0

如何禁用 exec shell(shell/bash 提示符),使用户无法以 root 用户身份进入正在运行的容器?

4

2 回答 2

0

如果您在生产环境中运行 weave 范围,您可能需要限制 2 个主要内容:

1、K8s worker节点shell访问和Pods shell访问

为了禁用控件,编织范围提供了开箱即用的解决方案,"--probe.no-controls=true"您需要将探针作为启动参数传递给您的weave-scope-agent

最终文件将如下所示:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: weave-scope-agent
  labels:
    name: weave-scope-agent
    app: weave-scope
    weave-cloud-component: scope
    weave-scope-component: agent
  namespace: weave
spec:
  minReadySeconds: 5
  selector:
    matchLabels:
      app: weave-scope
  template:
    metadata:
      labels:
        name: weave-scope-agent
        app: weave-scope
        weave-cloud-component: scope
        weave-scope-component: agent
    spec:
      containers:
        - name: scope-agent
          args:
            - '--probe.no-controls=true'
            - '--weave=false'
            - '--mode=probe'
            - '--probe-only'
            - '--probe.kubernetes.role=host'
            - '--probe.docker.bridge=docker0'
            - '--probe.docker=true'
            - 'weave-scope-app.weave.svc.cluster.local.:80'
          image: weaveworks/scope:1.11.2
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-socket
              mountPath: /var/run/docker.sock
            - name: scope-plugins
              mountPath: /var/run/scope/plugins
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: true
      tolerations:
        - effect: NoSchedule
          operator: Exists
      volumes:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
        - name: scope-plugins
          hostPath:
            path: /var/run/scope/plugins
        - name: sys-kernel-debug
          hostPath:
            path: /sys/kernel/debug
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1

请注意,我正在使用--weave=false标志,因为我没有在我的 K8s 集群中使用 weave 作为 CNI,如果您使用的是 weave CNI,请不要传递此标志,否则可能会出现其他明智的意外行为。

2. Pods 删除权限

要禁止 weave 用户删除 pod,您需要使用一些 RBAC 规则。在 RBAC 中允许podpod/logs并禁用删除动词。这样做,用户将能够看到 pod 和 pod 日志,但他们将能够删除 pod。

最终的 RBAC 文件将如下所示:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    name: weave-scope
  name: weave-scope
  namespace: weave
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - replicationcontrollers
  - services
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
#- apiGroups:
#  - ""
#  resources:
#  - pods
#  verbs:
#  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/scale
  verbs:
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - extensions
  resourceNames:
  - weave-scope
  resources:
  - podsecuritypolicies
  verbs:
  - use
- apiGroups:
  - volumesnapshot.external-storage.k8s.io
  resources:
  - volumesnapshots
  - volumesnapshotdatas
  verbs:
  - list
  - watch
于 2019-06-28T19:53:30.417 回答
0

您应该使用 RBAC 授权。

创建一个角色而不授予对“pod/exec”子资源的访问权限。IE

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]

因此,绑定到此角色的所有用户/服务帐户将无法进入特定命名空间内的 pod。

于 2019-03-14T09:06:01.883 回答