设为首页收藏本站language→→ 语言切换
开启辅助访问 切换到宽版

鸿鹄论坛

 找回密码
 论坛注册

QQ登录

先注册再绑定QQ

鸿鹄论坛»鸿鹄论坛 ≡□≡合作培训机构(排名不分先后)≡□≡ 诺普 诺普培训《K8S安全技术文章分享》
返回列表 发新帖
查看: 1330|回复: 1
收起左侧

诺普培训《K8S安全技术文章分享》

[复制链接]
Tiffany_Hsu
发表于 2022-3-7 10:45:41 | 显示全部楼层 |阅读模式
K8S安全系统-PSP
Pod Security Policy

Pod Security Policy 是 kubernetes中一种集群级别的资源,它定义了用户能否在Pod中使用各种安全相关的特性,PSP可以做哪些事情?


· 允许和拒绝Pod使用宿主节点的PID,IPC,网络命名空间
· 允许和拒绝Pod绑定到宿主节点端口
· 容器运行时允许和拒绝Pod使用的用户ID
· 是否允许特权模式的POD

                               
登录/注册后可看大图

这次,诺普培训的邓老师给大家带来了一篇干货满满的K8S技术文章,希望对广大学员们有所帮助。实战如下:

#默认psp没有开启:psp 无效;
ubuntu@cks-1:~$ kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME               PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
gatekeeper-admin   false          RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,projected,secret,downwardAPI
ubuntu@cks-1:~$

ubuntu@cks-1:~/LFS260/SOLUTIONS/s_04$ kubectl delete -f gatekeeper.yaml
namespace "gatekeeper-system" deleted
resourcequota "gatekeeper-critical-pods" deleted
customresourcedefinition.apiextensions.k8s.io "configs.config.gatekeeper.sh" deleted
customresourcedefinition.apiextensions.k8s.io "constraintpodstatuses.status.gatekeeper.sh" deleted
customresourcedefinition.apiextensions.k8s.io "constrainttemplatepodstatuses.status.gatekeeper.sh" deleted
customresourcedefinition.apiextensions.k8s.io "constrainttemplates.templates.gatekeeper.sh" deleted
serviceaccount "gatekeeper-admin" deleted
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy "gatekeeper-admin" deleted
role.rbac.authorization.k8s.io "gatekeeper-manager-role" deleted
clusterrole.rbac.authorization.k8s.io "gatekeeper-manager-role" deleted
rolebinding.rbac.authorization.k8s.io "gatekeeper-manager-rolebinding" deleted
clusterrolebinding.rbac.authorization.k8s.io "gatekeeper-manager-rolebinding" deleted
secret "gatekeeper-webhook-server-cert" deleted
service "gatekeeper-webhook-service" deleted
deployment.apps "gatekeeper-audit" deleted
deployment.apps "gatekeeper-controller-manager" deleted
Warning: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
poddisruptionbudget.policy "gatekeeper-controller-manager" deleted
validatingwebhookconfiguration.admissionregistration.k8s.io "gatekeeper-validating-webhook-configuration" deleted

ubuntu@cks-1:~$ kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
No resources found
ubuntu@cks-1:~$

#在没有开启PSP功能的情况下,创建拒绝提权的POD;
ubuntu@cks-1:~$ touch unprivileged-psp.yaml
ubuntu@cks-1:~$ vim unprivileged-psp.yaml
ubuntu@cks-1:~$ cat unprivileged-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: unprivileged-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl create -f unprivileged-psp.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/unprivileged-psp created
ubuntu@cks-1:~$ kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME               PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
unprivileged-psp   false          RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
ubuntu@cks-1:~$

#在没有开启PSP的前提下还是可以创建提权的pod;
ubuntu@cks-1:~$ kubectl create -f privileged-pod.yaml
pod/privileged-pod created

ubuntu@cks-1:~$

#此时POD可以正常使用和在POD内部提权到root权限;

#在K8S中开启psp;
#删除掉之前创建的POD;
ubuntu@cks-1:~$ kubectl delete pods privileged-pod --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "privileged-pod" force deleted
ubuntu@cks-1:~$

#修改kube-apiserver.yaml;
root@cks-1:/etc/kubernetes/manifests# cat kube-apiserver.yaml | head -n 30
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.19.0.11:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.19.0.11
    - --token-auth-file=/etc/kubernetes/pki/users.txt
    - --profiling=false
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
root@cks-1:/etc/kubernetes/manifests#

#重启kubelet服务,使配置生效;
root@cks-1:~# systemctl restart kubelet

ubuntu@cks-1:~$ kubectl get pods -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
calico-kube-controllers-6b9fbfff44-ltm9g    1/1     Running   3          4d
calico-node-r72x7                           1/1     Running   3          4d
calico-node-vt447                           1/1     Running   3          3d23h
coredns-558bd4d5db-9w7h6                    1/1     Running   3          4d
coredns-558bd4d5db-wv6v2                    1/1     Running   3          4d
etcd-cks-1.example.com                      1/1     Running   3          4d
kube-controller-manager-cks-1.example.com   1/1     Running   8          4d
kube-proxy-7t27k                            1/1     Running   3          3d23h
kube-proxy-vq295                            1/1     Running   3          4d
kube-scheduler-cks-1.example.com            1/1     Running   8          4d
ubuntu@cks-1:~$

#再创建一个psp: 允许提权;
ubuntu@cks-1:~$ vim privileged-psp.yaml
ubuntu@cks-1:~$ cat privileged-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged-psp
spec:
  privileged: true  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl create -f privileged-psp.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/privileged-psp created
ubuntu@cks-1:~$ kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME               PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
privileged-psp     true           RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
unprivileged-psp   false          RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl get pods -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
calico-kube-controllers-6b9fbfff44-ltm9g    1/1     Running   3          4d
calico-node-r72x7                           1/1     Running   3          4d
calico-node-vt447                           1/1     Running   3          4d
coredns-558bd4d5db-9w7h6                    1/1     Running   3          4d
coredns-558bd4d5db-wv6v2                    1/1     Running   3          4d
etcd-cks-1.example.com                      1/1     Running   3          4d
kube-controller-manager-cks-1.example.com   1/1     Running   8          4d
kube-proxy-7t27k                            1/1     Running   3          4d
kube-proxy-vq295                            1/1     Running   3          4d
kube-scheduler-cks-1.example.com            1/1     Running   8          4d
ubuntu@cks-1:~$

#创建普通pod和提权pod;
ubuntu@cks-1:~$ kubectl create -f normal-pod.yaml
pod/normal-pod created
ubuntu@cks-1:~$ kubectl create -f privileged-pod.yaml
pod/privileged-pod created
ubuntu@cks-1:~$

#用户要使用psp策略,必须有use权限;
ubuntu@cks-1:~$ kubectl auth can-i use psp/privileged-psp
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl auth can-i use psp/unprivileged-psp
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
ubuntu@cks-1:~$

#使用Mary在default 中创建 role: admin-pod, verb: get,list,watch, delete,run ,create;
ubuntu@cks-1:~$ kubectl create role --resource=pods --verb=get,list,watch,create,delete --dry-run=client admin-pod -o yaml > admin-pod.yaml
ubuntu@cks-1:~$ kubectl create -f admin-pod.yaml
role.rbac.authorization.k8s.io/admin-pod created
ubuntu@cks-1:~$ kubectl get roles
NAME        CREATED AT
admin-pod   2022-01-16T13:40:00Z
ubuntu@cks-1:~$

#将role: admin-pod 绑定给mary;
ubuntu@cks-1:~$ kubectl create rolebinding --role=admin-pod --user=mary mary-rb-admin-pod --dry-run=client -o yaml > mary-rb-admin-pod.yaml
ubuntu@cks-1:~$ kubectl create -f mary-rb-admin-pod.yaml
rolebinding.rbac.authorization.k8s.io/mary-rb-admin-pod created

ubuntu@cks-1:~$ ls
admin-pod.yaml  kube-bench_0.6.5_linux_amd64.deb     mary_csr.yaml           privileged-psp.yaml
Assessor-CLI    LFS260                               mary-rb-admin-pod.yaml  trivy_0.22.0_Linux-64bit.deb
CIS-Cat.zip     LFS260_V2021-08-10_SOLUTIONS.tar.xz  normal-pod.yaml         unprivileged-psp.yaml
install_k8s.sh  mary                                 privileged-pod.yaml
ubuntu@cks-1:~$

#测试;
ubuntu@cks-2:~$ cd .kube/
ubuntu@cks-2:~/.kube$ ls
cache  config.backup
ubuntu@cks-2:~/.kube$ mv config.backup config.backup
mv: 'config.backup' and 'config.backup' are the same file
ubuntu@cks-2:~/.kube$ mv config.backup config
ubuntu@cks-2:~/.kube$

ubuntu@cks-2:~$ kubectl auth can-i use psp/privileged-psp
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
no
ubuntu@cks-2:~$ kubectl auth can-i use psp/unprivileged-psp
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
no
ubuntu@cks-2:~$

ubuntu@cks-2:~$ kubectl run --image=nginx mypod -n default
Error from server (Forbidden): pods "mypod" is forbidden: PodSecurityPolicy: unable to admit pod: []
ubuntu@cks-2:~$

#创建 privileged-psp-rule;
ubuntu@cks-1:~$ kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME               PRIV    CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
privileged-psp     true           RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
unprivileged-psp   false          RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *
ubuntu@cks-1:~$ cat unprivileged-psp-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: unprivileged-psp-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - unprivileged-psp
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl create -f unprivileged-psp-role.yaml

ubuntu@cks-1:~$ kubectl get role -n default
NAME                    CREATED AT
admin-pod               2022-01-16T13:40:00Z
unprivileged-psp-role   2022-01-16T13:53:32Z
ubuntu@cks-1:~$

#将mary与unprivileged-psp-role 绑定;
ubuntu@cks-1:~$ vim mary-rb-unprivileged-psp-role.yaml
ubuntu@cks-1:~$ cat mary-rb-unprivileged-psp-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: mary-rb-unprivileged-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: unprivileged-psp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: mary
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl create -f mary-rb-unprivileged-psp-role.yaml
rolebinding.rbac.authorization.k8s.io/mary-rb-unprivileged-psp created
ubuntu@cks-1:~$

ubuntu@cks-2:~$
ubuntu@cks-2:~$ kubectl auth can-i use psp/unprivileged-psp
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
ubuntu@cks-2:~$ kubectl auth can-i use psp/privileged-psp
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
no
ubuntu@cks-2:~$

ubuntu@cks-1:~$ scp normal-pod.yaml privileged-pod.yaml ubuntu@172.19.0.3:~/
ubuntu@172.19.0.3's password:
normal-pod.yaml                                                                      100%  247   597.6KB/s   00:00
privileged-pod.yaml                                                                  100%  302   614.1KB/s   00:00
ubuntu@cks-1:~$

ubuntu@cks-1:~$ kubectl delete pod normal-pod --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "normal-pod" force deleted
ubuntu@cks-1:~$ kubectl delete pod privileged-pod --force
warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "privileged-pod" force deleted
ubuntu@cks-1:~$

ubuntu@cks-2:~$ kubectl create -f normal-pod.yaml
pod/normal-pod created

#测试结果,无法创建提权root的pod,提高pod的安全;
ubuntu@cks-2:~$ kubectl create -f privileged-pod.yaml
Error from server (Forbidden): error when creating "privileged-pod.yaml": pods "privileged-pod" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
ubuntu@cks-2:~$


关于诺普

                               
登录/注册后可看大图

诺普(深圳)咨询服务有限公司(简称ROPU)是专注于IT运维的最佳实践与传播,提供领先于业界的“IT运维技能及厂商认证培训”,“企业IT定制化内训,以及”高校IT基础性人才的培养,与全球著名授权机构、IT厂商建立长期合作伙伴关系,旨在为企业及运维人员提升IT自动化技能,为员工的技能转型及企业数字化转型提供最具价值的培训服务。

联系我们
电话:07755-82558626
林老师:18926480845
地址:深圳市福田区车公庙苍松大厦南座1115

                               
登录/注册后可看大图

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 论坛注册

本版积分规则

QQ|Archiver|手机版|小黑屋|sitemap|鸿鹄论坛 ( 京ICP备14027439号 )  

GMT+8, 2025-1-24 16:44 , Processed in 0.068135 second(s), 10 queries , Redis On.  

  Powered by Discuz!

  © 2001-2025 HH010.COM

快速回复 返回顶部 返回列表