kubernetes - k8s PodSecurityPolicy. Drop all capabilities except one
Problem description
I want to build a pod security policy where I drop all the capabilities and then enable only CHOWN.
The problem is that "requiredDropCapabilities: ALL" seems to take precedence: once I set it to ALL, I cannot add individual capabilities back with allowedCapabilities or defaultAddCapabilities.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
RequiredDropCapabilities - The capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. Capabilities listed in RequiredDropCapabilities must not be included in AllowedCapabilities or DefaultAddCapabilities
How could I deny all capabilities except one?
--EDIT
This is my example:
PodSecurityPolicy:

```yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-pot-root
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  allowedCapabilities:
  - CHOWN
  requiredDropCapabilities:
  - ALL
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
```
Then inside the container there is no CHOWN capability:
```text
root@hellonode-6d654c57b8-b8hz8:/app# capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=1(daemon)
```
Thx.
Solution
What I did was comment out "- ALL", add all the capabilities that are allowed by default, as described here, and comment out the ones I did not want to drop.
Warning: I thought I only needed CHOWN, but in the end I needed more.
```yaml
requiredDropCapabilities:
# - ALL # Drop all the usual capabilities
- SETPCAP # Modify process capabilities.
- MKNOD # Create special files using mknod(2).
- AUDIT_WRITE # Write records to kernel auditing log.
# - CHOWN # Make arbitrary changes to file UIDs and GIDs (see chown(2)).
- NET_RAW # Use RAW and PACKET sockets.
# - DAC_OVERRIDE # Bypass file read, write, and execute permission checks.
# - FOWNER # Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
- FSETID # Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
- KILL # Bypass permission checks for sending signals.
# - SETGID # Make arbitrary manipulations of process GIDs and supplementary GID list.
# - SETUID # Make arbitrary manipulations of process UIDs.
- NET_BIND_SERVICE # Bind a socket to internet domain privileged ports (port numbers less than 1024).
- SYS_CHROOT # Use chroot(2), change root directory.
- SETFCAP # Set file capabilities
```
Hope this helps. I was looking for the answer myself, but found your question first :)
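As an added example (not part of the question or the answer above, and not Kubernetes code), the following Python models the two capability rules at play: the documented conflict between requiredDropCapabilities and allowedCapabilities/defaultAddCapabilities, and the answer's workaround of enumerating the runtime default set and dropping everything except what is wanted. RUNTIME_DEFAULT_CAPS is the set the answer enumerates, and drop_all_except() generalises its hand-edited list to any set of kept capabilities.

```python
from typing import Dict, Iterable, List, Set

# Runtime default capability set as enumerated in the answer above
# (the Docker default set at the time of the question).
RUNTIME_DEFAULT_CAPS: List[str] = [
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
]

Spec = Dict[str, List[str]]  # the three capability fields of a PSP spec


def validate_psp_caps(spec: Spec) -> List[str]:
    """Apply the documented rule: a capability listed in
    requiredDropCapabilities must not appear in allowedCapabilities or
    defaultAddCapabilities. ALL is treated as covering every capability,
    which is why the question's policy cannot re-allow CHOWN."""
    drops = set(spec.get("requiredDropCapabilities", []))
    errors = []
    for field in ("allowedCapabilities", "defaultAddCapabilities"):
        for cap in spec.get(field, []):
            if "ALL" in drops or cap in drops:
                errors.append(f"{field}: {cap} is also in requiredDropCapabilities")
    return errors


def drop_all_except(keep: Iterable[str],
                    defaults: Iterable[str] = RUNTIME_DEFAULT_CAPS) -> List[str]:
    """Build the explicit drop list the answer uses instead of ALL:
    every default capability except the ones to keep."""
    keep_set = set(keep)
    return [cap for cap in defaults if cap not in keep_set]


def effective_default_caps(spec: Spec,
                           defaults: Iterable[str] = RUNTIME_DEFAULT_CAPS) -> Set[str]:
    """Capabilities a container gets without requesting any: the runtime
    defaults minus the policy's drops, plus defaultAddCapabilities.
    allowedCapabilities only permits a pod to ask for more, it adds nothing,
    so dropping ALL leaves the empty `Current: =` seen in the capsh output."""
    drops = set(spec.get("requiredDropCapabilities", []))
    base = set() if "ALL" in drops else set(defaults) - drops
    return base | set(spec.get("defaultAddCapabilities", []))
```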