Kubernetes 在集群級(jí)別應(yīng)用Pod安全標(biāo)準(zhǔn)

Note
本教程僅適用于新集群。

Pod 安全準(zhǔn)入（PSA）在 v1.23 及更高版本默認(rèn)啟用， 因?yàn)樗?jí)到測試版（beta）。 Pod 安全準(zhǔn)入是在創(chuàng)建 Pod 時(shí)應(yīng)用 Pod 安全標(biāo)準(zhǔn)的準(zhǔn)入控制器。 本教程將向你展示如何在集群級(jí)別實(shí)施 ?baseline ?Pod 安全標(biāo)準(zhǔn)， 該標(biāo)準(zhǔn)將標(biāo)準(zhǔn)配置應(yīng)用于集群中的所有名稱空間。

在開始之前

在你的工作站中安裝以下內(nèi)容：

• ?KinD ?
• ?kubectl?

正確選擇要應(yīng)用的 Pod 安全標(biāo)準(zhǔn)

Pod 安全準(zhǔn)入 允許你使用以下模式應(yīng)用內(nèi)置的 Pod 安全標(biāo)準(zhǔn): ?enforce?、?audit ?和 ?warn?。

要收集信息以便選擇最適合你的配置的 Pod 安全標(biāo)準(zhǔn)，請(qǐng)執(zhí)行以下操作：

1. 創(chuàng)建一個(gè)沒有應(yīng)用 Pod 安全標(biāo)準(zhǔn)的集群：

kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.23.0

輸出類似于：

Creating cluster "psa-wo-cluster-pss" ...
? Ensuring node image (kindest/node:v1.23.0) 
? Preparing nodes   
? Writing configuration 
? Starting control-plane ?
? Installing CNI 
? Installing StorageClass 
Set kubectl context to "kind-psa-wo-cluster-pss"
You can now use your cluster with:

kubectl cluster-info --context kind-psa-wo-cluster-pss

Thanks for using kind! 

2. 將 kubectl 上下文設(shè)置為新集群：

kubectl cluster-info --context kind-psa-wo-cluster-pss

輸出類似于：

Kubernetes control plane is running at https://127.0.0.1:61350 
CoreDNS is running at https://127.0.0.1:61350/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

3. 獲取集群中的名字空間列表：

kubectl get ns

輸出類似于：

NAME                 STATUS   AGE
default              Active   9m30s
kube-node-lease      Active   9m32s
kube-public          Active   9m32s
kube-system          Active   9m32s
local-path-storage   Active   9m26s

4. 使用 ?--dry-run=server? 來了解應(yīng)用不同的 Pod 安全標(biāo)準(zhǔn)時(shí)會(huì)發(fā)生什么：
• Privileged

kubectl label --dry-run=server --overwrite ns --all \                    
pod-security.kubernetes.io/enforce=privileged

輸出類似于：

namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled
namespace/local-path-storage labeled

• Baseline

kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=baseline

輸出類似于：

namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-psa-wo-cluster-pss-control-plane (and 3 other pods): host namespaces, hostPath volumes
Warning: kindnet-vzj42: non-default capabilities, host namespaces, hostPath volumes
Warning: kube-proxy-m6hwf: host namespaces, hostPath volumes, privileged
namespace/kube-system labeled
namespace/local-path-storage labeled

• Restricted

kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=restricted

輸出類似于：

namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: coredns-7bb9c7b568-hsptc (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: etcd-psa-wo-cluster-pss-control-plane (and 3 other pods): host namespaces, hostPath volumes, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: kindnet-vzj42: non-default capabilities, host namespaces, hostPath volumes, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: kube-proxy-m6hwf: host namespaces, hostPath volumes, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
namespace/kube-system labeled
Warning: existing pods in namespace "local-path-storage" violate the new PodSecurity enforce level "restricted:latest"
Warning: local-path-provisioner-d6d9f7ffc-lw9lh: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/local-path-storage labeled

從前面的輸出中，你會(huì)注意到應(yīng)用 ?privileged ?Pod 安全標(biāo)準(zhǔn)不會(huì)顯示任何名字空間的警告。 然而，?baseline ?和 ?restricted ?標(biāo)準(zhǔn)都有警告，特別是在 ?kube-system? 名字空間中。

設(shè)置模式、版本和標(biāo)準(zhǔn)

在本節(jié)中，你將以下 Pod 安全標(biāo)準(zhǔn)應(yīng)用于最新（?latest?）版本：

• 在 ?enforce ?模式下的 ?baseline ?標(biāo)準(zhǔn)。
• ?warn ?和 ?audit ?模式下的 ?restricted ?標(biāo)準(zhǔn)。

?baseline ?Pod 安全標(biāo)準(zhǔn)提供了一個(gè)方便的中間立場，能夠保持豁免列表簡短并防止已知的特權(quán)升級(jí)。

此外，為了防止 ?kube-system? 中的 Pod 失敗，你將免除該名字空間應(yīng)用 Pod 安全標(biāo)準(zhǔn)。

在你自己的環(huán)境中實(shí)施 Pod 安全準(zhǔn)入時(shí)，請(qǐng)考慮以下事項(xiàng)：

1. 根據(jù)應(yīng)用于集群的風(fēng)險(xiǎn)狀況，更嚴(yán)格的 Pod 安全標(biāo)準(zhǔn)（如 ?restricted?）可能是更好的選擇。
2. 對(duì) ?kube-system? 名字空間進(jìn)行赦免會(huì)允許 Pod 在其中以 ?privileged ?模式運(yùn)行。 對(duì)于實(shí)際使用，Kubernetes 項(xiàng)目強(qiáng)烈建議你應(yīng)用嚴(yán)格的 RBAC 策略來限制對(duì) ?kube-system? 的訪問， 遵循最小特權(quán)原則。
3. 創(chuàng)建一個(gè)配置文件，Pod 安全準(zhǔn)入控制器可以使用該文件來實(shí)現(xiàn)這些 Pod 安全標(biāo)準(zhǔn)：

mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml 
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "baseline"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system]
EOF

4. 在創(chuàng)建集群時(shí)配置 API 服務(wù)器使用此文件：

cat <<EOF > /tmp/pss/cluster-config.yaml 
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          admission-control-config-file: /etc/config/cluster-level-pss.yaml
        extraVolumes:
          - name: accf
            hostPath: /etc/config
            mountPath: /etc/config
            readOnly: false
            pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: /tmp/pss
    containerPath: /etc/config
    # optional: if set, the mount is read-only.
    # default false
    readOnly: false
    # optional: if set, the mount needs SELinux relabeling.
    # default false
    selinuxRelabel: false
    # optional: set propagation mode (None, HostToContainer or Bidirectional)
    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
    # default None
    propagation: None
EOF

說明：
如果你在 macOS 上使用 Docker Desktop 和 KinD， 你可以在菜單項(xiàng) Preferences > Resources > File Sharing 下添加 ?/tmp? 作為共享目錄。

5. 創(chuàng)建一個(gè)使用 Pod 安全準(zhǔn)入的集群來應(yīng)用這些 Pod 安全標(biāo)準(zhǔn)：

kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.23.0 --config /tmp/pss/cluster-config.yaml

輸出類似于：

Creating cluster "psa-with-cluster-pss" ...
 ? Ensuring node image (kindest/node:v1.23.0)  
 ? Preparing nodes   
 ? Writing configuration  
 ? Starting control-plane ? 
 ? Installing CNI  
 ? Installing StorageClass  
Set kubectl context to "kind-psa-with-cluster-pss"
You can now use your cluster with:

kubectl cluster-info --context kind-psa-with-cluster-pss

Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 

6. 將 kubectl 指向集群

kubectl cluster-info --context kind-psa-with-cluster-pss

輸出類似于：

Kubernetes control plane is running at https://127.0.0.1:63855
CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

7. 創(chuàng)建以下 Pod 規(guī)約作為在 default 名字空間中的一個(gè)最小配置：

cat <<EOF > /tmp/pss/nginx-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - image: nginx
      name: nginx
      ports:
        - containerPort: 80
EOF

8. 在集群中創(chuàng)建 Pod：

kubectl apply -f /tmp/pss/nginx-pod.yaml

輸出類似于：

Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/nginx created

清理

運(yùn)行 ?kind delete cluster --name psa-with-cluster-pss? 和 ?kind delete cluster --name psa-wo-cluster-pss? 來刪除你創(chuàng)建的集群。