- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
我试图在我的Kubernetes集群上制定PodsSecurityPolicy,并从here获得了官方手册
不起作用:我在Kubernetes Cluter上进行了所有操作,但无法获得禁止按摩。
我的Kubernetes集群:
nks@comp:~$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:58:59Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
在我的案例中的步骤(我在“(?!)”处标记了应该获得禁止消息的位置,但没有):
nks@comp:~$ cat psp.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nksrole
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nkscrb
roleRef:
kind: ClusterRole
name: nksrole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: system:serviceaccounts
---
nks@comp:~$ kubectl apply -f psp.yml
clusterrole.rbac.authorization.k8s.io/nksrole created
clusterrolebinding.rbac.authorization.k8s.io/nkscrb created
nks@comp:~$ kubectl create namespace psp-example
namespace/psp-example created
nks@comp:~$ kubectl create serviceaccount -n psp-example fake-user
serviceaccount/fake-user created
nks@comp:~$ kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
rolebinding.rbac.authorization.k8s.io/fake-editor created
nks@comp:~$ alias kubectl-admin='kubectl -n psp-example'
nks@comp:~$ alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
nks@comp:~$ cat example-psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
nks@comp:~$ kubectl-admin create -f example-psp.yaml
podsecuritypolicy.policy/example created
nks@comp:~$ kubectl-user create -f- <<EOF
> apiVersion: v1
> kind: Pod
> metadata:
> name: pause
> spec:
> containers:
> - name: pause
> image: k8s.gcr.io/pause
> EOF
pod/pause created
nks@comp:~$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
(?!)
nks@comp:~$ kubectl-admin create role psp:unprivileged \
> --verb=use \
> --resource=podsecuritypolicy \
> --resource-name=example
role.rbac.authorization.k8s.io/psp:unprivileged created
nks@comp:~$ kubectl-admin create rolebinding fake-user:psp:unprivileged \
> --role=psp:unprivileged \
> --serviceaccount=psp-example:fake-user
rolebinding.rbac.authorization.k8s.io/fake-user:psp:unprivileged created
nks@comp:~$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
nks@comp:~$ kubectl-user create -f- <<EOF
> apiVersion: v1
> kind: Pod
> metadata:
> name: privileged
> spec:
> containers:
> - name: pause
> image: k8s.gcr.io/pause
> securityContext:
> privileged: true
> EOF
pod/privileged created
(?!)
你能帮我吗!我不知道怎么了
最佳答案
集群版本为v1.17.4,功能为v1.18中的beta,请在升级集群后尝试。
还要确保为Pod安全策略启用了准入 Controller ,
关于kubernetes - 制定PodSecurityPolicy但官方手册不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63233681/
目录 一.系统环境 二.前言 三.PodSecurityPolicy 简介 四.为什么需要 PodSecurityPolicy 五.给客户端授权 六.启用P
我想构建一个Pod安全策略,在其中删除所有功能,然后仅启用CHOWN。 问题是,似乎“requiredDropCapabilities:ALL”是主要规则,如果将其配置为ALL,则无法使用Allowe
我尝试使用 kubeadm 在 ubuntu 16.04 上安装的 1.10.1 集群上设置 PodSecurityPolicy,并按照 https://kubernetes.io/docs/conc
我在 minikube 中启用了 podsecuritypolicy。默认情况下,它创建了两个 psp - 特权和受限。 NAME PRIV CAPS SELINUX
K8s 文档有一个受限 PodSecurityPolicy 的例子: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#e
PodSecurityPolicy documentation 中的第二个示例策略包含以下 PodSecurityPolicy 片段 ... spec: privileged: false #
kubernetes PodSecurityPolicy 设置为 runAsNonRoot,pods 没有开始发布,出现错误错误:容器具有 runAsNonRoot 并且图像具有非数字用户(appus
我是一名优秀的程序员,十分优秀!