Kubernetes Pod Security Admission
Upgrading my k8s production cluster from v1.24.4 to v1.25.0
Today I upgraded the self-operated Kubernetes production cluster to v1.25.0 and ran into a problem during the upgrade: the cluster used PodSecurityPolicy, but in Kubernetes v1.25.0 PodSecurityPolicy has been removed and replaced by Pod Security Admission (PSA). So I needed to migrate the PodSecurityPolicy configuration to PSA, and I did some research on PSA.
In v1.25.0 PSA is a stable API and the PodSecurity admission controller is enabled by default. The controller forces pods to run at a specific privilege level: by setting policy labels on a namespace, every pod in that namespace has its access to the host environment restricted to that level.
The pod security levels are:
- privileged: unrestricted, system-level privileges
  ```yaml
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-privileged-namespace
    labels:
      pod-security.kubernetes.io/enforce: privileged
      pod-security.kubernetes.io/enforce-version: latest
  ```
- baseline: a basic set of privileges that covers the runtime needs of most pods
  ```yaml
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-baseline-namespace
    labels:
      pod-security.kubernetes.io/enforce: baseline
      pod-security.kubernetes.io/enforce-version: latest
      pod-security.kubernetes.io/warn: baseline
      pod-security.kubernetes.io/warn-version: latest
  ```
- restricted: very strictly limited privileges
  ```yaml
  apiVersion: v1
  kind: Namespace
  metadata:
    name: my-restricted-namespace
    labels:
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/enforce-version: latest
      pod-security.kubernetes.io/warn: restricted
      pod-security.kubernetes.io/warn-version: latest
  ```
The Kubernetes controller determines a pod's privilege level from labels on its namespace; each label selects a security mode, which is one of enforce, audit, or warn.
- Enforce: pods that violate the level are rejected and do not run
- Audit: pods that violate the level are recorded in the audit log, but are admitted and run as normal
- Warn: pods that violate the level are admitted, and the cluster only returns a warning
The labels are defined as follows:
```yaml
# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
```
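As an added example (not from the original post and not the controller's own code), the following Python models how the three mode labels on a namespace map onto admission outcomes, using only a small subset of the real baseline and restricted checks; it assumes the pod and the namespace labels are plain dicts rather than API objects, and that an unlabeled mode falls back to `privileged` as the controller does by default:

```python
# Added example (not from the original post): a small model of how the
# PodSecurity admission controller applies a namespace's labels to a pod.
# Only a subset of the real baseline/restricted checks is implemented.
PREFIX = "pod-security.kubernetes.io/"

def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])

def baseline_violations(pod):
    """Subset of baseline: no host namespaces, no privileged containers."""
    spec = pod.get("spec", {})
    out = [f"{k} is not allowed" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            out.append(f"container {c['name']} is privileged")
    return out

def restricted_violations(pod):
    """Restricted = baseline plus a subset of its hardening requirements."""
    out = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f"container {c['name']}: must drop ALL capabilities")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            out.append(f"container {c['name']}: runAsNonRoot must be true")
    return out

LEVEL_CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations,
                "restricted": restricted_violations}

def admit(namespace_labels, pod):
    """Apply the enforce/audit/warn labels; only enforce can reject the pod."""
    result = {}
    for mode, key in (("enforce", "rejected"), ("audit", "audit"), ("warn", "warnings")):
        level = namespace_labels.get(PREFIX + mode, "privileged")  # unlabeled mode: privileged
        result[key] = LEVEL_CHECKS[level](pod)
    result["allowed"] = not result["rejected"]
    return result

# Constructed sample: an app pod with no securityContext at all, in a namespace
# that enforces baseline and warns about restricted.
SAMPLE_POD = {"spec": {"containers": [{"name": "app", "image": "nginx"}]}}
SAMPLE_NS = {PREFIX + "enforce": "baseline", PREFIX + "warn": "restricted"}
```

Running `admit(SAMPLE_NS, SAMPLE_POD)` admits the pod (it passes baseline) but returns three restricted warnings, which is exactly the signal to look at before moving a namespace's enforce label from baseline to restricted.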