我有带有 kubernetes 版本 1.23 的 AKS。我想通过通过AdmissionConfiguration进行设置来激活集群级别的podsecurity,如下所述:
https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
正如我所读到的,“PodSecurity 功能门”在 kubernetes 版本 1.23 上默认启用。我已经根据链接上显示的配置创建了一个 yaml 文件,但是当我应用它时,出现以下错误:
$ k create -f podsecurity.yaml
error: unable to recognize "podsecurity.yaml": no matches for kind "AdmissionConfiguration" in version "apiserver.config.k8s.io/v1"
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5",
GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5",
GitCommit:"8211ae4d6757c3fedc53cd740d163ef65287276a", GitTreeState:"clean", BuildDate:"2022-03-31T20:28:03Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
我用谷歌搜索了很多,但找不到解决方案或它导致的原因。
如果有人可以提供帮助,我将不胜感激。
我可以在名称空间级别激活它,如下所示: https: //kubernetes.io/docs/tutorials/security/ns-level-pss/ 通过在名称空间下添加标签,但是我想在集群级别激活它但它不起作用。
在我的 POD 中,我想使用 securityContext 将所有容器限制为只读文件系统
:readOnlyRootFilesystem: true
示例(注意:为简洁起见,减少了 yaml)
apiVersion: v1
kind: Pod
metadata:
labels:
run: server123
name: server123
spec:
securityContext:
readOnlyRootFilesystem: true
containers:
- image: server1-image
name: server1
- image: server2-image
name: server2
- image: server3-image
name: server3
这将导致:
错误:验证“server123.yaml”时出错:验证数据时出错:ValidationError(Pod.spec.securityContext):io.k8s.api.core.v1.PodSecurityContext 中的未知字段“readOnlyRootFilesystem”;如果您选择忽略这些错误,请使用 --validate=false 关闭验证
相反,我必须配置为:
apiVersion: v1
kind: Pod
metadata:
labels:
run: server123
name: server123
spec:
containers:
- image: server1-image
name: server1
securityContext:
readOnlyRootFilesystem: true
- image: server2-image
name: server2
securityContext:
readOnlyRootFilesystem: true
- image: server3-image
name: server3
securityContext:
readOnlyRootFilesystem: …