I want to build a pod security policy in which I drop all capabilities and then enable only CHOWN.
The problem is that "requiredDropCapabilities: ALL" seems to be the dominant rule: if I set it to ALL, I can't add individual capabilities back with AllowedCapabilities or DefaultAddCapabilities.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
RequiredDropCapabilities - The capabilities which must be dropped from containers. These capabilities are removed from the default set and must not be added. Capabilities listed in RequiredDropCapabilities must not be included in AllowedCapabilities or DefaultAddCapabilities.
How can I deny all capabilities except one?
- EDIT
This is my example:
PodSecurityPolicy:
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-pot-root
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  allowedCapabilities:
  - CHOWN
  requiredDropCapabilities:
  - ALL
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
And then there is no CHOWN capability in the container:
root@hellonode-6d654c57b8-b8hz8:/app# capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=1(daemon)
Thanks.
Posted on 2019-02-17 21:36:18
What I did was comment out "- ALL", add all the "capability options" allowed by default as documented here, and comment out the capabilities I don't need.
Warning: I thought I only needed CHOWN, but in the end I needed more.
requiredDropCapabilities:
# - ALL # Drop all the usual capabilities
- SETPCAP # Modify process capabilities.
- MKNOD # Create special files using mknod(2).
- AUDIT_WRITE # Write records to kernel auditing log.
# - CHOWN # Make arbitrary changes to file UIDs and GIDs (see chown(2)).
- NET_RAW # Use RAW and PACKET sockets.
# - DAC_OVERRIDE # Bypass file read, write, and execute permission checks.
# - FOWNER # Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
- FSETID # Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
- KILL # Bypass permission checks for sending signals.
# - SETGID # Make arbitrary manipulations of process GIDs and supplementary GID list.
# - SETUID # Make arbitrary manipulations of process UIDs.
- NET_BIND_SERVICE # Bind a socket to internet domain privileged ports (port numbers less than 1024).
- SYS_CHROOT # Use chroot(2), change root directory.
- SETFCAP # Set file capabilities
Hope this helps. I was looking for the answer and found your question first :)
https://stackoverflow.com/questions/54183242
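As an added example (not part of the question or the answer above), a small Python helper that builds the answer's requiredDropCapabilities list from the runtime's default capability set (the 14 capabilities a Docker/containerd runtime grants by default are a constructed list here, matching the answer's enumeration) and decodes the CapEff mask from /proc/<pid>/status, so you can confirm rather than eyeball that a container ends up with exactly the capabilities the policy intends.

```python
# Added example: derive a PSP requiredDropCapabilities list and verify the
# resulting capability set of a container from its /proc/<pid>/status.

# Capabilities a Docker/containerd runtime grants by default (constructed list).
DEFAULT_CAPS = [
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
]

# Capability bit numbers from <linux/capability.h>, used to decode CapEff/CapBnd.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "LINUX_IMMUTABLE": 9, "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11,
    "NET_ADMIN": 12, "NET_RAW": 13, "IPC_LOCK": 14, "IPC_OWNER": 15,
    "SYS_MODULE": 16, "SYS_RAWIO": 17, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_PACCT": 20, "SYS_ADMIN": 21, "SYS_BOOT": 22, "SYS_NICE": 23,
    "SYS_RESOURCE": 24, "SYS_TIME": 25, "SYS_TTY_CONFIG": 26, "MKNOD": 27,
    "LEASE": 28, "AUDIT_WRITE": 29, "AUDIT_CONTROL": 30, "SETFCAP": 31,
    "MAC_OVERRIDE": 32, "MAC_ADMIN": 33, "SYSLOG": 34, "WAKE_ALARM": 35,
    "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
}


def required_drop_list(keep):
    """Every default capability not in `keep`: the requiredDropCapabilities entries."""
    keep = {c.upper() for c in keep}
    unknown = keep - set(DEFAULT_CAPS)
    if unknown:  # a cap outside the default set needs allowedCapabilities instead
        raise ValueError(f"not granted by default: {sorted(unknown)}")
    return [c for c in DEFAULT_CAPS if c not in keep]


def decode_cap_mask(hex_mask):
    """Translate a hex mask such as 00000000a80425fb into sorted capability names."""
    mask = int(hex_mask, 16)
    return sorted(name for name, bit in CAP_BITS.items() if (mask >> bit) & 1)


def effective_caps(status_text):
    """Parse the CapEff line of a /proc/<pid>/status dump into capability names."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(line.split(":", 1)[1].strip())
    raise ValueError("no CapEff line in status text")


def matches_policy(status_text, keep):
    """True when the process holds exactly the capabilities the policy keeps."""
    return set(effective_caps(status_text)) == {c.upper() for c in keep}
```

Run `required_drop_list(["CHOWN", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID"])` to reproduce the nine entries left uncommented in the answer, and feed `cat /proc/1/status` from inside the pod to `matches_policy` to check the result.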