kubernetes - 制定PodSecurityPolicy但官方手册不起作用

Question

我试图在我的Kubernetes集群上制定PodsSecurityPolicy，并从here获得了官方手册
不起作用:我在Kubernetes Cluter上进行了所有操作，但无法获得禁止按摩。
我的Kubernetes集群:

nks@comp:~$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:58:59Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

在我的案例中的步骤(我在“(？!)”处标记了应该获得禁止消息的位置，但没有):

nks@comp:~$ cat psp.yml 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nksrole
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nkscrb
roleRef:
  kind: ClusterRole
  name: nksrole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
---


nks@comp:~$ kubectl apply -f psp.yml
clusterrole.rbac.authorization.k8s.io/nksrole created
clusterrolebinding.rbac.authorization.k8s.io/nkscrb created
nks@comp:~$ kubectl create namespace psp-example
namespace/psp-example created
nks@comp:~$ kubectl create serviceaccount -n psp-example fake-user
serviceaccount/fake-user created
nks@comp:~$ kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
rolebinding.rbac.authorization.k8s.io/fake-editor created
nks@comp:~$ alias kubectl-admin='kubectl -n psp-example'
nks@comp:~$ alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
nks@comp:~$ cat example-psp.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
nks@comp:~$ kubectl-admin create -f example-psp.yaml
podsecuritypolicy.policy/example created
nks@comp:~$ kubectl-user create -f- <<EOF
> apiVersion: v1
> kind: Pod
> metadata:
>   name:      pause
> spec:
>   containers:
>     - name:  pause
>       image: k8s.gcr.io/pause
> EOF
pod/pause created
nks@comp:~$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
(?!)
nks@comp:~$ kubectl-admin create role psp:unprivileged \
>     --verb=use \
>     --resource=podsecuritypolicy \
>     --resource-name=example
role.rbac.authorization.k8s.io/psp:unprivileged created
nks@comp:~$ kubectl-admin create rolebinding fake-user:psp:unprivileged \
>     --role=psp:unprivileged \
>     --serviceaccount=psp-example:fake-user
rolebinding.rbac.authorization.k8s.io/fake-user:psp:unprivileged created
nks@comp:~$ kubectl-user auth can-i use podsecuritypolicy/example
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
yes
nks@comp:~$ kubectl-user create -f- <<EOF
> apiVersion: v1
> kind: Pod
> metadata:
>   name:      privileged
> spec:
>   containers:
>     - name:  pause
>       image: k8s.gcr.io/pause
>       securityContext:
>         privileged: true
> EOF
pod/privileged created
(?!)

你能帮我吗!我不知道怎么了

Answer 1

集群版本为v1.17.4，功能为v1.18中的beta，请在升级集群后尝试。
还要确保为Pod安全策略启用了准入 Controller ，