy/unrestricted --as user --as-group=system:authenticated # no
但我观察到的是,虽然serviceaccount:restricrted:default无法在 中创建特权 pod namespace/restricted,但用户user显然仍然可以(在该用户通过集群身份验证时):
kubectl create -f - <<EOF # succeeds (as expected)
apiVersion: v1
kind: Pod
metadata:
name: unprivileged-test-pod
namespace: restricted
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
kubectl create -f - <<EOF # succeeds (unexpected)
apiVersion: v1
kind: Pod
metadata:
name: privileged-test-pod
namespace: restricted
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
securityContext:
privileged: true
EOF
两个创建的容器都带有一个 annotation kubernetes.io/psp: unrestricted,而我希望pod/unrestricted在用户user通过身份验证时创建 for 失败。事情按预期工作(即通过命名空间中的成功和失败分别kubectl create deployment间接创建受限制的不受限制的部署。不知何故,用户(但不是服务帐户似乎绑定到了过于广泛的安全策略。serviceaccount:defaultrestricted
我错过了什么?如何进一步诊断和解决问题(即防止serviceaccount/defaultinnamespace/restricted和用户user在namespace/restricted?
更新我想我现在已经隔离了根本原因,但还不知道一个好的解决方案。看起来resources: ["*"],verbs: ["*"]inrole/user也授予use任何(集群范围的)资源的权限psp。这是无意的:我想role/user允许user内部的“常规”活动,而namespace/restricted不是一一允许。usepsp
诊断(见UPDATE)是正确的。该解决方案包括从专有
role/user(具有太多权限){apiGroups: ["*"], resources: ["*"], verbs: ["*"]}切换到 Kubernetes 默认clusterrole/edit(特别排除apiGroup:"policy",resource:"podsecuritypolicy",verb:"use".