K8S开启Seccomp安全机制
1、PSP 激活
# Edit the API server systemd unit. The path is deployment-specific: clusters
# built with kubeadm run the API server as a static pod instead, and the flag
# goes into its manifest rather than a unit file.
vim /etc/systemd/system/kube-apiserver.service
添加:
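# Flag to add to the kube-apiserver ExecStart line. The value is a
# comma-separated list: if the unit already passes --enable-admission-plugins,
# append PodSecurityPolicy to that existing list instead of adding a second
# flag, e.g. --enable-admission-plugins=<existing-plugins>,PodSecurityPolicy
# (<existing-plugins> is a placeholder for whatever is already configured).
# PodSecurityPolicy was removed in Kubernetes v1.25; this only works on
# older clusters.
--enable-admission-plugins=PodSecurityPolicy
# systemd does not re-read an edited unit file on restart alone; reload first.
systemctl daemon-reload
systemctl restart kube-apiserver.service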
2、创建policy
# Create the PodSecurityPolicy manifest; its contents follow below and this
# is the file to pass to kubectl afterwards.
vim psp-privileged.yaml
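# PodSecurityPolicy (policy/v1beta1) is removed in Kubernetes v1.25; use Pod
# Security Admission on newer clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    # Any seccomp profile may be requested by a pod admitted under this PSP.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
    # Pods that do not request a profile get the container runtime's default
    # profile. Without a default, pods with no annotation still run
    # unconfined, so allowedProfileNames alone does not enable seccomp.
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # NOTE(review): privilege escalation, every capability, every volume type
  # and all three host namespaces are allowed, so this policy is close to
  # privileged-equivalent despite privileged: false. Tighten per workload.
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    # Original had a typographic opening quote here, which is a YAML syntax error.
    rule: 'RunAsAny'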
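# Apply the PSP manifest written above. The original referenced
# clusterrole-privileged.yaml here, which is the ClusterRole file from the
# next step, so the PSP itself was never created.
kubectl create -f psp-privileged.yaml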
3、创建cluster role
# Create the ClusterRole manifest that grants "use" on the PSP; contents follow.
vim clusterrole-privileged.yaml
# Grants the "use" verb on the PSP named "privileged". Admission under that
# PSP applies to whichever subjects this role is later bound to.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: policyrole
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - use
    # Scoped to the single PSP created in step 2, not to every PSP.
    resourceNames:
      - privileged
# Create the ClusterRole from the manifest above.
kubectl create --filename clusterrole-privileged.yaml
4、role绑定到service account
# Create the binding manifest that attaches the role to a service account.
vim clusterrolebinding-privileged.yaml
# Lets the "default" service account in namespace ctsi use the PSP via
# the policyrole ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: policyrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: policyrole
subjects:
  # Authorize specific service accounts:
  # NOTE(review): the subject is a single namespaced SA, so a RoleBinding in
  # ctsi would grant the same access with narrower scope. Every pod in ctsi
  # that does not set serviceAccountName runs as "default" and inherits this.
  - kind: ServiceAccount
    name: default
    namespace: ctsi
# Apply the binding; PSP admission now takes effect for the bound service account.
kubectl apply --filename clusterrolebinding-privileged.yaml