【Question title】: Making a PodSecurityPolicy, but the official manual is not working
【Posted】: 2020-08-04 20:59:37
【Question description】:

I tried to create a PodSecurityPolicy on my Kubernetes cluster; I got the official manual from here.

It doesn't work: I completed all the steps on my Kubernetes cluster, but I can't get the Forbidden message.

My Kubernetes cluster:

nks@comp:~$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:58:59Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

The steps in my case (I marked the places where I should have gotten a Forbidden message but didn't with "(?!)"):

nks@comp:~$ cat psp.yml 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nksrole
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nkscrb
roleRef:
  kind: ClusterRole
  name: nksrole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
---


nks@comp:~$ kubectl apply -f psp.yml
clusterrole.rbac.authorization.k8s.io/nksrole created
clusterrolebinding.rbac.authorization.k8s.io/nkscrb created
nks@comp:~$ kubectl create namespace psp-example
namespace/psp-example created
nks@comp:~$ kubectl create serviceaccount -n psp-example fake-user
serviceaccount/fake-user created
nks@comp:~$ kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
rolebinding.rbac.authorization.k8s.io/fake-editor created
nks@comp:~$ alias kubectl-admin='kubectl -n psp-example'
nks@comp:~$ alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
nks@comp:~$ cat example-psp.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
nks@comp:~$ kubectl-admin create -f example-psp.yaml
podsecuritypolicy.policy/example created
nks@comp:~$ kubectl-user create -f- <<EOF
> apiVersion: v1
> kind: Pod
> metadata:
>   name:      pause
> spec:
>   containers:
>     - name:  pause
>       image: k8s.gcr.io/pause
> EOF
pod/pause created
nks@comp:~$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
(?!)
nks@comp:~$ kubectl-admin create role psp:unprivileged \
>     --verb=use \
>     --resource=podsecuritypolicy \
>     --resource-name=example
role.rbac.authorization.k8s.io/psp:unprivileged created
nks@comp:~$ kubectl-admin create rolebinding fake-user:psp:unprivileged \
>     --role=psp:unprivileged \
>     --serviceaccount=psp-example:fake-user
rolebinding.rbac.authorization.k8s.io/fake-user:psp:unprivileged created
nks@comp:~$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
nks@comp:~$ kubectl-user create -f- <<EOF
> apiVersion: v1
> kind: Pod
> metadata:
>   name:      privileged
> spec:
>   containers:
>     - name:  pause
>       image: k8s.gcr.io/pause
>       securityContext:
>         privileged: true
> EOF
pod/privileged created
(?!)

Please help me! I don't know what's wrong.

【Discussion】:

    Tags: kubernetes


    【Solution 1】:

    Your cluster version is v1.17.4; the feature is beta in v1.18, please try again after upgrading the cluster.

    Also make sure the admission controller for Pod Security Policy is enabled.

    【Discussion】:

    • I tried doing it on another cluster, but the situation is the same. kubectl get nodes -> kbr-mst Ready master 43s v1.18.6 -> kbr-wrk Ready <none> 11s v1.18.6
    • Can you show the kubectl version output, and are you on prem or in the cloud?
    • kubectl version -> Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-15T16:58:53Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"} -> Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-15T16:51:04Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"} This is my own cluster, installed from packages.cloud.google.com on CentOS 7
    • Then the problem is with the admission controller; please read this stackoverflow.com/questions/60043866/…
    • Yes, since I enabled PodSecurityPolicy in enable-admission-plugins, it works now. Thank you!
    【Solution 2】:

    You need to enable PSP support in the admission controller.

    [master]# vi /etc/kubernetes/manifests/kube-apiserver.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.100.50:6443
      creationTimestamp: null
      labels:
        component: kube-apiserver
        tier: control-plane
      name: kube-apiserver
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-apiserver
        - --advertise-address=192.168.100.50
        - --allow-privileged=true
        - --authorization-mode=Node,RBAC
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy ## Added PodSecurityPolicy
        - --enable-bootstrap-token-auth=true
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        - --etcd-servers=https://127.0.0.1:2379
    ...
    
    [master]# systemctl restart kubelet
    

    Works for PSP:

    [master]# kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
      name:      privileged
    spec:
      containers:
        - name:  pause
          image: k8s.gcr.io/pause
          securityContext:
            privileged: true
    EOF
    Error from server (Forbidden): error when creating "STDIN": pods "privileged" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
    

    This is my situation on Kubernetes v1.18 - I can't try it on Kubernetes v1.17 right now.

    【Discussion】:
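An added check, not part of the question or either answer, for the root cause both answers point at: a shell function that reads a kubeadm kube-apiserver static-pod manifest and reports whether the PodSecurityPolicy admission plugin is actually enabled, since a PSP object and a `use` binding enforce nothing while the plugin is off. The two manifests inside it are constructed samples; the path /etc/kubernetes/manifests/kube-apiserver.yaml is the one Solution 2 edits.

```shell
#!/bin/sh
# Added example, not from the question or the answers: check whether a
# kubeadm kube-apiserver static-pod manifest actually enables the
# PodSecurityPolicy admission plugin. Without it the PSP objects exist and
# "auth can-i use podsecuritypolicy/example" answers "yes", yet nothing is
# enforced and the privileged pod is admitted, as seen in the question.

# psp_admission_enabled MANIFEST_TEXT
# Returns 0 if PodSecurityPolicy is in --enable-admission-plugins,
# 1 if the flag is present without it, 2 if the flag is missing.
psp_admission_enabled() {
    # The flag value ends at the first whitespace, so a trailing
    # "## comment" like the one in the answer is ignored.
    flag=$(printf '%s\n' "$1" | grep -o -- '--enable-admission-plugins=[^[:space:]]*' | head -n1)
    [ -n "$flag" ] || { echo "--enable-admission-plugins not set"; return 2; }
    plugins=${flag#*=}
    echo "admission plugins: $plugins"
    # Match a whole comma-separated item, not a substring.
    case ",$plugins," in
        *,PodSecurityPolicy,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed, abbreviated manifests for both states of the flag.
MANIFEST_WITHOUT=$(cat <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --allow-privileged=true
    - --enable-admission-plugins=NodeRestriction
EOF
)
MANIFEST_WITH=$(cat <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --allow-privileged=true
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy ## Added PodSecurityPolicy
EOF
)

# On a kubeadm control-plane node, check the live manifest instead:
#   psp_admission_enabled "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)"
# Create the PodSecurityPolicy objects and their RBAC bindings before turning
# the plugin on: with it enabled and no usable policy, pod creation is denied.
psp_admission_enabled "$MANIFEST_WITH" && echo "PSP enforced" || echo "PSP NOT enforced"
psp_admission_enabled "$MANIFEST_WITHOUT" && echo "PSP enforced" || echo "PSP NOT enforced"
```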
