0 
minikube start
--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
--addons=pod-security-policy

我们有一个默认命名空间,其中 nginx 服务帐户无权启动 nginx 容器

创建 pod 时,使用命令

kubectl run nginx --image=nginx -n default --as system:serviceaccount:default:nginx-sa

结果,我们得到一个错误

 Error: container has runAsNonRoot and image will run as root (pod: "nginx_default(49e939b0-d238-4e04-a122-43f4cfabea22)", container: nginx)

据我了解,有必要编写一个允许 nginx-sa 服务帐户运行的 psp 策略,但我不明白如何为特定服务帐户正确编写它

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-sa
  namespace: default

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-sa-role
  namespace: default
rules:
  - apiGroups: ["extensions", "apps",""]
    resources: [ "deployments","pods" ]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-sa-role-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: nginx-sa
    namespace: default
roleRef:
  kind: Role
  name: nginx-sa-role
  apiGroup: rbac.authorization.k8s.io
4

1 回答 1

2

...but I do not understand how to write it correctly for a specific service account

在你为你的 nginx 准备好你的特殊 psp 后,你可以像这样授予你的 nginx-sa 使用特殊 psp:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-to-use-special-psp
rules:
- apiGroups:
  - policy
  resourceNames:
  - special-psp-for-nginx
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-to-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-to-use-special-psp
subjects:
- kind: ServiceAccount
  name: nginx-sa
  namespace: default
于 2022-02-04T16:11:49.410 回答