website/content/zh-cn/docs/tutorials/security/ns-level-pss.md

---
title: 在名字空间级别应用 Pod 安全标准
content_type: tutorial
weight: 20
---
<!--
title: Apply Pod Security Standards at the Namespace Level
content_type: tutorial
weight: 20
-->
{{% alert title="Note" %}}
<!--
This tutorial applies only for new clusters.
-->
This tutorial applies only to new clusters.
{{% /alert %}}
<!--
Pod Security Admission is an admission controller that applies
[Pod Security Standards](/docs/concepts/security/pod-security-standards/)
when pods are created. It is a feature GA'ed in v1.25.
In this tutorial, you will enforce the `baseline` Pod Security Standard,
one namespace at a time.
You can also apply Pod Security Standards to multiple namespaces at once at the cluster
level. For instructions, refer to
[Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/).
-->
Pod Security Admission is an admission controller that applies [Pod Security Standards](/zh-cn/docs/concepts/security/pod-security-standards/) when Pods are created.
It is a feature that reached general availability (GA) in v1.25.
In this tutorial, you will apply the `baseline` Pod Security Standard, one namespace at a time.
You can also apply Pod Security Standards to multiple namespaces at once at the cluster level.
For instructions, refer to [Apply Pod Security Standards at the cluster level](/zh-cn/docs/tutorials/security/cluster-level-pss/).
## {{% heading "prerequisites" %}}
<!--
Install the following on your workstation:
- [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
- [kubectl](/docs/tasks/tools/)
-->
Install the following on your workstation:
- [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
- [kubectl](/zh-cn/docs/tasks/tools/)
<!--
## Create cluster
1. Create a `kind` cluster as follows:
-->
## Create cluster {#create-cluster}
1. Create a `kind` cluster as follows:
```shell
kind create cluster --name psa-ns-level
```
<!--
The output is similar to this:
-->
The output is similar to this:
```
Creating cluster "psa-ns-level" ...
✓ Ensuring node image (kindest/node:v{{< skew currentPatchVersion >}}) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-psa-ns-level"
You can now use your cluster with:
kubectl cluster-info --context kind-psa-ns-level
Not sure what to do next? 😅 Check out https://kind.sigs.k8s.io/docs/user/quick-start/
```
<!--
1. Set the kubectl context to the new cluster:
-->
1. Set the kubectl context to the new cluster:
```shell
kubectl cluster-info --context kind-psa-ns-level
```
<!--
The output is similar to this:
-->
The output is similar to this:
```
Kubernetes control plane is running at https://127.0.0.1:50996
CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
<!--
## Create a namespace
Create a new namespace called `example`:
-->
## Create a namespace {#create-a-namespace}
Create a new namespace called `example`:
```shell
kubectl create ns example
```
<!--
The output is similar to this:
-->
The output is similar to this:
```
namespace/example created
```
<!--
## Enable Pod Security Standards checking for that namespace
1. Enable Pod Security Standards on this namespace using labels supported by
built-in Pod Security Admission. In this step you will configure a check to
warn on Pods that don't meet the latest version of the _baseline_ pod
security standard.
-->
## Enable Pod Security Standards checking for that namespace {#enable-pod-security-standards-checking-for-that-namespace}
1. Enable Pod Security Standards on this namespace using the labels supported by the built-in Pod Security Admission controller.
In this step you will configure a check that warns on Pods that do not meet the latest version (the default) of the _baseline_ Pod Security Standard.
```shell
kubectl label --overwrite ns example \
pod-security.kubernetes.io/warn=baseline \
pod-security.kubernetes.io/warn-version=latest
```
<!--
2. You can configure multiple pod security standard checks on any namespace, using labels.
The following command will `enforce` the `baseline` Pod Security Standard, but
`warn` and `audit` for `restricted` Pod Security Standards as per the latest
version (default value)
-->
2. You can configure multiple Pod Security Standard checks on any namespace using labels.
The following command will `enforce` the `baseline` Pod Security Standard,
but `warn` and `audit` against the `restricted` Pod Security Standard, as per the latest version (the default).
```shell
kubectl label --overwrite ns example \
pod-security.kubernetes.io/enforce=baseline \
pod-security.kubernetes.io/enforce-version=latest \
pod-security.kubernetes.io/warn=restricted \
pod-security.kubernetes.io/warn-version=latest \
pod-security.kubernetes.io/audit=restricted \
pod-security.kubernetes.io/audit-version=latest
```
<!--
## Verify the Pod Security Standard enforcement
1. Create a baseline Pod in the `example` namespace:
-->
## Verify the Pod Security Standard enforcement {#verify-the-pod-security-standards}
1. Create a baseline Pod in the `example` namespace:
```shell
kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml
```
<!--
The Pod does start OK; the output includes a warning. For example:
-->
The Pod does start OK; the output includes a warning. For example:
```
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
pod/nginx created
```
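To make the two steps above concrete (the namespace labels set in the previous section, and the warning that appears here while the Pod is still admitted), the following is an added example, not Kubernetes' own code: a simplified local model of how Pod Security Admission decodes the `pod-security.kubernetes.io/*` labels and evaluates a subset of the `baseline` and `restricted` rules. The check names and wording follow the apiserver warning shown above; the label values and the pod manifests are constructed here, and only the four restricted checks that fire in the tutorial (plus a few baseline checks) are modelled.

```python
# Added example (not Kubernetes' own code): a local, simplified model of the
# Pod Security Admission checks exercised in this tutorial. It decodes the
# pod-security.kubernetes.io/* namespace labels and evaluates a subset of the
# baseline and restricted rules, so you can see why the tutorial's pod is
# admitted under enforce=baseline yet produces a warn=restricted warning.

LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "warn", "audit")


def decode_namespace_labels(labels):
    """Map each configured mode to (level, version); version defaults to 'latest'."""
    policy = {}
    for mode in MODES:
        level = labels.get(LABEL_PREFIX + mode)
        if level is not None:
            policy[mode] = (level, labels.get(f"{LABEL_PREFIX}{mode}-version", "latest"))
    return policy


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod):
    """Subset of baseline checks: host namespaces, hostPath volumes, privileged containers."""
    spec = pod.get("spec", {})
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(f"host namespaces (spec.{field}=true)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f'hostPath volumes (volume "{vol.get("name")}")')
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(f'privileged (container "{c["name"]}" must not set securityContext.privileged=true)')
    return findings


def restricted_violations(pod):
    """Subset of restricted checks, phrased like the apiserver warning in the tutorial.
    Container-level securityContext overrides pod-level for runAsNonRoot and seccompProfile."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    findings = []
    for c in _containers(pod):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f'allowPrivilegeEscalation != false (container "{name}" must set securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f'unrestricted capabilities (container "{name}" must set securityContext.capabilities.drop=["ALL"])')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f'runAsNonRoot != true (pod or container "{name}" must set securityContext.runAsNonRoot=true)')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f'seccompProfile (pod or container "{name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return findings


def evaluate(pod, labels):
    """Return {mode: [violations]} for the levels the namespace labels select.
    'privileged' allows everything; 'restricted' includes the baseline checks."""
    result = {}
    for mode, (level, _version) in decode_namespace_labels(labels).items():
        if level == "privileged":
            result[mode] = []
        elif level == "baseline":
            result[mode] = baseline_violations(pod)
        elif level == "restricted":
            result[mode] = baseline_violations(pod) + restricted_violations(pod)
        else:
            raise ValueError(f"unknown Pod Security level {level!r} for {mode}")
    return result


# Constructed inputs: the labels the tutorial sets on the `example` namespace,
# and a pod with no securityContext, like the tutorial's nginx pod.
TUTORIAL_LABELS = {
    "pod-security.kubernetes.io/enforce": "baseline",
    "pod-security.kubernetes.io/enforce-version": "latest",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/warn-version": "latest",
    "pod-security.kubernetes.io/audit": "restricted",
    "pod-security.kubernetes.io/audit-version": "latest",
}
BASELINE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
                "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}

# The same pod with the securityContext the warning asks for: passes restricted.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
                "spec": {"securityContext": {"runAsNonRoot": True,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "nginx", "image": "nginx",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for mode, findings in evaluate(BASELINE_POD, TUTORIAL_LABELS).items():
        print(f"{mode}: {'ok' if not findings else 'would violate: ' + ', '.join(findings)}")
    print("hardened pod restricted findings:", restricted_violations(HARDENED_POD))
```

Running it shows `enforce: ok` (the pod passes `baseline`, so it is admitted) while `warn` and `audit` list the same four `restricted` findings as the warning above; `HARDENED_POD` shows the securityContext a Pod needs to satisfy `restricted`. Against a real cluster, the equivalent pre-check is `kubectl apply --dry-run=server`, which surfaces the same warnings or denials without creating the Pod.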
<!--
1. Create a baseline Pod in the `default` namespace:
-->
1. Create a baseline Pod in the `default` namespace:
```shell
kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml
```
<!--
Output is similar to this:
-->
The output is similar to this:
```
pod/nginx created
```
<!--
The Pod Security Standards enforcement and warning settings were applied only
to the `example` namespace. You could create the same Pod in the `default`
namespace with no warnings.
-->
The Pod Security Standards enforcement and warning settings were applied only to the `example` namespace.
You could create the same Pod in the `default` namespace with no warnings.
<!--
## Clean up
Now delete the cluster which you created above by running the following command:
-->
## Clean up {#clean-up}
Now delete the cluster which you created above by running the following command:
```shell
kind delete cluster --name psa-ns-level
```
## {{% heading "whatsnext" %}}
<!--
- Run a
[shell script](/examples/security/kind-with-namespace-level-baseline-pod-security.sh)
to perform all the preceding steps all at once.
1. Create kind cluster
2. Create new namespace
3. Apply `baseline` Pod Security Standard in `enforce` mode while applying
`restricted` Pod Security Standard also in `warn` and `audit` mode.
4. Create a new pod with the following pod security standards applied
- [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
- [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
- [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/)
-->
- Run a [shell script](/examples/security/kind-with-namespace-level-baseline-pod-security.sh)
to perform all the preceding steps at once:
1. Create a kind cluster
2. Create a new namespace
3. Apply the `baseline` Pod Security Standard in `enforce` mode while also applying
the `restricted` Pod Security Standard in `warn` and `audit` mode.
4. Create a new Pod with the above Pod Security Standards applied
- [Pod Security Admission](/zh-cn/docs/concepts/security/pod-security-admission/)
- [Pod Security Standards](/zh-cn/docs/concepts/security/pod-security-standards/)
- [Apply Pod Security Standards at the cluster level](/zh-cn/docs/tutorials/security/cluster-level-pss/)