By default, Kubernetes allows the creation of Pods with privileged containers, which can endanger the security of the whole system. The PodSecurityPolicy (PSP) admission controller protects the cluster from such Pods by checking that whoever requests a Pod is authorized to use a policy that permits the Pod's configuration.
The other admission plug-ins in that list are taken from the recommended admission plug-ins in the Kubernetes documentation.
Now create the Deployment defined above (nginx.yaml) directly:
deployment.apps/nginx-deploy created
The Deployment was created successfully. Now check the Pods, ReplicaSets and Deployments in the default namespace:
NAME                                          READY   STATUS    RESTARTS   AGE

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-deploy-77f7d4c6b4     1         0         0       40s

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-deploy     0/1     0            0           40s
Both the ReplicaSet and the Deployment were created successfully, but the ReplicaSet controller did not create a Pod. With the PodSecurityPolicy admission controller enabled, a Pod is only admitted if the requester is authorized to use a policy that allows it, and Pods created by a controller are requested under that controller's ServiceAccount. So we need to look at the controller ServiceAccounts in the kube-system namespace:
attachdetach-controller
calico-kube-controllers
certificate-controller
clusterrole-aggregation-controller
cronjob-controller
daemon-set-controller
deployment-controller
disruption-controller
endpoint-controller
expand-controller
job-controller
namespace-controller
node-controller
pv-protection-controller
pvc-protection-controller
replicaset-controller
replication-controller
resourcequota-controller
service-account-controller
service-controller
statefulset-controller
ttl-controller
Authorization to use a policy is granted to these ServiceAccounts, so they determine which controller may create Pods under which policy.
podsecuritypolicy.policy/restrictive configured
Although the restrictive policy is sufficient for most Pod creation, a permissive policy is needed for Pods that require elevated privileges. For example, kube-proxy needs hostNetwork enabled:
NAME               READY   STATUS    RESTARTS   AGE
kube-proxy-4z4vf   1/1     Running   0          18d
$ kubectl get pods -n kube-system kube-proxy-4z4vf -o yaml | grep hostNetwork
  hostNetwork: true
Therefore we also need a permissive policy that grants these extra permissions: (psp-permissive.yaml)
podsecuritypolicy.policy/permissive configured
$ kubectl get psp
NAME          PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
permissive    true           RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
restrictive   false   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            configMap,downwardAPI,emptyDir,persistentVolumeClaim,secret,projected
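The following manifests are an added example, not the psp-restrictive.yaml / psp-permissive.yaml files of the original post (those are not reproduced on this page). They define two PodSecurityPolicies whose columns match the `kubectl get psp` listing above: the restrictive one forbids privileged containers and hostNetwork and restricts volume types, the permissive one allows them. The hostPID, hostIPC, hostPorts and allowPrivilegeEscalation settings do not appear in the listing and are assumptions.

```yaml
# Added example (not the page's own manifests): two PodSecurityPolicies
# consistent with the `kubectl get psp` output shown in the text.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive
spec:
  privileged: false                 # PRIV=false: privileged containers are rejected
  hostNetwork: false                # rejects spec.securityContext.hostNetwork=true
  hostPID: false                    # assumption: not visible in the listing
  hostIPC: false                    # assumption: not visible in the listing
  allowPrivilegeEscalation: false   # assumption: not visible in the listing
  defaultAllowPrivilegeEscalation: false
  allowedCapabilities: ['*']        # CAPS=* in the listing; tighten in production
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  readOnlyRootFilesystem: false     # READONLYROOTFS=false
  volumes:                          # VOLUMES column: only these volume types are allowed
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - secret
  - projected
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  privileged: true                  # PRIV=true
  hostNetwork: true                 # what kube-proxy and the later nginx example need
  hostPID: true                     # assumption
  hostIPC: true                     # assumption
  hostPorts:                        # assumption: hostNetwork Pods bind host ports
  - min: 0
    max: 65535
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  readOnlyRootFilesystem: false
  volumes:                          # VOLUMES=*: any volume type
  - '*'
```

Defining the two policy objects changes nothing by itself: the admission controller only considers a policy for a request when the requesting user or the Pod's ServiceAccount has been granted the `use` verb on it through RBAC, which is what the next step sets up.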
Now the policies exist, but Kubernetes still has to decide whether the user or ServiceAccount requesting a Pod may use the restrictive or the permissive policy. That authorization is expressed with RBAC:
clusterrole.rbac.authorization.k8s.io/psp-restrictive created
clusterrolebinding.rbac.authorization.k8s.io/psp-default created
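As an added example, not the author's RBAC manifest (which the page does not show), this is one way to define the two objects whose creation is reported above: a ClusterRole that grants the `use` verb on the restrictive policy, and a ClusterRoleBinding that binds it to the system:serviceaccounts group so that every controller ServiceAccount can create Pods satisfying the restrictive policy. Binding to the whole group is an assumption; binding to individual controller ServiceAccounts would be stricter.

```yaml
# Added example (not the page's own manifest): grant every ServiceAccount
# in the cluster the right to use the "restrictive" PodSecurityPolicy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restrictive
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']                    # "use" is the only verb the PSP admission controller checks
  resourceNames: ['restrictive']    # scope the grant to this one policy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restrictive
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts      # assumption: all ServiceAccounts, in every namespace
```

To check the grant before recreating the Deployment, impersonate the controller: `kubectl auth can-i use podsecuritypolicy/restrictive --as=system:serviceaccount:kube-system:replicaset-controller` should print yes, while the same question for podsecuritypolicy/permissive should print no.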
Now, let's recreate the deployment defined above:
deployment.apps "nginx-deploy" deleted
$ kubectl apply -f nginx.yaml
deployment.apps/nginx-deploy created
After creation, look at the resource objects in the default namespace again:
NAME                                READY   STATUS    RESTARTS   AGE
pod/nginx-deploy-77f7d4c6b4-njfdl   1/1     Running   0          13s

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-deploy-77f7d4c6b4     1         1         1       13s

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-deploy     1/1     1            1           13s
The Pod was created successfully this time. If we now request something the policy does not allow, the request should be rejected. Delete the Deployment first:
deployment.apps "nginx-deploy" deleted
Now add hostNetwork: true to nginx-deploy so that it requests this privilege: (nginx-hostnetwork.yaml)
deployment.apps/nginx-hostnetwork-deploy created
After creation, look at the resource objects in the default namespace again:
NAME                                READY   STATUS    RESTARTS   AGE

NAME                                                          DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-hostnetwork-deploy-74c8fbd687     1         0         0       44s

NAME                                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-hostnetwork-deploy     0/1     0            0           44s
This time the ReplicaSet did not create a Pod. Run kubectl describe on the ReplicaSet to see why:
Name:           nginx-hostnetwork-deploy-74c8fbd687
......
Events:
  Type     Reason        Age                   From                   Message
  ----     ------        ----                  ----                   -------
  Warning  FailedCreate  80s (x15 over 2m42s)  replicaset-controller  Error creating: pods "nginx-hostnetwork-deploy-74c8fbd687-" is forbidden: unable to validate against any pod security policy: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used]
The event makes it clear that hostNetwork is not allowed. In some cases, however, we do need Pods with hostNetwork in a particular namespace (such as kube-system). For that we create a ClusterRole that allows using the permissive policy, and then a RoleBinding in that namespace that binds the ClusterRole to the relevant controller ServiceAccounts: (psp-permissive-rbac.yaml)
clusterrole.rbac.authorization.k8s.io/psp-permissive created
rolebinding.rbac.authorization.k8s.io/psp-permissive created
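As an added example (not the author's psp-permissive-rbac.yaml, which is not shown on the page), the following manifest expresses the two objects reported above. Because the binding is a namespaced RoleBinding rather than a ClusterRoleBinding, the controllers are allowed to use the permissive policy only for Pods created in kube-system. Which controller ServiceAccounts to bind is an assumption; the three chosen here are the ones from the list above that create Pods directly.

```yaml
# Added example (not the page's own manifest): allow the permissive policy,
# but only for Pods that controllers create in the kube-system namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-permissive
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['permissive']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                   # namespaced: the grant applies to kube-system only
metadata:
  name: psp-permissive
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-permissive
subjects:                           # assumption: the Pod-creating controllers from the list above
- kind: ServiceAccount
  name: daemon-set-controller
  namespace: kube-system
- kind: ServiceAccount
  name: replicaset-controller
  namespace: kube-system
- kind: ServiceAccount
  name: job-controller
  namespace: kube-system
```

Keeping the `use` grant in a RoleBinding scoped to kube-system is the point of this step: the same replicaset-controller ServiceAccount that may create a hostNetwork Pod in kube-system still cannot do so in the default namespace, which is exactly the behaviour the rest of the walkthrough relies on.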
Now Pods with hostNetwork can be created in the kube-system namespace. Change the namespace in the nginx manifest above to kube-system:
Recreate the Deployment:
deployment.apps/nginx-hostnetwork-deploy created
After creation, check the corresponding resource objects:
NAME                                            READY   STATUS    RESTARTS   AGE
pod/nginx-hostnetwork-deploy-74c8fbd687-7x8px   1/1     Running   0          2m1s

NAME                                                          DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-hostnetwork-deploy-74c8fbd687     1         1         1       2m1s

NAME                                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-hostnetwork-deploy     1/1     1            1           2m1s
The Pod has now been created successfully in the kube-system namespace.
serviceaccount/specialsa created
Then create a RoleBinding that binds specialsa to the psp-permissive ClusterRole created above: (specialsa-psp.yaml)
Create the RoleBinding object:
rolebinding.rbac.authorization.k8s.io/specialsa-psp-permissive created
Then add the serviceAccount field (serviceAccountName) to the Pod template of the Deployment above: (nginx-hostnetwork-sa.yaml)
Then create it directly:
deployment.apps/nginx-hostnetwork-deploy configured
Now the Pod with hostNetwork is also created successfully in the default namespace:
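The three steps above (ServiceAccount, RoleBinding, Deployment with a ServiceAccount) as one added example manifest; these are not the author's specialsa-psp.yaml / nginx-hostnetwork-sa.yaml files, which the page does not reproduce. It assumes the psp-permissive ClusterRole from the earlier step already exists; the RoleBinding name is taken from the creation message above, while the Deployment's labels, image and port are assumptions.

```yaml
# Added example (not the page's own manifests): a dedicated ServiceAccount in the
# default namespace that is allowed to use the permissive policy, and a Deployment
# whose Pods run under it with hostNetwork enabled.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: specialsa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: specialsa-psp-permissive
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-permissive                # created in the earlier step (assumed to exist)
subjects:
- kind: ServiceAccount
  name: specialsa
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-hostnetwork-deploy
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-hostnetwork          # assumption: labels are not shown on the page
  template:
    metadata:
      labels:
        app: nginx-hostnetwork
    spec:
      serviceAccountName: specialsa   # the Pod's own ServiceAccount is what gets authorized
      hostNetwork: true               # the privilege the restrictive policy rejected
      containers:
      - name: nginx
        image: nginx:1.17             # assumption: image tag not shown on the page
        ports:
        - containerPort: 80
```

This works because the PodSecurityPolicy admission controller authorizes a Pod if either the user creating it (here the replicaset-controller ServiceAccount, which in default may only use the restrictive policy) or the Pod's own ServiceAccount is allowed to use a matching policy. Granting the permissive policy to one dedicated ServiceAccount therefore lets a single workload use hostNetwork without widening what the controllers themselves may do in the namespace.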
NAME                                            READY   STATUS    RESTARTS   AGE
pod/nginx-hostnetwork-deploy-6c85dbf95-hqt8j    1/1     Running   0          65s

NAME                                                          DESIRED   CURRENT   READY   AGE
replicaset.extensions/nginx-hostnetwork-deploy-6c85dbf95      1         1         1       65s
replicaset.extensions/nginx-hostnetwork-deploy-74c8fbd687     0         0         0       31m

NAME                                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/nginx-hostnetwork-deploy     1/1     1            1           31m
Above, we have shown how PodSecurityPolicy, combined with RBAC authorization to use a policy, protects the Pod creation process in a Kubernetes cluster.