Kubernetes access control
Kubernetes API access control
Principles
Authentication
• There are eight authentication methods; one or more of them can be enabled, and as soon as one method succeeds the remaining methods are not tried. Usually the two methods X509 Client Certs and Service Account Tokens are enabled.
• A Kubernetes cluster has two kinds of users: Service Accounts, which are managed by Kubernetes, and normal accounts (User Accounts). An account in k8s is not an account in the usual sense: it does not really exist as a stored object, it exists only in form.
Authorization
• A request reaches authorization only after it has passed authentication. The attributes of the requested resource are matched against all authorization policies, and the request is allowed or denied accordingly. There are currently six authorization modes: AlwaysDeny, AlwaysAllow, ABAC, RBAC, Webhook and Node. RBAC is enabled by default on the cluster.
Admission Control
• A way of intercepting requests. It runs after authentication and authorization and is the last link in the permission chain, acting on the request
Clients that access the k8s API Server fall into two main classes:
• kubectl: the file .kube/config in the user's home directory stores the key material the client uses to reach the API Server. When kubectl is used against k8s it reads this configuration file automatically, authenticates to the API Server, and then completes the requested operation.
• pod: a process inside a Pod needs to access the API Server. When a person, or a script written by a person, does the accessing, the account used is a UserAccount; when the Pod itself connects to the API Server, the account used is a ServiceAccount. In production the latter is by far the more common.
• The commands kubectl sends to the apiserver travel over HTTP; they are really create, delete, update and read operations on URLs.
• $ kubectl proxy --port=8888 &
• $ curl http://localhost:8888/api/v1/namespaces/default
• $ curl http://localhost:8888/apis/apps/v1/namespaces/default/deployments
• The difference between the two API paths above:
• /api is a special path; only objects in the core v1 group are reachable through it.
• /apis is the fixed-format entry point for all other API groups.
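The authorizer never sees a URL; it sees request attributes (verb, API group, resource, namespace, name) that the API server derives from the HTTP method and path. The following Python is an added example written for this page, not kubectl or Kubernetes code: it models the two path shapes just described, /api/v1/... for the core group and /apis/<group>/<version>/... for every other group, and maps them to the attributes that RBAC rules later match on. The `_METHOD_VERBS` table and `RequestAttributes` type are this example's own names.

```python
"""Derive the request attributes the API server's authorizer sees from an
HTTP method and URL path (added example for this page, not kubectl or
Kubernetes code). It models the two path shapes above: /api/v1/... for
the core group and /apis/<group>/<version>/... for every other group."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestAttributes:
    verb: str                   # RBAC verb: get, list, watch, create, update, patch, delete
    api_group: str              # "" for the core group, otherwise the group name
    resource: str               # e.g. "pods", or "pods/log" for a subresource
    namespace: Optional[str]    # None for cluster-scoped requests
    name: Optional[str]         # None for requests on a whole collection


# (HTTP method, request names a single object?) -> RBAC verb
_METHOD_VERBS = {
    ("GET", True): "get", ("GET", False): "list",
    ("POST", False): "create",
    ("PUT", True): "update", ("PATCH", True): "patch",
    ("DELETE", True): "delete", ("DELETE", False): "deletecollection",
}


def parse_request(method: str, url: str) -> RequestAttributes:
    """Map method + path to the (verb, group, resource, namespace, name) tuple RBAC rules match on."""
    path, _, query = url.partition("?")
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "api" and parts[1] == "v1":
        api_group, rest = "", parts[2:]            # core group: /api/v1/...
    elif len(parts) >= 3 and parts[0] == "apis":
        api_group, rest = parts[1], parts[3:]      # named group: /apis/<group>/<version>/...
    else:
        raise ValueError(f"not a resource path: {url}")

    # "namespaces/<ns>/<resource>..." scopes the request to a namespace;
    # "namespaces" or "namespaces/<name>" alone is a request on Namespace objects themselves.
    namespace = None
    if len(rest) >= 3 and rest[0] == "namespaces":
        namespace, rest = rest[1], rest[2:]
    if not rest:
        raise ValueError(f"no resource in path: {url}")

    resource = rest[0]
    name = rest[1] if len(rest) >= 2 else None
    if len(rest) >= 3:
        resource = f"{resource}/{rest[2]}"         # subresource such as pods/log or pods/exec

    if "watch=true" in query.split("&"):
        verb = "watch"                             # GET with ?watch=true is a watch, not a list
    else:
        try:
            verb = _METHOD_VERBS[(method.upper(), name is not None)]
        except KeyError:
            raise ValueError(f"unsupported {method} on {url}") from None
    return RequestAttributes(verb, api_group, resource, namespace, name)


if __name__ == "__main__":
    # The two proxied URLs from the session below
    print(parse_request("GET", "/api/v1/namespaces/default"))
    print(parse_request("GET", "/apis/apps/v1/namespaces/default/deployments"))
```

Note how `/api/v1/namespaces/default` is a `get` of the Namespace object named `default` (cluster-scoped), whereas `/apis/apps/v1/namespaces/default/deployments` is a `list` of deployments inside that namespace; a Role that grants `list` on `pods` in `default` says nothing about either of them.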
• UserAccount versus ServiceAccount:
• User accounts are for people. Service accounts are for processes running in pods.
• User accounts are global: their names are unique across all namespaces of the cluster, and future user resources will not be namespace-isolated. Service accounts are namespace-isolated.
• Typically a cluster's user accounts are synced from a corporate database; creating them requires special privileges and involves complex business processes. Service accounts are meant to be more lightweight, allowing cluster users to create service accounts for specific tasks (the principle of least privilege).
[root@server2 statefulset]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-7777df944c-4ls4d 1/1 Running 3 9d
coredns-7777df944c-gwxzq 1/1 Running 3 9d
etcd-server2 1/1 Running 3 9d
kube-apiserver-server2 1/1 Running 3 9d
kube-controller-manager-server2 1/1 Running 4 9d
kube-flannel-ds-c4zbw 1/1 Running 0 40h
kube-flannel-ds-mpnj2 1/1 Running 0 40h
kube-flannel-ds-pmpwk 1/1 Running 0 40h
kube-proxy-7fvhx 1/1 Running 0 3d19h
kube-proxy-qsk7n 1/1 Running 0 3d19h
kube-proxy-vvglf 1/1 Running 0 3d19h
kube-scheduler-server2 1/1 Running 4 9d
[root@server2 statefulset]# kubectl run demo --image=nginx -it --restart=Never --rm=true -- bash
If you don't see a command prompt, try pressing enter.
root@demo:/# ls
bin docker-entrypoint.d home media proc sbin tmp
boot docker-entrypoint.sh lib mnt root srv usr
dev etc lib64 opt run sys var
root@demo:/# cd etc/nginx/
root@demo:/etc/nginx# ls
conf.d koi-utf mime.types nginx.conf uwsgi_params
fastcgi_params koi-win modules scgi_params win-utf
root@demo:/etc/nginx# cat nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
[root@server2 ~]# kubectl proxy --port=8888 &
[1] 20564
[root@server2 ~]# Starting to serve on 127.0.0.1:8888
[root@server2 ~]# netstat -antlp| grep :8888
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 20564/kubectl
[root@server2 ~]# curl http://localhost:8888/api/v1/namespaces/default
{
"kind": "Namespace",
"apiVersion": "v1",
"metadata": {
"name": "default",
"uid": "2fe0e537-f115-44cf-810c-2a2d5cd0c62d",
"resourceVersion": "210",
"creationTimestamp": "2021-07-24T10:19:16Z",
"labels": {
"kubernetes.io/metadata.name": "default"
},
"managedFields": [
{
"manager": "kube-apiserver",
"operation": "Update",
"apiVersion": "v1",
"time": "2021-07-24T10:19:16Z",
"fieldsType": "FieldsV1",
"fieldsV1": {"f:metadata":{"f:labels":{".":{},"f:kubernetes.io/metadata.name":{}}}}
}
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}
[root@server2 ~]# curl http://localhost:8888/apis/apps/v1/namespaces/defaut/deployments
{
"kind": "DeploymentList",
"apiVersion": "apps/v1",
"metadata": {
"resourceVersion": "1092882"
},
"items": []
}
Create a ServiceAccount:
k8s automatically generates authentication credentials for it, but grants no authorization.
[root@server2 ~]# kubectl get sa
NAME SECRETS AGE
default 1 9d
[root@server2 ~]# kubectl create sa admin
serviceaccount/admin created
[root@server2 ~]# kubectl get sa
NAME SECRETS AGE
admin 1 2s
default 1 9d
[root@server2 ~]# kubectl get sa admin -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2021-08-03T02:50:54Z"
name: admin
namespace: default
resourceVersion: "1092989"
uid: 7af69a90-9965-474c-b214-85b4a7771297
secrets:
- name: admin-token-s4hsz
[root@server2 ~]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-s4hsz
Tokens: admin-token-s4hsz
Events: <none>
image: game2048
Bind the ServiceAccount to a Pod:
[root@server2 ~]# kubectl patch serviceaccount admin -p '{"imagePullSecrets": [{"name":"myregistrykey"}]}'
serviceaccount/admin patched
[root@server2 ~]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: myregistrykey
Mountable secrets: admin-token-s4hsz
Tokens: admin-token-s4hsz
Events: <none>
[root@server2 ~]# cd
[root@server2 ~]# ls
auth ingress-nginx-v0.48.1.tar nfs-client
calico k8s-1.21.3.tar.gz nfs-client-provisioner.yaml
calico-v3.19.1.tar kube-flannel.yml pod
certs metallb statefulset
configmap metallb-v0.10.2.tar volumes
ingress-nginx myapp.tar
[root@server2 ~]# cd configmap/
[root@server2 configmap]# ls
cm1.yml password.txt pod.yaml test
nginx.conf pod2.yaml registry.yaml username.txt
nginx.yaml pod3.yaml secret.yaml
[root@server2 configmap]# kubectl delete -f registry.yaml
pod "mypod" deleted
[root@server2 configmap]# vim registry.yaml
[root@server2 configmap]# cat registry.yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: game2048
    image: reg.westos.org/library/game2048:latest
  serviceAccountName: admin
  #imagePullSecrets:
  #  - name: myregistrykey
[root@server2 configmap]# kubectl apply -f registry.yaml
pod/mypod created
[root@server2 configmap]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 9s
[root@server2 configmap]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: myregistrykey
Mountable secrets: admin-token-s4hsz
Tokens: admin-token-s4hsz
Events: <none>
[root@server2 configmap]# kubectl describe pod mypod
Name: mypod
Namespace: default
Priority: 0
Node: server3/172.25.12.3
Start Time: Mon, 02 Aug 2021 23:02:56 -0400
Labels: <none>
Annotations: <none>
Status: Running
IP: 10.244.5.70
IPs:
IP: 10.244.5.70
Containers:
game2048:
Container ID: docker://f899636fd2e1af19777fd7f6ae5511f5132c7ffee89ed3781209ee067d25f390
Image: reg.westos.org/library/game2048:latest
Image ID: docker-pullable://reg.westos.org/library/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Port: <none>
Host Port: <none>
State: Running
Started: Mon, 02 Aug 2021 23:03:01 -0400
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9w4kl (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-9w4kl:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 59s default-scheduler Successfully assigned default/mypod to server3
Normal Pulling 58s kubelet Pulling image "reg.westos.org/library/game2048:latest"
Normal Pulled 54s kubelet Successfully pulled image "reg.westos.org/library/game2048:latest" in 3.557909614s
Normal Created 54s kubelet Created container game2048
Normal Started 54s kubelet Started container game2048
[root@server2 configmap]# ls
cm1.yml password.txt pod.yaml test
nginx.conf pod2.yaml registry.yaml username.txt
nginx.yaml pod3.yaml secret.yaml
Create a UserAccount
[root@server2 pki]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................+++
.........................................+++
e is 65537 (0x10001)
[root@server2 pki]# openssl req -new -key test.key -out test.csr -subj "/CN=test"
[root@server2 pki]# ll test.csr
-rw-r--r-- 1 root root 883 Aug 2 23:07 test.csr
[root@server2 pki]# openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt -days 365
Signature ok
subject=/CN=test
Getting CA Private Key
[root@server2 pki]# kubectl config set-credentials test --client-certificate=/etc/kubernetes/pki/test.crt --client-key=/etc/kubernetes/pki/test.key --embed-certs=true
User "test" set.
[root@server2 pki]# kubectl config set-context test@kubernetes --cluster=kubernetes --user=test
Context "test@kubernetes" created.
[root@server2 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://172.25.12.2:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: test
name: test@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: test
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
Authenticated, but not authorized
[root@server2 pki]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@server2 pki]# kubectl get pod
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
RBAC (Role Based Access Control): role-based authorization.
• Allows administrators to configure authorization policy dynamically through the Kubernetes API. In RBAC, users are associated with permissions through roles.
• RBAC only grants permissions; there are no deny rules, so you only need to define what a user is allowed to do.
• RBAC has four resource types: Role, ClusterRole, RoleBinding and ClusterRoleBinding.
• The three basic RBAC concepts:
• Subject: the entity the rules act on; the three kinds of subject in k8s are user, group and serviceAccount.
• Role: a role is really a set of rules defining the operations permitted on Kubernetes API objects.
• RoleBinding: defines the binding between a subject and a role.
• Role and ClusterRole
• A Role is a collection of permissions; a Role can only grant access to resources within a single namespace.
• A ClusterRole is like a Role, but can be used cluster-wide.
Role example:
[root@server2 ~]# mkdir roles
[root@server2 ~]# cd roles/
[root@server2 roles]# vim role.yaml
[root@server2 roles]# cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
[root@server2 roles]# kubectl apply -f role.yaml
role.rbac.authorization.k8s.io/myrole created
[root@server2 roles]# kubectl get role
NAME CREATED AT
myrole 2021-08-03T03:18:57Z
[root@server2 roles]# kubectl describe role myrole
Name: myrole
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get watch list create update patch delete]
• RoleBinding and ClusterRoleBinding
• A RoleBinding grants the permissions defined in a Role to a user or group. It contains a list of subjects (users, groups, service accounts) and a reference to the Role.
• A RoleBinding grants permissions within one namespace; a ClusterRoleBinding applies cluster-wide.
• RoleBinding example:
[root@server2 roles]# vim rolebindinf.yaml
[root@server2 roles]# cat rolebindinf.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-read-pods
  namespace: default
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: myrole
  apiGroup: rbac.authorization.k8s.io
[root@server2 roles]# kubectl apply -f rolebindinf.yaml
rolebinding.rbac.authorization.k8s.io/test-read-pods created
[root@server2 roles]# kubectl get role
NAME CREATED AT
myrole 2021-08-03T03:18:57Z
[root@server2 roles]# kubectl get rolebindings.rbac.authorization.k8s.io
NAME ROLE AGE
test-read-pods Role/myrole 23s
[root@server2 roles]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@server2 roles]# kubectl get pod
NAME READY STATUS RESTARTS AGE
demo 1/1 Running 0 36m
mypod 1/1 Running 0 19m
web-0 1/1 Running 0 41h
web-1 1/1 Running 0 41h
web-2 1/1 Running 0 41h
[root@server2 roles]# kubectl get pod -n kube-system
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "kube-system"
[root@server2 roles]# kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "test" cannot list resource "namespaces" in API group "" at the cluster scope
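The three results above (pods in default allowed, pods in kube-system forbidden, namespaces at cluster scope forbidden) follow from how bindings are scoped. The Python below is an added example for this page, not the Kubernetes authorizer code: it encodes the myrole Role and test-read-pods RoleBinding from this section, plus the myclusterrole ClusterRole defined further down, as plain data and evaluates requests against them. The class names (`Rule`, `Subject`, `Binding`, `Authorizer`) and the helper functions are this example's own; the `system:authenticated` group is a real built-in group every authenticated user carries.

```python
"""Minimal model of how RBAC authorization decides a request (added
example for this page; not the Kubernetes authorizer code). It encodes
the myrole Role and test-read-pods RoleBinding from the session above
and reproduces the results seen for user "test", then shows what a
ClusterRoleBinding changes."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

    def matches(self, verb: str, api_group: str, resource: str, name: Optional[str]) -> bool:
        def hit(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed
        if not (hit(self.verbs, verb) and hit(self.api_groups, api_group) and hit(self.resources, resource)):
            return False
        # resourceNames narrows the rule to named objects; a collection request (no name) never matches it
        return not self.resource_names or (name is not None and name in self.resource_names)


@dataclass
class UserInfo:
    name: str
    groups: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Subject:
    kind: str                  # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""        # ServiceAccount only

    def covers(self, user: UserInfo) -> bool:
        if self.kind == "User":
            return user.name == self.name
        if self.kind == "Group":
            return self.name in user.groups
        if self.kind == "ServiceAccount":   # service accounts authenticate under this built-in user name
            return user.name == f"system:serviceaccount:{self.namespace}:{self.name}"
        return False


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None    # None means this is a ClusterRole


@dataclass
class Binding:
    subjects: List[Subject]
    role_ref: Role
    namespace: Optional[str] = None    # None means this is a ClusterRoleBinding


class Authorizer:
    def __init__(self, bindings: List[Binding]):
        self.bindings = bindings

    def allowed(self, user: UserInfo, verb: str, api_group: str, resource: str,
                namespace: Optional[str] = None, name: Optional[str] = None) -> bool:
        for b in self.bindings:
            # A RoleBinding only grants inside its own namespace, even when it references a ClusterRole
            if b.namespace is not None and b.namespace != namespace:
                continue
            # A Role can only be referenced by a RoleBinding in the same namespace
            if b.role_ref.namespace is not None and b.role_ref.namespace != b.namespace:
                continue
            if not any(s.covers(user) for s in b.subjects):
                continue
            if any(r.matches(verb, api_group, resource, name) for r in b.role_ref.rules):
                return True
        return False   # RBAC has no deny rules: whatever is not explicitly allowed is forbidden


ALL_VERBS = ["get", "watch", "list", "create", "update", "patch", "delete"]
MYROLE = Role("myrole", [Rule([""], ["pods"], ALL_VERBS)], namespace="default")
TEST_READ_PODS = Binding([Subject("User", "test")], MYROLE, namespace="default")
MYCLUSTERROLE = Role("myclusterrole", [
    Rule([""], ["pods"], ["get", "watch", "list", "delete", "create", "update"]),
    Rule(["extensions", "apps"], ["deployments"], ALL_VERBS),
])
CLUSTER_BINDING = Binding([Subject("User", "test")], MYCLUSTERROLE)
TEST_USER = UserInfo("test", ["system:authenticated"])


def with_rolebinding_only() -> Authorizer:
    return Authorizer([TEST_READ_PODS])


def with_clusterrolebinding() -> Authorizer:
    return Authorizer([TEST_READ_PODS, CLUSTER_BINDING])


if __name__ == "__main__":
    a = with_rolebinding_only()
    print("list pods in default:", a.allowed(TEST_USER, "list", "", "pods", "default"))          # True
    print("list pods in kube-system:", a.allowed(TEST_USER, "list", "", "pods", "kube-system"))  # False
    print("list namespaces:", a.allowed(TEST_USER, "list", "", "namespaces"))                    # False
```

The namespace check on the binding is the point: a ClusterRole bound through a RoleBinding still only grants inside that RoleBinding's namespace, so granting cluster-wide reach requires a ClusterRoleBinding, which is exactly what the kube-system listing later in this section needs.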
• ClusterRole example:
[root@server2 roles]# vim clusterrole.yaml
[root@server2 roles]# cat clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
[root@server2 roles]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@server2 roles]# kubectl apply -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/myclusterrole created
[root@server2 roles]# kubectl get clusterrole | grep mycluster
myclusterrole 2021-08-03T03:25:25Z
[root@server2 roles]# vim clusterrole.yaml
[root@server2 roles]# cat clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myclusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete", "create", "update"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services", "endpoints"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
[root@server2 roles]# kubectl apply -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/myclusterrole configured
[root@server2 roles]# ls
clusterrole.yaml rolebindinf.yaml role.yaml
• Bind the ClusterRole (here with a ClusterRoleBinding, so it applies cluster-wide):
[root@server2 roles]# vim clusterrolebinding.yaml
[root@server2 roles]# cat clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterrolebinding-myclusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myclusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
[root@server2 roles]# kubectl apply -f clusterrolebinding.yaml
clusterrolebinding.rbac.authorization.k8s.io/clusterrolebinding-myclusterrole created
[root@server2 roles]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@server2 roles]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-7777df944c-4ls4d 1/1 Running 3 9d
coredns-7777df944c-gwxzq 1/1 Running 3 9d
etcd-server2 1/1 Running 3 9d
kube-apiserver-server2 1/1 Running 3 9d
kube-controller-manager-server2 1/1 Running 4 9d
kube-flannel-ds-c4zbw 1/1 Running 0 41h
kube-flannel-ds-mpnj2 1/1 Running 0 41h
kube-flannel-ds-pmpwk 1/1 Running 0 41h
kube-proxy-7fvhx 1/1 Running 0 3d20h
kube-proxy-qsk7n 1/1 Running 0 3d20h
kube-proxy-vvglf 1/1 Running 0 3d20h
kube-scheduler-server2 1/1 Running 4 9d
Service account automation
• Service account admission controller
• If the pod has no ServiceAccount set, its ServiceAccount is set to default.
• Ensures the ServiceAccount the pod references exists; otherwise the pod is rejected.
• If the pod does not set ImagePullSecrets, the ImagePullSecrets of the ServiceAccount are added to the pod.
• Adds a volume containing the token used for API access to the pod.
• Adds a volumeSource mounted at /var/run/secrets/kubernetes.io/serviceaccount to every container in the pod.
• Token controller
• Watches for service account creation and creates the corresponding Secret to support API access.
• Watches for service account deletion and deletes all corresponding service account Token Secrets.
• Watches for Secret additions, ensures the referenced service account exists, and adds a token to the Secret if needed.
• Watches for Secret deletions and removes the reference from the corresponding service account if needed.
• Service account controller
• The service account controller manages the service accounts in every namespace and ensures that every active namespace has a service account named "default".
• Kubernetes also has the concept of a group (Group):
• The built-in "user" name corresponding to a ServiceAccount is:
• system:serviceaccount:<ServiceAccount name>
• and the built-in name of the corresponding group is:
• system:serviceaccounts:<Namespace name>
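The five admission-controller steps listed above are easiest to see as a transformation of a pod object. The Python below is an added example for this page, not the controller's own code: it applies those steps to a pod dict against a constructed in-memory cluster state (the `CLUSTER` dict with the `default` and `admin` service accounts from this section), building the same kind of projected `kube-api-access` volume that `kubectl describe pod mypod` showed (the real volume name carries a random suffix; the 3607-second token lifetime is the value from that output). It also writes out the service-account user and group names in full, namespace included, since the namespace is part of the built-in user name.

```python
"""Simulation of the ServiceAccount admission controller steps listed
above (added example for this page, not the controller's own code). The
cluster state is a constructed in-memory dict; the token volume mirrors
the projected kube-api-access volume seen in 'kubectl describe pod mypod'."""
import copy
from typing import Dict, List

SA_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


class AdmissionError(Exception):
    """Raised when the pod must be rejected."""


# Constructed state: namespace -> service account name -> ServiceAccount fields
CLUSTER: Dict[str, Dict[str, dict]] = {
    "default": {
        "default": {"imagePullSecrets": []},
        "admin": {"imagePullSecrets": [{"name": "myregistrykey"}]},
    },
}


def service_account_username(namespace: str, name: str) -> str:
    # The built-in user name written out in full: the namespace is part of it
    return f"system:serviceaccount:{namespace}:{name}"


def service_account_groups(namespace: str) -> List[str]:
    # Every service account is in the cluster-wide group and in its namespace's group
    return ["system:serviceaccounts", f"system:serviceaccounts:{namespace}"]


def admit(pod: dict, namespace: str, cluster: Dict[str, Dict[str, dict]] = CLUSTER) -> dict:
    """Return the mutated pod, or raise AdmissionError (the caller's dict is left untouched)."""
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    # 1. default the ServiceAccount
    sa_name = spec.setdefault("serviceAccountName", "default")
    # 2. the referenced ServiceAccount must exist in the pod's namespace
    sa = cluster.get(namespace, {}).get(sa_name)
    if sa is None:
        raise AdmissionError(f"service account {namespace}/{sa_name} not found")
    # 3. inherit imagePullSecrets only when the pod sets none of its own
    if not spec.get("imagePullSecrets") and sa.get("imagePullSecrets"):
        spec["imagePullSecrets"] = copy.deepcopy(sa["imagePullSecrets"])
    # 4. add the projected token volume (the suffix is random in a real cluster)
    volume_name = f"kube-api-access-{sa_name}"
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == volume_name for v in volumes):
        volumes.append({"name": volume_name, "projected": {"sources": [
            {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}},
            {"configMap": {"name": "kube-root-ca.crt", "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
            {"downwardAPI": {"items": [{"path": "namespace", "fieldRef": {"fieldPath": "metadata.namespace"}}]}},
        ]}})
    # 5. mount it read-only into every container that does not already mount that path
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        mounts = container.setdefault("volumeMounts", [])
        if not any(m.get("mountPath") == SA_MOUNT_PATH for m in mounts):
            mounts.append({"name": volume_name, "mountPath": SA_MOUNT_PATH, "readOnly": True})
    return pod


if __name__ == "__main__":
    mypod = {"metadata": {"name": "mypod"}, "spec": {
        "containers": [{"name": "game2048", "image": "reg.westos.org/library/game2048:latest"}],
        "serviceAccountName": "admin"}}
    print(admit(mypod, "default")["spec"]["imagePullSecrets"])   # [{'name': 'myregistrykey'}]
```

Step 3 is why the commented-out `imagePullSecrets` in registry.yaml above was unnecessary once the secret had been patched onto the `admin` service account, and step 4 is why every pod ends up with an API token on disk unless `automountServiceAccountToken: false` is set on the pod or the service account.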
Pod Security Policy (PSP) configuration
By default Kubernetes allows a Pod with privileged containers to be created, and such containers can easily endanger system security. A Pod Security Policy (PSP) protects the cluster from privileged Pods by ensuring that the requester is permitted to create a Pod with the requested configuration.
[root@server2 ~]# mkdir psp
[root@server2 ~]# cd psp/
[root@server2 psp]# ls
[root@server2 psp]#
[root@server2 psp]# vim psp.yaml
[root@server2 psp]# cat psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive
spec:
  privileged: false
  hostNetwork: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - 'configMap'
  - 'downwardAPI'
  - 'emptyDir'
  - 'persistentVolumeClaim'
  - 'secret'
  - 'projected'
  allowedCapabilities:
  - '*'
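To make the effect of the `restrictive` policy concrete, here is an added example for this page (not the PSP admission plugin, which additionally mutates pods and enforces the MustRunAs-style rules) that checks a pod spec against the fields the policy above sets. The `RESTRICTIVE` dict is a transcription of psp.yaml; the pod specs and the `violations`/`admitted` function names are this example's own.

```python
"""Check a pod spec against the fields set in the restrictive
PodSecurityPolicy above (added example for this page; not the PSP
admission plugin, which also mutates pods and applies MustRunAs rules).
Policy and pod specs below are constructed dicts."""
from typing import List

# The restrictive policy from psp.yaml above, as a dict
RESTRICTIVE = {
    "privileged": False,
    "hostNetwork": False, "hostPID": False, "hostIPC": False,
    "allowPrivilegeEscalation": False,
    "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "secret", "projected"],
    "allowedCapabilities": ["*"],     # '*' permits any capability to be added
}


def _permitted(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def violations(pod_spec: dict, psp: dict = RESTRICTIVE) -> List[str]:
    """Return every reason the policy would reject the pod; an empty list means it is admitted."""
    problems = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag, False) and not psp.get(flag, False):
            problems.append(f"{flag} is not allowed")
    for vol in pod_spec.get("volumes", []):
        # a volume's type is the key besides "name", e.g. {"name": "h", "hostPath": {...}}
        for vtype in (k for k in vol if k != "name"):
            if not _permitted(psp["volumes"], vtype):
                problems.append(f"volume {vol['name']}: type {vtype} is not allowed")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged", False) and not psp["privileged"]:
            problems.append(f"container {c['name']}: privileged is not allowed")
        # an unset allowPrivilegeEscalation is defaulted to false by this policy
        # (defaultAllowPrivilegeEscalation: false), so only an explicit true is a violation
        if sc.get("allowPrivilegeEscalation", False) and not psp["allowPrivilegeEscalation"]:
            problems.append(f"container {c['name']}: allowPrivilegeEscalation is not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if not _permitted(psp["allowedCapabilities"], cap):
                problems.append(f"container {c['name']}: capability {cap} is not allowed")
    return problems


def admitted(pod_spec: dict, psp: dict = RESTRICTIVE) -> bool:
    return not violations(pod_spec, psp)


if __name__ == "__main__":
    plain = {"containers": [{"name": "nginx", "image": "nginx"}]}
    print(admitted(plain))                                               # True
    risky = {"hostNetwork": True,
             "containers": [{"name": "nginx", "image": "nginx", "securityContext": {"privileged": True}}],
             "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}
    for p in violations(risky):
        print("rejected:", p)
```

Two things worth noticing when reading the result: `allowedCapabilities: '*'` means this "restrictive" policy still lets a container add any Linux capability, so a tighter policy would list the few capabilities actually needed; and a policy only takes effect for a requester who has the `use` verb on it through RBAC, which is what the psp-restrictive ClusterRole later in this section grants.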
[root@server2 psp]# kubectl run demo1 --image=nginx
pod/demo1 created
[root@server2 psp]# kubectl get pod
NAME READY STATUS RESTARTS AGE
demo1 1/1 Running 0 8s
[root@server2 psp]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@server2 psp]# kubectl apply -f psp.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/restrictive created
[root@server2 psp]# kubectl get pod
NAME READY STATUS RESTARTS AGE
demo1 1/1 Running 0 3m31s
demo2 1/1 Running 0 8s
[root@server2 psp]# kubectl config use-context test@kubernetes
Switched to context "test@kubernetes".
[root@server2 psp]# kubectl run demo3 --image=nginx
pod/demo3 created
[root@server2 psp]# kubectl get pod
NAME READY STATUS RESTARTS AGE
demo1 1/1 Running 0 4m36s
demo2 1/1 Running 0 73s
demo3 1/1 Running 0 2s
[root@server2 psp]# kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
controller false RunAsAny MustRunAs MustRunAs MustRunAs true configMap,secret,emptyDir
psp.flannel.unprivileged false NET_ADMIN,NET_RAW RunAsAny RunAsAny RunAsAny RunAsAny false configMap,secret,emptyDir,hostPath
restrictive false * RunAsAny RunAsAny RunAsAny RunAsAny false configMap,downwardAPI,emptyDir,persistentVolumeClaim,secret,projected
speaker true NET_RAW RunAsAny RunAsAny RunAsAny RunAsAny true configMap,secret,emptyDir
[root@server2 psp]# kubectl run demo --image=nginx
pod/demo created
[root@server2 psp]# kubectl get pod
NAME READY STATUS RESTARTS AGE
demo 1/1 Running 0 5s
mypod 1/1 Running 0 3h56m
[root@server2 psp]# kubectl delete psp restricted
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
Error from server (NotFound): podsecuritypolicies.policy "restricted" not found
[root@server2 psp]# kubectl delete psp restrictive
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy "restrictive" deleted
[root@server2 psp]# kubectl get role
NAME CREATED AT
myrole 2021-08-03T03:18:57Z
[root@server2 psp]# kubectl delete pod demo1 demo2 demo3
[root@server2 psp]# vim roles.yaml
[root@server2 psp]# cat roles.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-restrictive
rules:
- apiGroups:
  - policy          # PodSecurityPolicy is served by the policy group (policy/v1beta1 as shown above); the extensions group no longer carries it
  resources:
  - podsecuritypolicies
  resourceNames:
  - restrictive
  verbs:
  - use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-default
subjects:
- kind: Group
  name: system:serviceaccounts
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: psp-restrictive
  apiGroup: rbac.authorization.k8s.io
[root@server2 psp]# kubectl apply -f roles.yaml
clusterrole.rbac.authorization.k8s.io/psp-restrictive created
clusterrolebinding.rbac.authorization.k8s.io/psp-default created
[root@server2 psp]# vim deployment.yaml
[root@server2 psp]# cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: myapp:v1
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
#  name: myapp-deployment
#  labels:
#    app: myapp
#spec:
#  replicas: 3
#  selector:
#    matchLabels:
#      app: myapp
#  template:
#    metadata:
#      labels:
#        app: myapp
#    spec:
#      containers:
#      - name: myapp
#        image: myapp:v2
#
[root@server2 psp]# kubectl apply -f deployment.yaml
deployment.apps/nginx-deployment created
[root@server2 psp]# kubectl get pod
NAME READY STATUS RESTARTS AGE
mypod 1/1 Running 0 4h5m
nginx-deployment-6456d7c676-82dxk 1/1 Running 0 10s