kubernetes - How to disable the Weave Scope shell/bash prompt for running containers
Problem description
How can the exec shell (the shell/bash prompt) be disabled so that users cannot enter a running container as root?
Solution
If you run Weave Scope in production, you probably want to restrict two main things:
1. Shell access to K8s worker nodes and to pods
To disable the controls, Weave Scope offers an out-of-the-box option, `--probe.no-controls=true`.
You need to pass it as a startup argument to your weave-scope-agent probe.
The final file will look like this:
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: weave-scope-agent
  labels:
    name: weave-scope-agent
    app: weave-scope
    weave-cloud-component: scope
    weave-scope-component: agent
  namespace: weave
spec:
  minReadySeconds: 5
  selector:
    matchLabels:
      app: weave-scope
  template:
    metadata:
      labels:
        name: weave-scope-agent
        app: weave-scope
        weave-cloud-component: scope
        weave-scope-component: agent
    spec:
      containers:
        - name: scope-agent
          args:
            - '--probe.no-controls=true'
            - '--weave=false'
            - '--mode=probe'
            - '--probe-only'
            - '--probe.kubernetes.role=host'
            - '--probe.docker.bridge=docker0'
            - '--probe.docker=true'
            - 'weave-scope-app.weave.svc.cluster.local.:80'
          image: weaveworks/scope:1.11.2
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-socket
              mountPath: /var/run/docker.sock
            - name: scope-plugins
              mountPath: /var/run/scope/plugins
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: true
      tolerations:
        - effect: NoSchedule
          operator: Exists
      volumes:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
        - name: scope-plugins
          hostPath:
            path: /var/run/scope/plugins
        - name: sys-kernel-debug
          hostPath:
            path: /sys/kernel/debug
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
```
Note that I am using the `--weave=false` flag because I am not using Weave as the CNI in my K8s cluster. If you are using the Weave CNI, do not pass this flag, otherwise you may see unexpected behaviour.
2. Pod deletion permission
To stop Weave Scope users from deleting pods, you need some RBAC rules. In RBAC, allow `pods` and `pods/log` and leave out the `delete` verb. That way users will be able to see pods and pod logs, but they will not be able to delete pods.
The final RBAC file will look like this:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    name: weave-scope
  name: weave-scope
  namespace: weave
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - replicationcontrollers
      - services
      - nodes
      - persistentvolumes
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  #- apiGroups:
  #    - ""
  #  resources:
  #    - pods
  #  verbs:
  #    - delete
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - deployments/scale
    verbs:
      - update
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
    resourceNames:
      - weave-scope
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - volumesnapshot.external-storage.k8s.io
    resources:
      - volumesnapshots
      - volumesnapshotdatas
    verbs:
      - list
      - watch
```
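The two restrictions in the answer (the `--probe.no-controls=true` probe flag and a ClusterRole without `delete` on pods) are easy to get wrong on a later edit, so the following is an offline audit of both. It is an added example, not part of the original answer or of Weave Scope: the argument list and the rules are constructed copies of the manifests above (only the rules relevant to the checks are kept), the RBAC matcher re-implements the PolicyRule semantics of the Kubernetes RBAC authorizer (`apiGroups`, `resources` including `*/subresource` wildcards, `verbs`, optional `resourceNames`), and the flag parser assumes that a repeated flag is resolved last-wins as Go's standard `flag` package does.

```python
"""Offline audit of the two Weave Scope restrictions described in the answer.

Added example, not the original answer's or Weave Scope's own code.
"""

# Constructed copy of the args list from the weave-scope-agent DaemonSet above.
AGENT_ARGS = [
    "--probe.no-controls=true",
    "--weave=false",
    "--mode=probe",
    "--probe-only",
    "--probe.kubernetes.role=host",
    "--probe.docker.bridge=docker0",
    "--probe.docker=true",
    "weave-scope-app.weave.svc.cluster.local.:80",
]

# Constructed copy of the ClusterRole rules relevant to the checks (other groups omitted).
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["deployments/scale"], "verbs": ["update"]},
    {"apiGroups": ["extensions"], "resourceNames": ["weave-scope"],
     "resources": ["podsecuritypolicies"], "verbs": ["use"]},
]

# The rule that is commented out in the ClusterRole above; enabling it re-grants deletion.
DELETE_RULE = {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]}


def controls_disabled(args):
    """True when the probe is started with controls disabled.

    Accepts '--probe.no-controls=true' and the bare boolean form
    '--probe.no-controls'. Assumption: a repeated flag is last-wins.
    """
    state = False
    for arg in args:
        if arg == "--probe.no-controls":
            state = True
        elif arg.startswith("--probe.no-controls="):
            state = arg.split("=", 1)[1].strip().lower() == "true"
    return state


def _matches(allowed, wanted):
    """Plain list match with the RBAC '*' wildcard (used for apiGroups and verbs)."""
    return "*" in allowed or wanted in allowed


def _matches_resource(allowed, wanted):
    """Resource match: '*', an exact 'resource' or 'resource/sub', or '*/sub'."""
    if "*" in allowed or wanted in allowed:
        return True
    if "/" in wanted:
        _, sub = wanted.split("/", 1)
        return f"*/{sub}" in allowed
    return False


def role_allows(rules, group, resource, verb, name=None):
    """Grant if any single rule matches group, resource, verb and (when the rule
    lists resourceNames) the object name; list/watch requests carry no name,
    so name-restricted rules never match them."""
    for rule in rules:
        if not _matches(rule.get("apiGroups", []), group):
            continue
        if not _matches(rule.get("verbs", []), verb):
            continue
        if not _matches_resource(rule.get("resources", []), resource):
            continue
        names = rule.get("resourceNames")
        if names and name not in names:
            continue
        return True
    return False


def audit(args, rules):
    """Summarise the state of the two controls the answer describes."""
    return {
        "exec_controls_disabled": controls_disabled(args),
        "can_delete_pods": role_allows(rules, "", "pods", "delete"),
        "can_exec_into_pods": role_allows(rules, "", "pods/exec", "create"),
        "can_read_pod_logs": role_allows(rules, "", "pods/log", "get"),
    }


if __name__ == "__main__":
    for key, value in audit(AGENT_ARGS, ROLE_RULES).items():
        print(f"{key}: {value}")
    # Show what happens if someone uncomments the delete rule.
    print("with delete rule, can_delete_pods:",
          role_allows(ROLE_RULES + [DELETE_RULE], "", "pods", "delete"))
```

Against a live cluster the same questions can be put to the API server itself, for example `kubectl auth can-i delete pods --as=system:serviceaccount:weave:weave-scope` (the service account name is an assumption; the binding is not shown on the page). The offline evaluator is useful in CI, where the manifests exist but the cluster does not.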