欢迎关注我的公众号:
目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:
istio防故障利器,你知道几个,istio新手不要读,太难!
不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限
不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs
不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了
不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization
不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs
不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs
不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr
不懂envoyfilter也敢说精通istio系列-08-连接池和断路器
不懂envoyfilter也敢说精通istio系列-09-http-route filter
不懂envoyfilter也敢说精通istio系列-network filter-redis proxy
不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager
不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册
————————————————
PodSecurityPolicy:
•Pod 安全策略是集群级别的资源,它能够控制 Pod 运行时的行为以及 Pod 能访问什么。PodSecurityPolicy 对象定义了一组条件,Pod 必须满足这些条件才能被系统接受。
允许的控制:
开启PodSecurityPolicy:
•配置apiserver增加admission plugin PodSecurityPolicy即可。
•--enable-admission-plugins=NodeRestriction,PodSecurityPolicy
privileged:
[root@master01 privileged]# cat ./*
---
# Test pod for the "privileged" PSP: it requests a privileged container,
# which only a policy with `privileged: true` will admit.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        privileged: true
---
# A fully permissive PSP: privileged containers, every capability, every
# volume type, all host namespaces, any host port, any UID/SELinux/group.
# It restricts nothing, so bind it only to identities that genuinely need
# it (typically system components), never to ordinary workload accounts.
# NOTE: PodSecurityPolicy (policy/v1beta1) was deprecated in Kubernetes 1.21
# and removed in 1.25; Pod Security Admission replaces it on newer clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    # '*' must stay quoted: a bare * would be parsed as a YAML alias.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostIPC: true
  hostPID: true
  hostPorts:
    - min: 0
      max: 65535
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
RunAsUser:
[root@master01 runAsUser]# cat ./*
---
# Variant 1 of the "runasuser" PSP: containers must not run as UID 0
# (MustRunAsNonRoot); supplemental groups and fsGroup must fall in 1-65535.
# The three variants in this section all use the name "runasuser", so only
# one of them can exist in the cluster at a time.
# NOTE(review): the nginx test pod sets no runAsUser, and the nginx image
# presumably runs as root by default, so this variant is expected to keep
# that pod from running — confirm on the cluster.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  # Explicit allow-list of volume types; hostPath is deliberately absent.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Variant 2 of the "runasuser" PSP: the UID must be in 1-65535 (MustRunAs).
# When the pod does not set runAsUser itself, the PSP admission plugin
# fills in the minimum of the first range (here 1) as the default.
# Same name as the other two variants in this section — they cannot coexist.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Minimal test pod for the runAsUser examples: it sets no securityContext
# at all, so whatever UID it ends up with comes from the PSP defaults.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Variant 3 of the "runasuser" PSP: any UID is accepted (RunAsAny), so the
# test pod is admitted unchanged. Same name as the other two variants in
# this section — only one can be present in the cluster at a time.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasuser
spec:
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
SELinux:
[root@master01 selinux]# cat ./*
---
# Test pod that pins its own SELinux MCS level. The "selinux" PSP in this
# section requires level s0:c2,c3, so this pod's level (s0:c123,c456) does
# not match and admission is expected to reject it.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    seLinuxOptions:
      level: 's0:c123,c456'
  containers:
    - name: nginx
      image: nginx
---
# "selinux" PSP: every pod must run with SELinux level s0:c2,c3 (MustRunAs).
# A pod that sets no seLinuxOptions gets this level injected; a pod that sets
# a different level is rejected. Host namespaces are all disabled here.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: selinux
spec:
  hostNetwork: false
  hostIPC: false
  hostPID: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: MustRunAs
    seLinuxOptions:
      level: 's0:c2,c3'
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 0
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 0
        max: 65535
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
supplementalGroups:
[root@master01 supplementalGroups]# cat ./*
---
# "supplementalgroups" PSP, restrictive variant: supplemental GIDs must lie
# in 10-65535 (MustRunAs); a pod that sets none gets the range minimum, 10.
# Shares its name with the permissive variant below, so apply only one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Minimal test pod for the supplementalGroups examples: no securityContext,
# so any supplemental groups it ends up with are injected by the PSP.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# "supplementalgroups" PSP, permissive variant: any supplemental GIDs
# (RunAsAny). Same name as the restrictive variant above — apply only one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: supplementalgroups
spec:
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
FSGroup:
[root@master01 fsGroup]# cat ./*
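---
# "fsgroups" PSP, restrictive variant: fsGroup must be in 20-65535 and
# supplemental GIDs in 10-65535 (both MustRunAs); a pod that sets neither
# gets the range minimum injected. Shares its name with the permissive
# variant below, so apply only one of them.
# Fixed: the original file had `max:65535` (no space after the colon), which
# YAML reads as the single string "max:65535" inside the range item instead
# of a `max` key — the range would have been malformed and rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 20
        max: 65535
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim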
---
# Minimal test pod for the fsGroup examples: no securityContext, so the
# fsGroup it runs with is whatever the active PSP injects.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# "fsgroups" PSP, permissive variant: any fsGroup and any supplemental
# groups (RunAsAny). Same name as the restrictive variant — apply only one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fsgroups
spec:
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
runAsGroup:
[root@master01 runAsGroup]# cat ./*
---
# "runasgroup" PSP, restrictive variant: the primary GID must be in 10-65535
# (MustRunAs); a pod without runAsGroup gets the range minimum, 10.
# Shares its name with the permissive variant below, so apply only one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 10
        max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Minimal test pod for the runAsGroup examples: no securityContext, so its
# primary GID is whatever the active PSP injects.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# "runasgroup" PSP, permissive variant: any primary GID (RunAsAny).
# Same name as the restrictive variant above — apply only one.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: runasgroup
spec:
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
HostPorts:
[root@master01 HostPorts]# cat ./*
---
# "hostports" PSP: containers may bind host ports only in 65532-65535.
# The test pod below asks for hostPort 8080, which is outside that range,
# so admission is expected to reject it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostports
spec:
  hostPorts:
    - min: 65532
      max: 65535
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Test pod for the hostPorts example: maps container port 80 to host port
# 8080, which the "hostports" PSP (65532-65535 only) does not allow.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
          hostPort: 8080
AllowedHostPaths:
[root@master01 allowedHostPaths]# cat ./*
---
# "allowedhostpaths" PSP: hostPath volumes are permitted only under /foo,
# and only read-only. The test pod mounts /data read-write, so admission is
# expected to reject it. Note `volumes: ['*']` still allows the hostPath
# type itself; allowedHostPaths is what narrows it to specific prefixes.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedhostpaths
spec:
  allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# Test pod for the allowedHostPaths example: mounts host directory /data
# (created if missing) into the nginx web root. /data is not under the
# PSP's allowed prefix /foo, so the pod should be rejected.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  volumes:
    - name: html
      hostPath:
        path: /data
        type: DirectoryOrCreate
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
      volumeMounts:
        - name: html
          mountPath: /usr/share/nginx/html
hostIPC:
[root@master01 hostIPC]# cat ./*
---
# "hostipc" PSP: pods may not share the host IPC namespace. The test pod
# sets `hostIPC: true`, so admission is expected to reject it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostipc
spec:
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# Test pod for the hostIPC example: requests the host IPC namespace, which
# the "hostipc" PSP forbids. The hostPath mount is carried over from the
# previous example and is not what this test is about.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostIPC: true
  volumes:
    - name: html
      hostPath:
        path: /data
        type: DirectoryOrCreate
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
      volumeMounts:
        - name: html
          mountPath: /usr/share/nginx/html
hostPID:
[root@master01 hostPID]# cat ./*
---
# "hostpid" PSP: pods may not share the host PID namespace. The test pod
# sets `hostPID: true`, so admission is expected to reject it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostpid
spec:
  hostPID: false
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# Test pod for the hostPID example: requests the host PID namespace, which
# the "hostpid" PSP forbids.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostPID: true
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
hostNetwork:
[root@master01 hostNetwork]# cat ./*
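---
# "hostnetwork" PSP: pods may not use the host network namespace. The test
# pod sets `hostNetwork: true`, so admission is expected to reject it.
# Fixed: the hostPorts range ended at 65536, which is not a valid TCP/UDP
# port (the maximum is 65535); the range now covers all real ports.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostnetwork
spec:
  hostNetwork: false
  # Host ports are still allowed here; only the host network namespace is
  # denied by this policy.
  hostPorts:
    - min: 0
      max: 65535
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'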
---
# Test pod for the hostNetwork example: requests the host network
# namespace, which the "hostnetwork" PSP forbids.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostNetwork: true
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
allowPrivilegeEscalation:
[root@master01 allowPrivilegeEscalation]# cat ./*
---
# "allowprivilegeescalation" PSP: containers may not gain more privileges
# than their parent process (no setuid binaries, no new capabilities).
# The test pod explicitly asks for allowPrivilegeEscalation: true, so
# admission is expected to reject it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowprivilegeescalation
spec:
  allowPrivilegeEscalation: false
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# Test pod for the allowPrivilegeEscalation example: the container opts in
# to privilege escalation, which the PSP in this section disallows.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        allowPrivilegeEscalation: true
requiredDropCapabilities:
[root@master01 requiredDropCapabilities]# cat ./*
---
# Minimal test pod for the requiredDropCapabilities example: it declares no
# capabilities of its own, so the drop list it ends up with comes from the
# PSP.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# "requireddropcapabilities" PSP: every container must drop CHOWN.
# NOTE(review): the PSP admission plugin presumably adds required drops to
# a container that does not list them itself rather than rejecting the pod
# — confirm by inspecting the admitted pod's securityContext.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  requiredDropCapabilities:
    - CHOWN
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
allowedCapabilities:
[root@master01 allowedCapabilities]# cat ./*
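---
# "allowedcapabilities" PSP: the only capability a container may add is
# NET_ADMIN. The test pod adds NET_ADMIN and SYS_TIME, so admission is
# expected to reject it because of SYS_TIME.
# Fixed: the original file still carried the name "requireddropcapabilities"
# (copied from the previous example), which would have collided with that
# PSP and did not follow this page's convention of naming each PSP after
# its example directory.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedcapabilities
spec:
  allowedCapabilities:
    - NET_ADMIN
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'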
---
# Test pod for the allowedCapabilities example: adds NET_ADMIN and SYS_TIME;
# the PSP in this section permits only NET_ADMIN.
# NOTE(review): runAsNonRoot is set without a runAsUser, and busybox
# presumably runs as root by default, so even an admitted pod would be
# refused by the kubelet at container start — confirm, or add a runAsUser.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - sh
        - -c
        - sleep 36000
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - SYS_TIME
defaultAddCapabilities:
[root@master01 defaultAddCapabilities]# cat ./*
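---
# "defaultaddcapabilities" PSP: NET_ADMIN and SYS_TIME are added to every
# container by default. Capabilities listed here are implicitly allowed, so
# the test pod's explicit add of the same two is admitted.
# Fixed: the original file still carried the name "requireddropcapabilities"
# (copied from an earlier example), which would have collided with that PSP
# and did not follow this page's convention of naming each PSP after its
# example directory.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: defaultaddcapabilities
spec:
  defaultAddCapabilities:
    - NET_ADMIN
    - SYS_TIME
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'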
---
# Test pod for the defaultAddCapabilities example: explicitly adds the same
# two capabilities the PSP adds by default.
# NOTE(review): runAsNonRoot is set without a runAsUser, and busybox
# presumably runs as root by default, so the kubelet would refuse to start
# the container — confirm, or add a runAsUser.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - sh
        - -c
        - sleep 36000
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - SYS_TIME
readOnlyRootFilesystem:
[root@master01 readOnlyRootFilesystem]# cat ./*
---
# Minimal test pod for the readOnlyRootFilesystem example: it does not set
# readOnlyRootFilesystem itself, so the value it runs with comes from the
# PSP.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# "readonlyrootfilesystem" PSP: every container must run with a read-only
# root filesystem; a container that does not set it gets it injected.
# NOTE(review): the nginx image presumably writes to its cache and pid
# paths at startup, so the test pod may be admitted but then fail to run
# unless writable emptyDir volumes are mounted there — confirm.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: readonlyrootfilesystem
spec:
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
allowedUnsafeSysctls:
[root@master01 allowedUnsafeSysctls]# cat ./*
<br></br>
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-10
spec:
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"
forbiddenSysctls:
[root@master01 forbiddenSysctls]# cat ./*
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: forbiddensysctls
spec:
volumes:
- '*'
runAsUser:
rule: 'RunAsAny'
runAsGroup:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
forbiddenSysctls:
- net.ipv4.ip_forward
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-10
spec:
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: sec-ctx-4
image: busybox
args:
- "sh"
- "-c"
- "sleep 36000"