儘管有限制 PodSecurityPolicy,經過身份驗證的使用者仍然可以創建 Kubernetes pod
我正在嘗試使用
PodSecurityPolicy
Keycloak 提供的使用者管理的裸機 Kubernetes 1.18.3 集群開始。psp/restricted
應該適用於namespace/restricted
(對於特定使用者user
和命名空間的serviceaccount/default
),並且psp/unrestricted
應該適用於namespace/unrestricted
. 我有基本的工作(PodSecurityPolicy
安裝准入控制器等),並且有以下資源:apiVersion: v1 kind: List items: - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: user namespace: restricted rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: user namespace: restricted subjects: - kind: Group name: user apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: user apiGroup: rbac.authorization.k8s.io - kind: PodSecurityPolicy apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' - kind: PodSecurityPolicy apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: unrestricted spec: privileged: true hostNetwork: true seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: restricted rules: - apiGroups: ["policy"] resources: ["podsecuritypolicies"] verbs: ["use"] resourceNames: - restricted - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: unrestricted rules: - apiGroups: ["policy"] resources: ["podsecuritypolicies"] verbs: ["use"] resourceNames: - unrestricted - kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: restricted subjects: - kind: ServiceAccount name: default namespace: restricted - kind: User name: user apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: restricted apiGroup: rbac.authorization.k8s.io - kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: unrestrictied subjects: - kind: Group name: system:nodes apiGroup: rbac.authorization.k8s.io - kind: ServiceAccount name: default namespace: unrestricted roleRef: kind: ClusterRole name: unrestricted apiGroup: rbac.authorization.k8s.io
在
use
許可方面,一切看起來都符合預期,例如:kubectl auth can-i use podsecuritypolicy/restricted --as user --as-group=system:authenticated # yes kubectl auth can-i use podsecuritypolicy/unrestricted --as user --as-group=system:authenticated # no
但我觀察到的是,雖然
serviceaccount:restricrted:default
無法在 中創建特權 podnamespace/restricted
,但使用者user
顯然仍然可以(在該使用者通過集群身份驗證時):kubectl create -f - <<EOF # succeeds (as expected) apiVersion: v1 kind: Pod metadata: name: unprivileged-test-pod namespace: restricted spec: containers: - name: pause image: k8s.gcr.io/pause EOF kubectl create -f - <<EOF # succeeds (unexpected) apiVersion: v1 kind: Pod metadata: name: privileged-test-pod namespace: restricted spec: containers: - name: pause image: k8s.gcr.io/pause securityContext: privileged: true EOF
兩個創建的容器都帶有一個 annotation
kubernetes.io/psp: unrestricted
,而我希望pod/unrestricted
在使用者user
通過身份驗證時創建 for 失敗。事情按預期工作(即通過命名空間中的成功和失敗分別kubectl create deployment
間接創建受限制的非限制部署。不知何故,使用者(但不是服務帳戶似乎綁定到了過於廣泛的安全策略。serviceaccount:default``restricted
我錯過了什麼?如何進一步診斷和解決問題(即防止
serviceaccount/default
innamespace/restricted
和使用者user
在namespace/restricted
?更新我想我現在已經隔離了根本原因,但還不知道一個好的解決方案。看起來
resources: ["*"]
,verbs: ["*"]
inrole/user
也授予use
任何(集群範圍的)資源的權限psp
。這是無意的:我想role/user
允許user
內部的“正常”活動,而namespace/restricted
不是一一允許。use``psp
診斷(見UPDATE)是正確的。該解決方案包括從專有
role/user
(具有太多權限){apiGroups: ["*"], resources: ["*"], verbs: ["*"]}
切換到 Kubernetes 預設clusterrole/edit
(特別排除apiGroup
:"policy"
,resource
:"podsecuritypolicy"
,verb
:"use"
.