Contents
- Pod security
- Privileged containers
- Pod security policies
- A Pod that satisfies the security rules
Pod security
Privileged containers
- Containers are isolated from the host by Linux namespaces. Sometimes a workload needs to read or change sensitive system state, and to do that the container has to step outside that isolation and obtain higher privileges; containers run this way are collectively called privileged containers.
- Running privileged containers carries a concrete risk: a process in such a container has root-level access to the host, can bypass the isolation and directly control the node's resources. In the walkthrough below a single `privileged: true` container ends in a root shell on the node.
- Note that the first example below (hostname and hostAliases) only changes the Pod's own hostname and its /etc/hosts file. It needs no privilege at all, and neither the baseline nor the restricted Pod Security Standard objects to it; it is shown here only as the contrast for the genuinely privileged Pod that follows.
Changing the container's hostname and /etc/hosts file
[root@master ~]# vim root.yaml
---
kind: Pod
apiVersion: v1
metadata:
  name: root
spec:
  terminationGracePeriodSeconds: 0
  restartPolicy: Always
  hostname: myhost              # sets the Pod's hostname (no privilege involved)
  hostAliases:                  # adds entries to the Pod's /etc/hosts
  - ip: 192.168.1.30            # IP address
    hostnames:                  # names that resolve to it
    - registry                  # hostname
  containers:
  - name: linux
    image: myos:v2009
    imagePullPolicy: IfNotPresent
    command: ["/bin/bash"]
    args:
    - -c
    - |
      while true;do
        echo "Hello World."
        sleep 5
      done
[root@master ~]# kubectl apply -f root.yaml
pod/root created
[root@master ~]# kubectl exec -it root -- /bin/bash
[root@myhost html]# hostname
myhost
[root@myhost html]# cat /etc/hosts
... ...
# Entries added by HostAliases.
192.168.1.30 registry
[root@master ~]# kubectl delete pod root
pod "root" deleted
Root-privileged container
[root@master ~]# vim root.yaml
---
kind: Pod
apiVersion: v1
metadata:
  name: root
spec:
  terminationGracePeriodSeconds: 0
  restartPolicy: Always
  hostPID: true                 # privilege: share the node's PID namespace
  hostNetwork: true             # privilege: share the node's network namespace (the Pod also takes the node's hostname)
  containers:
  - name: linux
    image: myos:v2009
    imagePullPolicy: IfNotPresent
    securityContext:            # security context
      privileged: true          # privileged container: full capability set, all host devices, no seccomp filter
    command: ["/bin/bash"]
    args:
    - -c
    - |
      while true;do
        echo "Hello World."
        sleep 5
      done
[root@master ~]# kubectl apply -f root.yaml
pod/root created
[root@master ~]# kubectl get pods
NAME   READY   STATUS    RESTARTS   AGE
root   1/1     Running   0          26s
[root@master ~]# kubectl exec -it root -- /bin/bash
[root@node-0001 /]#
# PID namespace privilege: the node's whole process tree is visible (and can be signalled)
[root@node-0001 /]# pstree -p
systemd(1)-+-NetworkManager(510)-+-dhclient(548)
           |                     |-{NetworkManager}(522)
           |                     `-{NetworkManager}(524)
           |-agetty(851)
           |-chronyd(502)
           |-containerd(531)-+-{containerd}(555)
... ...
# Network privilege: the node's own interfaces and addresses
[root@node-0001 /]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.51  netmask 255.255.255.0  broadcast 192.168.1.255
        ether fa:16:3e:70:c8:fa  txqueuelen 1000  (Ethernet)
... ...
# Root privilege: with CAP_SYS_ADMIN and access to the node's block devices,
# mount the node's root disk and chroot into it
# (/dev/vda1 is this lab's virtio root disk; check lsblk on the node before reusing the command)
[root@node-0001 /]# mkdir /sysroot
[root@node-0001 /]# mount /dev/vda1 /sysroot
[root@node-0001 /]# mount -t proc /proc /sysroot/proc
[root@node-0001 /]# chroot /sysroot
sh-4.2# : this shell is now root on the node itself
# Delete the privileged container
[root@master ~]# kubectl delete pod root
pod "root" deleted
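The escape above works because `privileged: true` hands the container the full Linux capability set (CAP_SYS_ADMIN is what makes the `mount` succeed), removes the seccomp filter and runs as uid 0. A practitioner auditing a running container wants a quick way to see those facts from the inside. The following is an added example, not code from the original page: it decodes the capability bitmasks and the seccomp / no_new_privs flags that `/proc/self/status` exposes and reports how much of the host the process can reach. The capability table comes from `<linux/capability.h>`; the two STATUS samples are constructed to match what the page's `root` Pod and a restricted-profile Pod would show, and the "host-reaching" set is this example's own judgement, not a Kubernetes definition.

```python
"""Decode /proc/<pid>/status to tell how far a container process can reach
into the host. Added example; not from the original page.  The STATUS
samples below are constructed, not captured from a node."""

# Bit index -> capability name, from <linux/capability.h> (bits 0..40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
# Bits 0..37 exist on every kernel >= 4.3; holding all of them means "privileged".
FULL_SET = set(CAP_NAMES[:38])
# This example's list of capabilities that alone give a route onto the host or
# into other containers (mount, ptrace, kernel modules, raw disk, netns, BPF).
HOST_REACH = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
              "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF"}
# Effective set Docker/containerd give a container with no capability changes.
RUNTIME_DEFAULT_MASK = "00000000a80425fb"


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd/... value from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(status):
    """Return (verdict, findings) for a parsed /proc/<pid>/status dict."""
    eff = set(decode_caps(status.get("CapEff", "0")))
    findings = []
    if eff >= FULL_SET:
        findings.append("effective set is the full capability set (privileged: true)")
    elif eff & HOST_REACH:
        findings.append("host-reaching capabilities: " + ", ".join(sorted(eff & HOST_REACH)))
    if status.get("Uid", "0").split()[0] == "0":
        findings.append("running as uid 0 (runAsNonRoot not enforced)")
    if status.get("Seccomp", "0") == "0":        # 0 = disabled, 2 = filter mode
        findings.append("no seccomp filter (seccompProfile unset or Unconfined)")
    if status.get("NoNewPrivs", "0") == "0":     # allowPrivilegeEscalation=false sets this to 1
        findings.append("no_new_privs not set (allowPrivilegeEscalation not false)")
    if eff >= FULL_SET:
        verdict = "privileged"
    elif eff & HOST_REACH:
        verdict = "elevated"
    else:
        verdict = "default" if findings else "hardened"
    return verdict, findings


def read_own_status():
    """Read /proc/self/status; returns None where procfs is not available."""
    try:
        with open("/proc/self/status") as fh:
            return parse_status(fh.read())
    except OSError:
        return None


# Constructed samples: the page's privileged root Pod, and a Pod that passes
# the restricted profile (uid 99, no capabilities, seccomp filter, no_new_privs).
PRIVILEGED_STATUS = ("Name:\tbash\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
                     "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
                     "CapBnd:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n")
RESTRICTED_STATUS = ("Name:\tbash\nUid:\t99\t99\t99\t99\nCapInh:\t0000000000000000\n"
                     "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
                     "CapBnd:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n")

if __name__ == "__main__":
    samples = [("privileged sample", parse_status(PRIVILEGED_STATUS)),
               ("restricted sample", parse_status(RESTRICTED_STATUS))]
    own = read_own_status()
    if own:
        samples.append(("this process", own))
    for label, status in samples:
        verdict, findings = assess(status)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  - " + finding)
```

Run it inside a Pod with `kubectl exec` to see the live verdict for that container. A default container shows fourteen capabilities and no CAP_SYS_ADMIN; the page's `root` Pod shows all of them; the `nonroot` Pod from the last section shows none.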
Pod security policies
- The mechanism used here is Pod Security Admission: a built-in admission controller that checks every Pod against the Pod Security Standards and so controls how a Pod is allowed to run and what it can access. It replaces the older PodSecurityPolicy resource, which was removed in Kubernetes v1.25.
- The Kubernetes server version must be v1.22 or later (PodSecurity is alpha in v1.22, beta and enabled by default from v1.23, GA in v1.25).
- Make sure the PodSecurity feature gate is enabled (this only has to be done by hand on v1.22).
- Pod Security Standards (LEVEL):
  - privileged: unrestricted; grants the widest possible set of permissions and allows known privilege escalations.
  - baseline: minimally restrictive; blocks known privilege escalations (host namespaces, privileged containers and the like) while still accepting the default Pod configuration.
  - restricted: heavily restricted; follows current Pod hardening best practice (non-root user, all capabilities dropped, seccomp profile, no privilege escalation).
- Pod admission control labels (MODE):
  - Labels on a namespace select the standard to apply; the mode in the label name selects what happens when a violation is detected:
  - enforce: a violation causes the Pod to be rejected.
  - audit: a violation is recorded in the audit log, but the Pod is still admitted.
  - warn: a violation produces a user-visible warning, but the Pod is still admitted.
  - enforce applies only to Pod objects; warn and audit are also evaluated against the Pod template of workload resources such as Deployments, which is why a bad Deployment in an enforce-only namespace produces no error until its Pods fail to appear.
pod-security.kubernetes.io/<MODE>: <LEVEL>
An optional pod-security.kubernetes.io/<MODE>-version: <VERSION> label pins the standard to a Kubernetes minor version; without it "latest" is used, which is the version named in the warning output below.
# Enable the feature gate on kube-apiserver (v1.22 only; from v1.23 it is on by default).
# kube-apiserver is a static Pod, so line 36 must fall inside the container's command list;
# read the manifest before running sed blindly. The kubelet reloads changed static-Pod
# manifests on its own, so the restart is only there to force it.
[root@master ~]# sed '36i\ - --feature-gates=PodSecurity=true' -i /etc/kubernetes/manifests/kube-apiserver.yaml
[root@master ~]# systemctl restart kubelet
# Production namespace: strict admission control
[root@master ~]# kubectl create namespace myprod
namespace/myprod created
[root@master ~]# kubectl label namespaces myprod pod-security.kubernetes.io/enforce=restricted
namespace/myprod labeled
# Test namespace: warnings only
[root@master ~]# kubectl create namespace mytest
namespace/mytest created
[root@master ~]# kubectl label namespaces mytest pod-security.kubernetes.io/warn=baseline
namespace/mytest labeled
# Create the privileged Pod in both namespaces: rejected under enforce, admitted with a warning under warn
[root@master ~]# kubectl -n myprod apply -f root.yaml
Error from server (Failure): error when creating "root.yaml": host namespaces (hostNetwork=true, hostPID=true), privileged (container "linux" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "linux" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "linux" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "linux" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "linux" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[root@master ~]#
[root@master ~]# kubectl -n myprod get pods
No resources found in myprod namespace.
[root@master ~]# kubectl -n mytest apply -f root.yaml
Warning: would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true, hostPID=true), privileged (container "linux" must not set securityContext.privileged=true)
pod/root created
[root@master ~]#
[root@master ~]# kubectl -n mytest get pods
NAME READY STATUS RESTARTS AGE
root 1/1 Running 0 7s
[root@master ~]#
A Pod that satisfies the security rules
[root@master ~]# vim nonroot.yaml
---
kind: Pod
apiVersion: v1
metadata:
  name: nonroot
spec:
  terminationGracePeriodSeconds: 0
  restartPolicy: Always
  containers:
  - name: linux
    image: myos:v2009
    imagePullPolicy: IfNotPresent
    securityContext:
      allowPrivilegeEscalation: false   # sets no_new_privs: setuid binaries cannot raise privilege
      runAsNonRoot: true                # the kubelet refuses to start the container as uid 0
      runAsUser: 99                     # nobody; without it runAsNonRoot rejects an image that defaults to root
      seccompProfile:
        type: "RuntimeDefault"          # the container runtime's default syscall filter
      capabilities:
        drop: ["ALL"]                   # start from an empty capability set
    command: ["/bin/bash"]
    args:
    - -c
    - |
      while true;do
        echo "Hello World."
        sleep 30
      done
[root@master ~]# kubectl -n myprod apply -f nonroot.yaml
pod/nonroot created
[root@master ~]# kubectl -n myprod get pods
NAME READY STATUS RESTARTS AGE
nonroot 1/1 Running 0 6s
[root@master ~]# kubectl -n myprod exec -it nonroot -- id
uid=99(nobody) gid=99(nobody) groups=99(nobody)