k8s PodSecurityPolicy. Drop all capabilities except one

Problem description

I want to build a pod security policy where I drop all the capabilities and then enable only CHOWN.

The problem is that it seems that "requiredDropCapabilities: ALL" is the main rule, and if I configure it to ALL then I cannot add individual capabilities with AllowedCapabilities or DefaultAddCapabilities.

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

RequiredDropCapabilities - The capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. Capabilities listed in RequiredDropCapabilities must not be included in AllowedCapabilities or DefaultAddCapabilities.

How could I deny all capabilities except one?

--EDIT

This is my example:

PodSecurityPolicy:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-pot-root
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  allowedCapabilities:
  - CHOWN
  requiredDropCapabilities:
  - ALL
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim

Then inside the container there is no CHOWN capability:

root@hellonode-6d654c57b8-b8hz8:/app# capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=1(daemon)

Thx.

Tags: kubernetes

Solution


What I did was comment out "- ALL", add all the capabilities that are allowed by default, as described here, and comment out the ones I don't need.

Warning: I thought I only needed CHOWN, but in the end I needed more.

  requiredDropCapabilities:
    # - ALL                 # Drop all the usual capabilities
    - SETPCAP               # Modify process capabilities.
    - MKNOD                 # Create special files using mknod(2).
    - AUDIT_WRITE           # Write records to kernel auditing log.
    # - CHOWN               # Make arbitrary changes to file UIDs and GIDs (see chown(2)).
    - NET_RAW               # Use RAW and PACKET sockets.
    # - DAC_OVERRIDE        # Bypass file read, write, and execute permission checks.
    # - FOWNER              # Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
    - FSETID                # Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
    - KILL                  # Bypass permission checks for sending signals.
    # - SETGID              # Make arbitrary manipulations of process GIDs and supplementary GID list.
    # - SETUID              # Make arbitrary manipulations of process UIDs.
    - NET_BIND_SERVICE      # Bind a socket to internet domain privileged ports (port numbers less than 1024).
    - SYS_CHROOT            # Use chroot(2), change root directory.
    - SETFCAP               # Set file capabilities.

Hope this helps. I was searching for the answer myself but found your question first :)
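To see why the question's policy ends up with an empty capability set while the answer's policy keeps CHOWN, here is an added Python model of the rules quoted above (it is not code from the question, the answer, or Kubernetes itself, and it simplifies the admission logic): requiredDropCapabilities is removed from the runtime default set (the 14 capabilities the answer lists), ALL removes everything and nothing can be added back, and a container may only request capabilities that appear in allowedCapabilities or defaultAddCapabilities.

```python
# Added, simplified model of how a PodSecurityPolicy shapes a container's
# capability set. DEFAULT_CAPS is the runtime default set listed in the answer.
DEFAULT_CAPS = frozenset({
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
})


def psp_conflicts(spec):
    """Capabilities that are both required-dropped and allowed/default-added,
    the combination the documentation quoted in the question forbids."""
    drop = set(spec.get("requiredDropCapabilities", []))
    grant = set(spec.get("allowedCapabilities", [])) | set(spec.get("defaultAddCapabilities", []))
    if "ALL" in drop:          # ALL conflicts with every capability granted elsewhere
        return sorted(grant)
    return sorted(drop & grant)


def effective_caps(spec, requested_add=()):
    """Capability set a container gets under `spec`, given what it requests via
    securityContext.capabilities.add. Raises ValueError if the request is not
    permitted by the policy."""
    drop = set(spec.get("requiredDropCapabilities", []))
    default_add = set(spec.get("defaultAddCapabilities", []))
    allowed = set(spec.get("allowedCapabilities", []))
    # Start from the runtime defaults minus the forced drops (ALL empties the set).
    caps = set() if "ALL" in drop else set(DEFAULT_CAPS - drop)
    caps |= default_add
    for cap in requested_add:
        permitted = cap in allowed or cap in default_add or "*" in allowed
        if "ALL" in drop or cap in drop or not permitted:
            raise ValueError(f"capability {cap} not permitted by policy")
        caps.add(cap)
    return frozenset(caps)


# Constructed from the two policies on this page.
QUESTION_SPEC = {"requiredDropCapabilities": ["ALL"], "allowedCapabilities": ["CHOWN"]}
ANSWER_SPEC = {"requiredDropCapabilities": [
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "FSETID", "KILL",
    "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]}

if __name__ == "__main__":
    print("question's PSP conflicts:", psp_conflicts(QUESTION_SPEC))
    print("question's PSP leaves:", sorted(effective_caps(QUESTION_SPEC)))
    print("answer's PSP leaves:", sorted(effective_caps(ANSWER_SPEC)))
```

The answer's policy leaves CHOWN, DAC_OVERRIDE, FOWNER, SETGID and SETUID, matching what `capsh --print` would show in the container; the question's policy leaves nothing, which is the empty `Current: =` line in the question.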
