k8s Security 07: Using AppArmor to Restrict the Resources a Container Can Access
1 Introduction
AppArmor is a kernel enhancement to confine programs to a limited set of resources. AppArmor’s unique security model is to bind access control attributes to programs rather than to users.
AppArmor confinement is provided via profiles loaded into the kernel via apparmor_parser(8), typically through the /etc/init.d/apparmor SysV initscript, which is used like this: /etc/init.d/apparmor start | stop | restart
2 Hands-on example
2.1 Basic apparmor commands
View the manual page
# man apparmor
Check whether a profile is loaded, and load one
# apparmor_status | grep your_
# cd /etc/apparmor.d
# apparmor_parser -q your_profile_file
# apparmor_status | grep your_profile_name
2.2 Restricting the resources a pod can access with AppArmor
1 Create the profile
cd /etc/apparmor.d
vim k8s-apparmor-example-deny-write
#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
2 Load the profile
# apparmor_parser k8s-apparmor-example-deny-write
# apparmor_status |grep k8s
k8s-apparmor-example-deny-write
3 Add the pod manifest
$ wget https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/security/hello-apparmor.yaml
$ cat hello-apparmor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
$ kubectl apply -f hello-apparmor.yaml
pod/hello-apparmor created
4 Test the deny-write profile
$ kubectl exec hello-apparmor -- cat /proc/1/attr/current
k8s-apparmor-example-deny-write (enforce)
$ kubectl exec hello-apparmor -- touch /apparmor.txt
touch: /apparmor.txt: Permission denied
command terminated with exit code 1
3 Caveats
- For more usage details, see man apparmor
- Annotation format used in Kubernetes:
  container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>
  container_name is the name of the specific container (the pod name can be entered directly); profile_ref is usually localhost/k8s-apparmor-example-deny-write (the name of the profile under /etc/apparmor.d). Because it is not known in advance which node a pod will be scheduled on, the profile must be placed on every node and loaded there.
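As an added example (not part of the original post or of Kubernetes), a pre-deploy check in Python for the two caveats above: the annotation key suffix must match a container name in spec.containers, and a localhost/<name> profile must already be loaded in enforce mode on the node. The manifest is assumed to be the dict that yaml.safe_load would return for hello-apparmor.yaml, and the profile listing is a constructed sample in the "name (mode)" format of the /proc/1/attr/current output above (one profile per line, as in /sys/kernel/security/apparmor/profiles).

```python
import re

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# One "name (mode)" per line, as in /sys/kernel/security/apparmor/profiles and above.
PROFILE_LINE = re.compile(r"^(\S+) \((enforce|complain|kill|unconfined)\)$")

# Constructed sample: hello-apparmor.yaml from above, as yaml.safe_load would return it.
HELLO_APPARMOR = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-apparmor", "annotations": {
        ANNOTATION_PREFIX + "hello": "localhost/k8s-apparmor-example-deny-write"}},
    "spec": {"containers": [{"name": "hello", "image": "busybox"}]},
}
# Constructed sample: profile listing from a node that has loaded the profile.
NODE_WITH_PROFILE = "docker-default (enforce)\nk8s-apparmor-example-deny-write (enforce)\n"


def parse_loaded_profiles(text):
    """Map profile name -> mode; lines that are not a profile entry are ignored."""
    loaded = {}
    for line in text.splitlines():
        m = PROFILE_LINE.match(line.strip())
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def check_pod_apparmor(manifest, loaded_profiles):
    """Return problems with the pod's AppArmor annotations; an empty list means OK."""
    problems = []
    containers = {c["name"] for c in manifest.get("spec", {}).get("containers", [])}
    for key, ref in (manifest.get("metadata", {}).get("annotations") or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        cname = key[len(ANNOTATION_PREFIX):]
        if cname not in containers:  # the key suffix must be a container name, not the pod name
            problems.append(f"annotation targets container '{cname}', pod has {sorted(containers)}")
        if ref in ("runtime/default", "unconfined"):
            continue
        if not ref.startswith("localhost/"):
            problems.append(f"profile_ref '{ref}' must be runtime/default, unconfined or localhost/<name>")
            continue
        name = ref[len("localhost/"):]
        mode = loaded_profiles.get(name)
        if mode is None:  # the pod cannot start here: load the profile on every node first
            problems.append(f"profile '{name}' is not loaded on this node")
        elif mode != "enforce":
            problems.append(f"profile '{name}' is loaded in {mode} mode, not enforce")
    return problems
```

Running check_pod_apparmor(HELLO_APPARMOR, parse_loaded_profiles(NODE_WITH_PROFILE)) returns an empty list; feed it the listing from a node that never ran apparmor_parser and it reports the missing profile before kubectl apply does.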
4 References
Restrict a Container’s Access to Resources with AppArmor
docs/tutorials/clusters/apparmor/
docs.docker.com/engine/security/apparmor/