Pod 安全策略 - Amazon EKS
Amazon EKS 默认 Pod 安全策略
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Pod 安全策略

Kubernetes pod 安全策略准入控制器针对一系列规则验证 pod 创建和更新请求。默认情况下,Amazon EKS 集群附带完全宽松的安全策略,没有任何限制。有关更多信息,请参阅 Kubernetes 文档中的 Pod 安全策略

注意

仅在运行 Kubernetes 版本 1.13 或更高版本的 Amazon EKS 集群上启用 Pod 安全策略准入控制器。您必须将集群的 Kubernetes 版本更新到至少 1.13 才能使用 pod 安全策略。有关更多信息,请参阅 更新集群

Amazon EKS 默认 Pod 安全策略

带 Kubernetes 版本 1.13 及更高版本的 Amazon EKS 集群具有名为eks.privileged。此策略对于系统中可以接受什么类型的 pod 没有限制,这相当于在禁用 PodSecurityPolicy 控制器的情况下运行 Kubernetes。

注意

创建此策略是为了与未启用 PodSecurityPolicy 控制器的集群保持向后兼容性。您可以针对集群、各个命名空间和服务账户创建更具有限制性的策略,然后删除默认策略以启用这些更具有限制性的策略。

您可以使用以下命令查看默认策略。

kubectl get psp eks.privileged

输出:

NAME             PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
eks.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

有关更多详细信息,您可以使用以下命令描述此策略。

kubectl describe psp eks.privileged

输出:

Name:  eks.privileged

Settings:
  Allow Privileged:                       true
  Allow Privilege Escalation:             0xc0004ce5f8
  Default Add Capabilities:               <none>
  Required Drop Capabilities:             <none>
  Allowed Capabilities:                   *
  Allowed Volume Types:                   *
  Allow Host Network:                     true
  Allow Host Ports:                       0-65535
  Allow Host PID:                         true
  Allow Host IPC:                         true
  Read Only Root Filesystem:              false
  SELinux Context Strategy: RunAsAny
    User:                                 <none>
    Role:                                 <none>
    Type:                                 <none>
    Level:                                <none>
  Run As User Strategy: RunAsAny
    Ranges:                               <none>
  FSGroup Strategy: RunAsAny
    Ranges:                               <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:                               <none>

以下示例显示 eks.privileged pod 安全策略、其群集角色和集群角色绑定的完整 YAML 文件。 

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - eks.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: eks:podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated

删除默认 pod 安全策略

为您的集群创建自定义 pod 安全策略后,您可以删除默认 Amazon EKSeks.privileged容器安全策略以启用自定义策略。

  1. 创建一个名为 privileged-podsecuritypolicy.yaml 的文件,并将上述示例中的完整 eks.privileged YAML 文件内容粘贴到该文件中(这将允许您删除与其关联的 pod 安全策略、ClusterRoleClusterRoleBinding)。

  2. 使用以下命令删除 YAML。

    kubectl delete -f privileged-podsecuritypolicy.yaml

安装或恢复默认 Pod 安全策略

如果您要从 Kubernetes 的早期版本升级,或者您已修改或删除默认的 Amazon EKSeks.privilegedPod 安全策略,则可以使用以下步骤还原它。

  1. 创建一个名为 privileged-podsecuritypolicy.yaml 的文件,并将以下YAML 文件内容粘贴到该文件中。 

    ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eks:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - eks.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: eks:podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated

  2. 使用以下命令应用 YAML。

    kubectl apply -f privileged-podsecuritypolicy.yaml