时间戳

首页 > 解决方案 > Pod 安全策略 - Pod 无法创建文件

kubernetes - Pod 安全策略 - Pod 无法创建文件

问题描述

我们尝试应用 pods 安全规则,如下所示:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: taap-restricted-psp
  annotations:
    # https://docs.docker.com/engine/security/seccomp/
    # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root
  allowPrivilegeEscalation: false  
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
   
    rule: 'MustRunAs'  # Don't allow containers to run as ROOT
    ranges:
      - max: 65535
        min: 1
  seLinux:
   
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false # Requires that containers must run with a read-only root filesystem (i.e. no writable layer)
 
---
 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: taap-restricted-psp-role
  namespace: taap-internal-dev
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - taap-restricted-psp
 
---
 
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: taap-restricted-psp-role-rolebinding
  namespace: taap-internal-dev
roleRef:
  kind: Role
  name: taap-restricted-psp-role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts # Authorize all service accounts in the namespace
  namespace: taap-internal-dev

并使用下面的 docker 图像,我们授予 taapuser 访问“/app”文件夹的权限

FROM maven:3.6-jdk-8-alpine AS builder
# See https://www.docker.com/blog/intro-guide-to-dockerfile-best-practices/
WORKDIR /app
COPY pom.xml .
COPY 3rdparty 3rdparty/
RUN mvn -e -B dependency:resolve
COPY src ./src
COPY trustStore ./trustStore/
RUN mvn -e -B package
FROM openjdk:8-jre-alpine
RUN apk add curl
WORKDIR /app
COPY --from=builder /app/target/taap_Anonymization.jar ./app.jar
# TODO: package .so file with maven in single jar file
COPY 3rdparty/com/voltage/securedata/enterprise/vibesimplejava/6.0.0/libvibesimplejava.so ./libvibesimplejava.so
COPY trustStore ./trustStore/
# Run container in non-privileged mode
RUN addgroup -g 111 -S taapgroup && \
    adduser -u 111 -S taapuser -G taapgroup
RUN chown -R taapuser /app /var/log
USER taapuser
EXPOSE 8080
CMD ["java", "-Djava.library.path=/app/", "-jar", "/app/app.jar"]

但是当我们尝试运行这个 pod 时,pod 无法在 /app 下创建文件。

我试图更改如下所示的代码并开始工作

RUN chown -R 1 /app /var/log USER 1

我想知道我们是否需要更改 podssecurity 规则,以便 taapuser 可以访问在 /app 文件夹下创建文件

'rule: 'MustRunAsNonRoot'

标签: kubernetespodsecuritypolicy

解决方案

推荐阅读