儘管有限制 PodSecurityPolicy,經過身份驗證的使用者仍然可以創建 Kubernetes pod
我正在嘗試使用
PodSecurityPolicyKeycloak 提供的使用者管理的裸機 Kubernetes 1.18.3 集群開始。psp/restricted應該適用於namespace/restricted(對於特定使用者user和命名空間的serviceaccount/default),並且psp/unrestricted應該適用於namespace/unrestricted. 我有基本的工作(PodSecurityPolicy安裝准入控制器等),並且有以下資源:apiVersion: v1 kind: List items: - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: user namespace: restricted rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: user namespace: restricted subjects: - kind: Group name: user apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: user apiGroup: rbac.authorization.k8s.io - kind: PodSecurityPolicy apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' - kind: PodSecurityPolicy apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: unrestricted spec: privileged: true hostNetwork: true seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: restricted rules: - apiGroups: ["policy"] resources: ["podsecuritypolicies"] verbs: ["use"] resourceNames: - restricted - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: unrestricted rules: - apiGroups: ["policy"] resources: ["podsecuritypolicies"] verbs: ["use"] resourceNames: - unrestricted - kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: restricted subjects: - kind: ServiceAccount name: default namespace: restricted - kind: User name: user apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: restricted apiGroup: rbac.authorization.k8s.io - kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: unrestrictied subjects: - kind: Group name: system:nodes apiGroup: rbac.authorization.k8s.io - kind: ServiceAccount name: default namespace: unrestricted roleRef: kind: ClusterRole name: unrestricted apiGroup: rbac.authorization.k8s.io在
use許可方面,一切看起來都符合預期,例如:kubectl auth can-i use podsecuritypolicy/restricted --as user --as-group=system:authenticated # yes kubectl auth can-i use podsecuritypolicy/unrestricted --as user --as-group=system:authenticated # no但我觀察到的是,雖然
serviceaccount:restricrted:default無法在 中創建特權 podnamespace/restricted,但使用者user顯然仍然可以(在該使用者通過集群身份驗證時):kubectl create -f - <<EOF # succeeds (as expected) apiVersion: v1 kind: Pod metadata: name: unprivileged-test-pod namespace: restricted spec: containers: - name: pause image: k8s.gcr.io/pause EOF kubectl create -f - <<EOF # succeeds (unexpected) apiVersion: v1 kind: Pod metadata: name: privileged-test-pod namespace: restricted spec: containers: - name: pause image: k8s.gcr.io/pause securityContext: privileged: true EOF兩個創建的容器都帶有一個 annotation
kubernetes.io/psp: unrestricted,而我希望pod/unrestricted在使用者user通過身份驗證時創建 for 失敗。事情按預期工作(即通過命名空間中的成功和失敗分別kubectl create deployment間接創建受限制的非限制部署。不知何故,使用者(但不是服務帳戶似乎綁定到了過於廣泛的安全策略。serviceaccount:default``restricted我錯過了什麼?如何進一步診斷和解決問題(即防止
serviceaccount/defaultinnamespace/restricted和使用者user在namespace/restricted?更新我想我現在已經隔離了根本原因,但還不知道一個好的解決方案。看起來
resources: ["*"],verbs: ["*"]inrole/user也授予use任何(集群範圍的)資源的權限psp。這是無意的:我想role/user允許user內部的“正常”活動,而namespace/restricted不是一一允許。use``psp
診斷(見UPDATE)是正確的。該解決方案包括從專有
role/user(具有太多權限){apiGroups: ["*"], resources: ["*"], verbs: ["*"]}切換到 Kubernetes 預設clusterrole/edit(特別排除apiGroup:"policy",resource:"podsecuritypolicy",verb:"use".