kubernetes - Kubernetes pod 对集群或命名空间级别的限制
问题描述
我需要在集群级别或命名空间级别上配置以下限制:
- 不允许任何 pod 像 previldged 一样运行
- 不允许 pod 以 uid 0 运行
- 不允许 pod 使用主机网络命名空间
Kubernetes 1.12,带 RBAC
解决方案
在文档中找到了一个示例策略:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
推荐阅读
- reactjs - 从功能性父组件访问子功能 - 反应
- java - 如何将 POST 响应放在字符串的选项卡中?
- ios - 'NSInvalidArgumentException',原因:'-[NSNull renderingMode]:无法识别的选择器发送到实例
- html - 如何在 django 模板的 for 循环中加载图像?
- c# - .netcore 上的 Hangfire 一段时间后无法工作(部署到真实服务器)
- android - ionic 3 inapp 浏览器摄像头访问以进行聊天
- javascript - 通过onClick单击图像时如何从图像中获取信息
- flutter - 是否可以将 pubspec.yaml 文件拆分为多个文件
- jquery - 如何将项目数组作为参数传递给“MVC4 Razor”中的存储过程?
- eclipse - Javadoc 加载减慢了 Eclipse