References
Admission controller ImagePolicyWebhook: https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook
Enabling admission controllers on kube-apiserver: https://kubernetes.io/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/
Note: the body of the article follows; the worked example below is for reference.
I. Task
Solve this question on: ssh cks4024
Team White created an ImagePolicyWebhook solution at /opt/course/23/webhook on cks4024 which needs to be enabled for the cluster. There is an existing and working webhook-backend Service in Namespace team-white which will be the ImagePolicyWebhook backend.
Create an AdmissionConfiguration at /opt/course/23/webhook/admission-config.yaml which contains the following ImagePolicyWebhook configuration in the same file:
imagePolicy:
  kubeConfigFile: /etc/kubernetes/webhook/webhook.yaml
  allowTTL: 10
  denyTTL: 10
  retryBackoff: 20
  defaultAllow: true
Configure the apiserver to:
Mount /opt/course/23/webhook at /etc/kubernetes/webhook
Use the AdmissionConfiguration at path /etc/kubernetes/webhook/admission-config.yaml
Enable the ImagePolicyWebhook admission plugin
As a result the ImagePolicyWebhook backend should prevent container images containing danger-danger from being used; any other image should still work.
II. Solution
1. Part one: the AdmissionConfiguration file
The steps are as follows (example):
# Connect to the cluster named in the task
candidate@terminal:~$ ssh cks4024
# Switch to root so that writing files under /opt and /etc is not blocked by permissions
candidate@cks4024:~$ sudo -i
# Create the AdmissionConfiguration at the path the task requires. It is a file that
# kube-apiserver reads at startup (via --admission-control-config-file), not an API
# object, so it is written to disk rather than applied with kubectl.
root@cks4024:~# vim /opt/course/23/webhook/admission-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/webhook/webhook.yaml
      allowTTL: 10
      denyTTL: 10
      retryBackoff: 20
      defaultAllow: true
2. Part two: configuring the apiserver
The steps are as follows (example):
# Register the AdmissionConfiguration with the apiserver. Back up the static Pod
# manifest first so that a broken edit can be rolled back.
root@cks4024:~# cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/s23_kube-apiserver.yaml
root@cks4024:~# vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  ...
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook                   # CHANGE
    - --admission-control-config-file=/etc/kubernetes/webhook/admission-config.yaml  # ADD
    ...
    image: registry.k8s.io/kube-apiserver:v1.30.1
    name: kube-apiserver
    ...
    volumeMounts:
    - mountPath: /etc/kubernetes/webhook   # ADD
      name: webhook                        # ADD
      readOnly: true                       # ADD
    ...
  volumes:
  - hostPath:                              # ADD
      path: /opt/course/23/webhook         # ADD
      type: DirectoryOrCreate              # ADD
    name: webhook                          # ADD
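To show what the webhook-backend Service is doing once the plugin above is wired in, here is the decision logic of an ImagePolicyWebhook backend as an added illustration (not code from this write-up or from Team White's backend): the apiserver POSTs an imagepolicy.k8s.io/v1alpha1 ImageReview listing the Pod's images and expects an ImageReview back with status.allowed. The sample request, the blocked substring taken from the task text, and the function names are assumptions.

```python
import json

# Substring the backend in this task is expected to reject (from the task text).
BLOCKED_SUBSTRING = "danger-danger"


def review_images(image_review: dict) -> dict:
    """Produce the ImageReview response for one apiserver request.

    spec.containers carries every container image of the Pod being admitted.
    The verdict goes in status.allowed; status.reason is optional and is
    surfaced to the user when the Pod is rejected. The apiserver caches each
    verdict for allowTTL/denyTTL seconds, and with defaultAllow: true an
    unreachable backend results in the image being allowed, so the backend
    itself must be the one that says no.
    """
    spec = image_review.get("spec", {})
    denied = [
        c.get("image", "")
        for c in spec.get("containers", [])
        if BLOCKED_SUBSTRING in c.get("image", "")
    ]
    status = {"allowed": not denied}
    if denied:
        status["reason"] = "image(s) contain %r: %s" % (BLOCKED_SUBSTRING, ", ".join(denied))
    return {
        "apiVersion": image_review.get("apiVersion", "imagepolicy.k8s.io/v1alpha1"),
        "kind": "ImageReview",
        "status": status,
    }


def handle_request(body: bytes) -> bytes:
    """Wire format as an HTTP handler would see it: JSON body in, JSON body out."""
    return json.dumps(review_images(json.loads(body))).encode()


# Constructed sample request in the shape the apiserver sends (hypothetical images).
SAMPLE_REQUEST = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "containers": [
            {"image": "nginx:1.25"},
            {"image": "registry.example/danger-danger/app:latest"},
        ],
        "namespace": "team-white",
    },
}

if __name__ == "__main__":
    print(handle_request(json.dumps(SAMPLE_REQUEST).encode()).decode())
```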