@lijiang

Sculpting in time


Kubernetes Pod Security Admission

Upgrading my k8s production cluster from v1.24.4 to v1.25.0


Today I upgraded the Kubernetes production cluster I run myself to v1.25.0. During the upgrade I ran into a problem: the cluster used PodSecurityPolicy, but in kube v1.25.0 PodSecurityPolicy has been removed and replaced by Pod Security Admission (PSA). So I needed to migrate the PodSecurityPolicy into PSA, and to do that I did some research on PSA.

In v1.25.0 PSA is a stable (GA) API and the PodSecurity admission controller is enabled by default. The controller confines pods to a defined privilege level: the level is declared on a namespace with labels, and every pod created in that namespace is evaluated against it at admission time, so the pod's access to the host (host namespaces, privileged mode, hostPath volumes, capabilities and so on) is limited to what that level permits.

The Pod Security levels are:

  1. privileged: unrestricted, allows system-level privileges (host namespaces, privileged containers, hostPath volumes); intended for infrastructure workloads such as node agents and CNI plugins
apiVersion: v1
kind: Namespace
metadata:
  name: my-privileged-namespace
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
  2. baseline: minimally restrictive; blocks known privilege escalations while still admitting most workloads without changes (see the Kubernetes Pod Security Standards for the full list of controls)
apiVersion: v1
kind: Namespace
metadata:
  name: my-baseline-namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
  3. restricted: heavily restricted, following current pod-hardening best practice; most workloads need explicit securityContext settings (drop ALL capabilities, runAsNonRoot, a seccomp profile, no privilege escalation) to pass (see the Kubernetes Pod Security Standards)
apiVersion: v1
kind: Namespace
metadata:
  name: my-restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest

The admission controller reads the labels on a namespace to decide which level applies to the pods in it. There are three security modes, enforce, audit and warn, and each can be set to a different level on the same namespace:

  1. Enforce: a pod that violates the level is rejected. Enforce is evaluated only on Pod objects; a Deployment whose pod template violates the level is still accepted, and only the pods it later creates are rejected, so set warn or audit on the same namespace to surface the problem at apply time.

  2. Audit: a pod that violates the level is admitted, but the violation is recorded as an annotation (pod-security.kubernetes.io/audit-violations) on the event written to the audit log.

  3. Warn: a pod that violates the level is admitted, but a user-facing warning is returned to the client (kubectl prints it). Warn and audit are also evaluated against workload resources that carry a pod template (Deployment, DaemonSet, Job and the like), which makes them the right tool for checking a namespace before switching enforce on.

The label keys are defined as follows:

# The per-mode level label indicates which policy level to apply for the mode.
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# LEVEL must be one of `privileged`, `baseline`, or `restricted`.
pod-security.kubernetes.io/<MODE>: <LEVEL>

# Optional: per-mode version label that can be used to pin the policy to the
# version that shipped with a given Kubernetes minor version (for example v1.25).
#
# MODE must be one of `enforce`, `audit`, or `warn`.
# VERSION must be a valid Kubernetes minor version, or `latest`.
pod-security.kubernetes.io/<MODE>-version: <VERSION>
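To make the levels and modes concrete, here is a small Python model of the admission decision, added here as an example; it is not code from the original post or from Kubernetes. It implements a subset of the baseline and restricted checks and the enforce/audit/warn behaviour, then runs three constructed pod manifests against a namespace that enforces baseline while previewing restricted through audit and warn. The function names, the result dictionary and the sample pods are this example's own assumptions; the namespace label keys and the audit annotation key pod-security.kubernetes.io/audit-violations are the real ones.

```python
"""Toy model of Pod Security Admission, added as an example (not Kubernetes code): a subset of the
baseline and restricted checks plus enforce/audit/warn semantics, over constructed pod manifests
(dicts shaped like the Pod API). Function names and the result dict are this example's own."""

PREFIX = "pod-security.kubernetes.io/"
# Capabilities the baseline level lets a container add (the default container-runtime set).
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
# Volume types the restricted level allows.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}

def _containers(spec):
    """PSA checks init, regular and ephemeral containers alike."""
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])

def baseline_violations(pod):
    """Subset of baseline: host namespaces, hostPath volumes, privileged mode, extra capabilities."""
    spec, found = pod.get("spec", {}), []
    found += [f"{k}=true" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    found += [f"hostPath volume {v.get('name')}" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"container {c['name']}: privileged")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_CAPS
        if extra:
            found.append(f"container {c['name']}: adds capabilities {sorted(extra)}")
    return found

def restricted_violations(pod):
    """Subset of restricted (on top of baseline): volume types, no privilege escalation, drop ALL
    capabilities, non-root user, seccomp profile. Container settings override pod-level ones."""
    spec, found = pod.get("spec", {}), []
    psc = spec.get("securityContext", {})
    for v in spec.get("volumes", []):
        bad = set(v) - {"name"} - RESTRICTED_VOLUMES
        if bad:
            found.append(f"volume {v.get('name')}: disallowed type {sorted(bad)}")
    for c in _containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name}: allowPrivilegeEscalation != false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name}: must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name}: may only add NET_BIND_SERVICE")
        if sc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            found.append(f"container {name}: runAsNonRoot != true")
        if sc.get("seccompProfile", psc.get("seccompProfile", {})).get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found

def violations(level, pod):
    """privileged is unrestricted; restricted includes every baseline check."""
    if level == "privileged":
        return []
    return baseline_violations(pod) + (restricted_violations(pod) if level == "restricted" else [])

def admit(ns_labels, pod):
    """Apply the namespace labels as the controller does: enforce rejects, audit adds an audit
    annotation, warn returns a client warning. A mode with no label defaults to privileged."""
    result = {"allowed": True, "reasons": [], "warnings": [], "audit_annotations": {}}
    for mode in ("enforce", "audit", "warn"):
        level = ns_labels.get(PREFIX + mode, "privileged")
        found = violations(level, pod)
        if not found:
            continue
        version = ns_labels.get(f"{PREFIX}{mode}-version", "latest")
        msg = f'violates PodSecurity "{level}:{version}": ' + ", ".join(found)
        if mode == "enforce":
            result["allowed"] = False
            result["reasons"].append(msg)
        elif mode == "audit":
            result["audit_annotations"][PREFIX + "audit-violations"] = msg
        else:
            result["warnings"].append(msg)
    return result

# Constructed namespace labels: enforce baseline now, preview restricted through audit and warn.
NS_LABELS = {PREFIX + "enforce": "baseline", PREFIX + "enforce-version": "latest",
             PREFIX + "audit": "restricted", PREFIX + "warn": "restricted"}
# Constructed pods: a node agent, an app with no securityContext, and that app hardened for restricted.
PRIVILEGED_POD = {"metadata": {"name": "node-agent"}, "spec": {"hostNetwork": True,
    "containers": [{"name": "agent", "image": "agent:1.0", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
PLAIN_POD = {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}
HARDENED_POD = {"metadata": {"name": "web-hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx:1.25", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, PLAIN_POD, HARDENED_POD):
        r = admit(NS_LABELS, pod)
        print(pod["metadata"]["name"], "ADMITTED" if r["allowed"] else "DENIED", r["reasons"] or r["warnings"])
```

Running it shows the three outcomes side by side: the node agent is denied by enforce=baseline, the plain app is admitted but gets a restricted warning and an audit annotation, and the hardened app passes cleanly. Against a live cluster the equivalent preview is `kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline`, which reports the existing pods in each namespace that would be rejected without changing anything; run it before flipping enforce on a namespace that was previously covered only by a PodSecurityPolicy, and keep warn or audit set alongside enforce so that Deployments whose pod template would be rejected are reported at apply time rather than failing silently in the ReplicaSet.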
