diff --git a/.vuepress/config.js b/.vuepress/config.js
index 0ff0e95..f37a3ff 100644
--- a/.vuepress/config.js
+++ b/.vuepress/config.js
@@ -316,7 +316,18 @@ module.exports = {
// 'k8s-intermediate/config/secrets/use-cases',
// 'k8s-intermediate/config/secrets/best-practices',
]
- }
+ },
+ {
+ title: 'Security Context',
+ collapsable: true,
+ children: [
+ 'k8s-intermediate/config/sec-ctx/',
+ // 'k8s-intermediate/config/sec-ctx/pod',
+ // 'k8s-intermediate/config/sec-ctx/con',
+ // 'k8s-intermediate/config/sec-ctx/con-cap',
+ // 'k8s-intermediate/config/sec-ctx/con-sel',
+ ]
+ },
]
}
]
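Review bot: The four commented-out children of the new "Security Context" entry (lines 16–19) carry no explanation of why they are disabled, while the index page added elsewhere in this commit links to the same four sub-pages, so a reader of this config cannot tell whether they are hidden on purpose or were forgotten. The sub-page files in this commit contain only a "正在撰写..." placeholder, which appears to be the reason; a one-line comment above the list would make that explicit, e.g. `// TODO: enable once the sec-ctx sub-pages are written (currently placeholder stubs)`. The commented secrets entries just above this hunk have the same shape, so one note could cover both groups.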
diff --git a/learning/README.md b/learning/README.md
index cdd3c1c..68a872a 100644
--- a/learning/README.md
+++ b/learning/README.md
@@ -14,9 +14,11 @@ meta:
* Kubernetes 初学者
* 学习过 Kubernetes,但在投产过程中仍有诸多疑虑和困惑的技术爱好者
-
-
-
+
+
+

+
+
## **Kubernetes 体验**
* [安装 Kubernetes 单Master节点](/install/install-k8s.html) (30分钟,初学者也许需要更多)
@@ -61,13 +63,14 @@ meta:
* [数据卷 Volume](/learning/k8s-intermediate/persistent/volume.html)
* [存储卷 PV 和存储卷声明 PVC](/learning/k8s-intermediate/persistent/pv.html)
* [存储类 StorageClass](/learning/k8s-intermediate/persistent/storage-class.html)
- * [自建 NFS 服务](/learning/k8s-intermediate/persistent/nfs.html)
+ * [自建 NFS 服务](/learning/k8s-intermediate/persistent/nfs.html)
* 配置
* [使用 ConfigMap 配置您的应用程序](/learning/k8s-intermediate/config/config-map.html)
* [管理容器的计算资源](/learning/k8s-intermediate/config/computing-resource.html)
* [将容器调度到指定的节点](/learning/k8s-intermediate/config/assign-pod-node.html)
* [污点和容忍 taints and toleration](/learning/k8s-intermediate/config/taints-toleration/)
* [Secrets](/learning/k8s-intermediate/config/secrets/)
+ * [Security Context](/learning/k8s-intermediate/config/sec-ctx/)
## **Kubernetes 高级**
diff --git a/learning/k8s-intermediate/config/sec-ctx/con-cap.md b/learning/k8s-intermediate/config/sec-ctx/con-cap.md
new file mode 100644
index 0000000..065ff34
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/con-cap.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为容器设置Linux Capabilities
+
+正在撰写...
diff --git a/learning/k8s-intermediate/config/sec-ctx/con-sel.md b/learning/k8s-intermediate/config/sec-ctx/con-sel.md
new file mode 100644
index 0000000..d6ebe88
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/con-sel.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为容器设置SELinux标签
+
+正在撰写...
diff --git a/learning/k8s-intermediate/config/sec-ctx/con.md b/learning/k8s-intermediate/config/sec-ctx/con.md
new file mode 100644
index 0000000..5cc3ecc
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/con.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为容器设置Security Context
+
+正在撰写...
diff --git a/learning/k8s-intermediate/config/sec-ctx/index.md b/learning/k8s-intermediate/config/sec-ctx/index.md
new file mode 100644
index 0000000..c73891a
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/index.md
@@ -0,0 +1,38 @@
+---
+vssueId: 108
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为Pod或Container配置Security Context
+
+> 参考文档:Kubernetes 官网文档 [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container)
+
+Security Context(安全上下文)用来限制容器对宿主节点的可访问范围,以避免容器非法操作宿主节点的系统级别的内容,使得节点的系统或者节点上其他容器组受到影响。
+
+Security Context可以按照如下几种方式设定:
+
+* 访问权限控制:是否可以访问某个对象(例如文件)是基于 [userID(UID)和 groupID(GID)](https://wiki.archlinux.org/index.php/users_and_groups) 的
+
+* [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux):为对象分配Security标签
+
+* 以 privileged(特权)模式运行
+
+* [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/):为容器组(或容器)分配一部分特权,而不是 root 用户的所有特权
+* [AppArmor](https://kubernetes.io/docs/tutorials/clusters/apparmor/):自 Kubernetes v1.4 以来,一直处于 beta 状态
+* [Seccomp](https://docs.docker.com/engine/security/seccomp/):过滤容器中进程的系统调用(system call)
+* AllowPrivilegeEscalation(允许特权扩大):此项配置是一个布尔值,定义了一个进程是否可以比其父进程获得更多的特权,直接效果是,容器的进程上是否被设置 [no_new_privs](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) 标记。当出现如下情况时,AllowPrivilegeEscalation 的值始终为 true:
+ * 容器以 privileged 模式运行
+ * 容器拥有 CAP_SYS_ADMIN 的 Linux Capability
+
+如需要了解更多关于 Linux 安全机制方面的信息,请参考 [Overview Of Linux Kernel Security Features](https://www.linux.com/tutorials/overview-linux-kernel-security-features/)
+
+本文从以下几个方面介绍如何在 Kubernetes 中配置 Security Context
+
+* [为Pod设置Security Context](./pod.html)
+* [为容器设置Security Context](./con.html)
+* [为容器设置Linux Capabilities](./con-cap.html)
+* [为容器设置SELinux标签](./con-sel.html)
diff --git a/learning/k8s-intermediate/config/sec-ctx/pod.md b/learning/k8s-intermediate/config/sec-ctx/pod.md
new file mode 100644
index 0000000..dcfa6b9
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/pod.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为Pod设置Security Context
+
+正在撰写...