storage resources
a unique network IP address
the configuration the containers need in order to run
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-privilege
spec:
  privileged: false          # reject any pod that asks for a privileged container
  seLinux:
    rule: RunAsAny           # RunAsAny places no constraint on the field
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'                      # every volume type is allowed
To apply the newly created Pod security policy, use the following commands:
kubectl apply -f no-privilege.yaml
podsecuritypolicy.policy/no-privilege created
kubectl get psp no-privilege
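To see what the no-privilege policy actually accepts and rejects without a cluster, the following is an added example (not code from the original page and not part of Kubernetes): a small offline simulation of the checks that policy makes on a pod spec. It goes beyond the page in one place: RESTRICTED_PSP is an assumed, stricter variant (runAsUser MustRunAsNonRoot, no hostPath volumes) that shows how the same evaluator behaves when the policy is tightened. The pod specs are constructed sample input.

```python
# Added example (not from the original page or from Kubernetes): an offline
# simulation of the checks the no-privilege PodSecurityPolicy makes on a pod
# spec. Policies and pods are plain dicts with the same fields as the YAML.

NO_PRIVILEGE_PSP = {            # the policy from the page
    "privileged": False,
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "RunAsAny"},
    "runAsUser": {"rule": "RunAsAny"},
    "fsGroup": {"rule": "RunAsAny"},
    "volumes": ["*"],
}

# Assumed stricter variant, not on the page: non-root users only and a
# whitelist of volume types instead of '*'.
RESTRICTED_PSP = dict(NO_PRIVILEGE_PSP,
                      runAsUser={"rule": "MustRunAsNonRoot"},
                      volumes=["configMap", "secret", "emptyDir"])

PRIVILEGED_POD = {  # constructed: one privileged container mounting the host root
    "containers": [{"name": "shell",
                    "securityContext": {"privileged": True}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
}
PLAIN_POD = {       # constructed: no privilege requested, no user configured
    "containers": [{"name": "web"}],
    "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}],
}


def _volume_type(volume):
    """Every key other than 'name' identifies the volume type, e.g. hostPath."""
    return next(k for k in volume if k != "name")


def _user_violation(rule, pod_sc, container_sc):
    """Apply the runAsUser rule; container settings override pod-level ones."""
    if rule == "RunAsAny":
        return None
    if rule == "MustRunAsNonRoot":
        uid = container_sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            return "runAsUser 0 is not allowed by MustRunAsNonRoot"
        if uid is None and not non_root:
            return "runAsUser unset and runAsNonRoot not true"
        return None
    return f"runAsUser rule {rule} not implemented here"


def evaluate(psp, pod_spec):
    """Return the list of violations; an empty list means the pod is admitted."""
    violations = []
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged", False) and not psp["privileged"]:
            violations.append(f"container {c['name']}: privileged containers are not allowed")
        problem = _user_violation(psp["runAsUser"]["rule"], pod_sc, sc)
        if problem:
            violations.append(f"container {c['name']}: {problem}")
    if "*" not in psp["volumes"]:
        for v in pod_spec.get("volumes", []):
            vt = _volume_type(v)
            if vt not in psp["volumes"]:
                violations.append(f"volume {v['name']}: type {vt} is not allowed")
    return violations


if __name__ == "__main__":
    for pod_name, pod in (("privileged", PRIVILEGED_POD), ("plain", PLAIN_POD)):
        for psp_name, psp in (("no-privilege", NO_PRIVILEGE_PSP), ("restricted", RESTRICTED_PSP)):
            print(f"{pod_name} pod vs {psp_name}: {evaluate(psp, pod) or 'admitted'}")
```

Against the page's policy only the privileged container is refused; the hostPath mount and the unset user pass because `volumes: ['*']` and `RunAsAny` constrain nothing, which is what to keep in mind when deciding whether no-privilege is strict enough for a given namespace.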
nano rbac-noprivilege.yaml
First, a ClusterRole must be granted access to the policy it is meant to use (with the use verb). Then the ClusterRole is bound to the users who are authorized to use it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: no-privilege:no-privilege
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies      # resource names are lowercase
  resourceNames:
  - no-privilege             # only this one policy, not every PSP
  verbs:
  - use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: no-privilege:no-privilege
subjects:
- kind: Group
  name: system:authenticated   # every authenticated user gets the policy
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: no-privilege:no-privilege
  apiGroup: rbac.authorization.k8s.io
kubectl apply -f rbac-noprivilege.yaml
clusterrole.rbac.authorization.k8s.io/no-privilege:no-privilege created
clusterrolebinding.rbac.authorization.k8s.io/no-privilege:no-privilege created
kubectl auth can-i use podsecuritypolicy/no-privilege
kubectl auth can-i use podsecuritypolicy/no-privilege --as-group=system:authenticated --as=any-user
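The two `kubectl auth can-i` queries above ask the API server's RBAC authorizer whether a subject may `use` the policy. The following added example (not code from the original page and not Kubernetes' own authorizer) re-implements just enough of RBAC rule and binding matching, over the ClusterRole and ClusterRoleBinding shown above, to reproduce those answers offline: a member of system:authenticated is allowed, anyone outside that group, any other verb and any other policy name are refused. It matches only the API group literally named in the rule (extensions, as on the page); a real cluster resolves the PSP's own group, so the rule's apiGroups must cover the group the PSP is served from.

```python
# Added example (not from the original page or from Kubernetes): a minimal
# RBAC evaluator for ClusterRoles and ClusterRoleBindings, modelled on what
# `kubectl auth can-i use podsecuritypolicy/no-privilege` asks the API server.

# The ClusterRole and ClusterRoleBinding from the page, as dicts.
CLUSTER_ROLES = {
    "no-privilege:no-privilege": [
        {
            "apiGroups": ["extensions"],
            "resources": ["podsecuritypolicies"],
            "resourceNames": ["no-privilege"],
            "verbs": ["use"],
        }
    ]
}
CLUSTER_ROLE_BINDINGS = [
    {
        "roleRef": "no-privilege:no-privilege",
        "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    }
]


def _matches(allowed, wanted):
    """RBAC list matching: '*' matches everything, otherwise exact membership."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, api_group, resource, name):
    """True if one PolicyRule covers the request. An empty resourceNames
    list means every object of that resource."""
    if not _matches(rule["verbs"], verb):
        return False
    if not _matches(rule["apiGroups"], api_group):
        return False
    if not _matches(rule["resources"], resource):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names


def binding_applies(binding, user, groups):
    """True if the binding's subjects include this user or one of its groups."""
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == user:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def can_i(user, groups, verb, api_group, resource, name,
          roles=CLUSTER_ROLES, bindings=CLUSTER_ROLE_BINDINGS):
    """Offline counterpart of `kubectl auth can-i`: any applicable binding
    whose role contains a matching rule grants the request; RBAC has no deny."""
    for binding in bindings:
        if not binding_applies(binding, user, groups):
            continue
        for rule in roles.get(binding["roleRef"], []):
            if rule_allows(rule, verb, api_group, resource, name):
                return True
    return False


if __name__ == "__main__":
    # Same question as the page's second command: --as=any-user --as-group=system:authenticated
    print(can_i("any-user", ["system:authenticated"], "use",
                "extensions", "podsecuritypolicies", "no-privilege"))
```

Because RBAC only ever adds permissions, the simulator returns True as soon as one binding and rule match; a `use` grant on `resourceNames: [no-privilege]` does not extend to any other PSP, which is why a separate role and binding are needed for each policy you want to hand out.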