Introduction
The explanation is as follows
Previously, there was PodSecurityPolicy (PSP) but from Kubernetes v1.21, PodSecurityPolicy was deprecated and removed from Kubernetes in v1.25.
The New Method
The syntax is as follows
# Mandatory
pod-security.kubernetes.io/<MODE>: <LEVEL>
# Optional
pod-security.kubernetes.io/<MODE>-version: <VERSION>
What Does Level Mean?
The explanation is as follows. The levels are ordered from least to most restrictive
We have to define one of the pod security standards. Currently, there are three pod security standards available.
● Privileged — Unrestricted policy, providing the widest possible level of permissions.
● Baseline — Minimally restrictive policy which prevents known privilege escalations. There is a comprehensive list of controls that should be enforced or disallowed. For instance, Privileged Pods must be disallowed if we want to create a pod in the Baseline labeled namespace.
● Restricted — Heavily restricted policy, the main purpose of this policy is to follow current pod hardening best practices. Similar to Baseline standards there is a list of controls that should be enforced or disallowed. For instance, no container can have root user permissions. Containers must be run as non-root users.
What Does Mode Mean?
The explanation is as follows. With enforce, a Pod that violates the Level is rejected. With audit or warn, the Pod is not rejected and runs, but a warning is recorded
● enforce — Policy violations will cause the pod to be rejected.
● audit — Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but are otherwise allowed.
● warn — Policy violations will trigger a user-facing warning but are otherwise allowed.
The following Pod setting is governed by the Baseline level
    securityContext:
       privileged: true
The following Pod setting is governed by the Restricted level
    securityContext:
      runAsUser: 0
Example - Baseline + enforce - i.e. the Privileged Pod Is Rejected
Suppose we have the following namespace configuration
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2022-11-08T09:26:17Z"
  labels:
    kubernetes.io/metadata.name: baseline-ns-1
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.25
  name: baseline-ns-1
  resourceVersion: "4779"
  uid: 2a8708f3-6f25-4cfb-84c1-ef6c825e23c5
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
The explanation is as follows
Since we applied labels with “enforce” mode and “baseline” pod security standards, if a pod does not respect the “baseline” standard it will be rejected.
The following pod fails
# pod-1.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: pod-1
  name: pod-1
  namespace: baseline-ns-1
spec:
  containers:
  - image: nginx
    name: pod-1
    securityContext:
       privileged: true
The error is as follows
Error from server (Forbidden): error when creating "pod-1.yaml": pods "pod-1" is forbidden: violates PodSecurity "baseline:v1.25": privileged (container "pod-1" must not set securityContext.privileged=true)
Example - Baseline + warn - i.e. Only a Warning Is Logged
Suppose we have the following namespace configuration
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2022-11-08T09:26:17Z"
  labels:
    kubernetes.io/metadata.name: baseline-ns-1
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: v1.25
  name: baseline-ns-1
  resourceVersion: "4779"
  uid: 2a8708f3-6f25-4cfb-84c1-ef6c825e23c5
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
This time it runs. The output is as follows
Warning: would violate PodSecurity "baseline:v1.25": privileged (container "pod-1" must not set securityContext.privileged=true)
pod/pod-1 created
Example - Baseline + enforce and Restricted + warn Together
Suppose we have the following namespace configuration
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns-2
  labels:
    # baseline Standard with enforce Mode 
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.25
    # restricted Standard with warn Mode
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.25
We do the following
# pod-2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: baseline-ns-2
spec:
  containers:
  - name: pod-2
    image: nginx
    securityContext:
      runAsUser: 0
The Pod runs. Even though it uses the root user, restricted, the strictest set of rules, is only in warn mode. Since Baseline allows the root user, there is no problem.
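To make the interplay of modes and levels in the three examples above concrete, here is an added model of the admission decision (constructed example code, not the page's own or Kubernetes' code). It models only the two controls this page discusses, privileged=true for Baseline and runAsUser=0 for Restricted; the helpers namespace(), pod(), violations() and admit() are all assumptions of this example.

```python
# Constructed model of Pod Security Admission limited to the two controls on
# this page: baseline forbids privileged=true, restricted adds runAsUser=0.
# Real PSA checks many more controls inside the API server.
PREFIX = "pod-security.kubernetes.io/"
LEVELS = ("privileged", "baseline", "restricted")  # least to most restrictive

def violations(pod, level):
    """Controls of `level` (and of every weaker level) that the pod breaks."""
    rank, found = LEVELS.index(level), []
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if rank >= 1 and sc.get("privileged") is True:
            found.append(f'privileged (container "{c["name"]}" must not set '
                         "securityContext.privileged=true)")
        if rank >= 2 and sc.get("runAsUser") == 0:
            found.append(f'runAsUser=0 (container "{c["name"]}" must not set '
                         "runAsUser=0)")
    return found

def admit(namespace, pod):
    """Apply the namespace's PSA labels to a pod; return (admitted, messages).
    Only enforce can reject; audit and warn report the violation but allow it."""
    labels = namespace["metadata"].get("labels", {})
    admitted, messages = True, []
    for mode in ("enforce", "audit", "warn"):
        level = labels.get(PREFIX + mode)
        if level is None:  # this mode is not configured in the namespace
            continue
        version = labels.get(f"{PREFIX}{mode}-version", "latest")
        for v in violations(pod, level):
            if mode == "enforce":
                admitted = False
                messages.append(f'pods "{pod["metadata"]["name"]}" is forbidden: '
                                f'violates PodSecurity "{level}:{version}": {v}')
            else:  # audit or warn: reported, never blocking
                messages.append(f'{"Warning" if mode == "warn" else "Audit"}: '
                                f'would violate PodSecurity "{level}:{version}": {v}')
    return admitted, messages

def namespace(name, **psa):  # constructed, e.g. enforce="baseline", warn="restricted"
    labels = {PREFIX + m: lvl for m, lvl in psa.items()}
    labels.update({f"{PREFIX}{m}-version": "v1.25" for m in psa})
    return {"metadata": {"name": name, "labels": labels}}

def pod(name, **security_context):  # constructed single-container nginx pod
    return {"metadata": {"name": name}, "spec": {"containers": [
        {"name": name, "image": "nginx", "securityContext": security_context}]}}
```

Running admit(namespace("baseline-ns-2", enforce="baseline", warn="restricted"), pod("pod-2", runAsUser=0)) admits the pod with a single restricted warning, which is the behaviour the last example describes.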
The Old Method
Example
We do the following. This forbids privileged pods, which can access every capability of the operating system
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!