Security

儘管有限制 PodSecurityPolicy,經過身份驗證的使用者仍然可以創建 Kubernetes pod

  • August 13, 2020

我正在嘗試使用PodSecurityPolicyKeycloak 提供的使用者管理的裸機 Kubernetes 1.18.3 集群開始。psp/restricted應該適用於namespace/restricted(對於特定使用者user和命名空間的serviceaccount/default),並且psp/unrestricted應該適用於namespace/unrestricted. 我有基本的工作(PodSecurityPolicy安裝准入控制器等),並且有以下資源:

apiVersion: v1
kind: List
items:
- kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: user
   namespace: restricted
 rules:
 - apiGroups: ["*"]
   resources: ["*"]
   verbs: ["*"]
- kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: user
   namespace: restricted
 subjects:
 - kind: Group
   name: user
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
   name: user
   apiGroup: rbac.authorization.k8s.io
- kind: PodSecurityPolicy
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: restricted
 spec:
   privileged: false
   seLinux:
     rule: RunAsAny
   supplementalGroups:
     rule: RunAsAny
   runAsUser:
     rule: RunAsAny
   fsGroup:
     rule: RunAsAny
   volumes:
   - '*'
- kind: PodSecurityPolicy
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: unrestricted
 spec:
   privileged: true
   hostNetwork: true
   seLinux:
     rule: RunAsAny
   supplementalGroups:
     rule: RunAsAny
   runAsUser:
     rule: RunAsAny
   fsGroup:
     rule: RunAsAny
   volumes:
   - '*'
- kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: restricted
 rules:
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]
   verbs: ["use"]
   resourceNames:
   - restricted
- kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: unrestricted
 rules:
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]
   verbs: ["use"]
   resourceNames:
   - unrestricted
- kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: restricted
 subjects:
 - kind: ServiceAccount
   name: default
   namespace: restricted
 - kind: User
   name: user
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
   name: restricted
   apiGroup: rbac.authorization.k8s.io
- kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: unrestrictied
 subjects:
 - kind: Group
   name: system:nodes
   apiGroup: rbac.authorization.k8s.io
 - kind: ServiceAccount
   name: default
   namespace: unrestricted
 roleRef:
   kind: ClusterRole
   name: unrestricted
   apiGroup: rbac.authorization.k8s.io

use許可方面,一切看起來都符合預期,例如:

kubectl auth can-i use podsecuritypolicy/restricted --as user --as-group=system:authenticated # yes
kubectl auth can-i use podsecuritypolicy/unrestricted --as user --as-group=system:authenticated # no

但我觀察到的是,雖然serviceaccount:restricrted:default無法在 中創建特權 pod namespace/restricted,但使用者user顯然仍然可以(在該使用者通過集群身份驗證時):

kubectl create -f - <<EOF # succeeds (as expected)
apiVersion: v1
kind: Pod
metadata:
 name: unprivileged-test-pod
 namespace: restricted
spec:
 containers:
 - name:  pause
   image: k8s.gcr.io/pause
EOF
kubectl create -f - <<EOF # succeeds (unexpected)
apiVersion: v1
kind: Pod
metadata:
 name: privileged-test-pod
 namespace: restricted
spec:
 containers:
 - name:  pause
   image: k8s.gcr.io/pause
   securityContext:
     privileged: true
EOF

兩個創建的容器都帶有一個 annotation kubernetes.io/psp: unrestricted,而我希望pod/unrestricted在使用者user通過身份驗證時創建 for 失敗。事情按預期工作(即通過命名空間中的成功和失敗分別kubectl create deployment間接創建受限制的非限制部署。不知何故,使用者(但不是服務帳戶似乎綁定到了過於廣泛的安全策略。serviceaccount:default``restricted

我錯過了什麼?如何進一步診斷和解決問題(即防止serviceaccount/defaultinnamespace/restricted和使用者usernamespace/restricted?

更新我想我現在已經隔離了根本原因,但還不知道一個好的解決方案。看起來resources: ["*"]verbs: ["*"]inrole/user也授予use任何(集群範圍的)資源的權限psp。這是無意的:我想role/user允許user內部的“正常”活動,而namespace/restricted不是一一允許。use``psp

診斷(見UPDATE)是正確的。該解決方案包括從專有role/user(具有太多權限){apiGroups: ["*"], resources: ["*"], verbs: ["*"]}切換到 Kubernetes 預設clusterrole/edit(特別排除apiGroup: "policy", resource: "podsecuritypolicy", verb: "use".

引用自:https://serverfault.com/questions/1029484