Policy Controller 附带默认的限制条件模板库,您可以将该库与 CIS 包搭配使用,以根据 CIS Kubernetes 基准 v1.5.1 审核集群的合规性。此基准是一系列关于配置 Kubernetes 以支持可靠的安全状况的建议。
本页面适用于想要提供并维护自动化以进行审核或强制执行,从而确保云平台中运行的所有资源满足组织合规性要求的 IT 管理员和运维人员。如需详细了解我们在 Google Cloud 内容中提及的常见角色和示例任务,请参阅常见的 GKE Enterprise 用户角色和任务。
此限制条件软件包在以下网域中处理并强制执行政策:
- RBAC 和服务账号
- Pod 安全政策
- 网络政策和 CNI
- 密文管理
- 常规政策
CIS Kubernetes v1.5.1 政策包限制条件
| 限制条件名称 | 对照组说明 | 控制 ID |
|---|---|---|
| cis-k8s-v1.5.1-restrict-clusteradmin-rolebindings.yaml | 限制使用“cluster-admin”角色 | 5.1.1 |
| cis-k8s-v1.5.1-prohibit-role-wildcard-access.yaml | 限制在“Roles”和“ClusterRoles”中使用通配符 | 5.1.3 |
| cis-k8s-v1.5.1-psp-privileged-container.yaml | 尽可能减少特权容器的准许 | 5.2.1 |
| cis-k8s-v1.5.1-psp-host-namespace.yaml | 尽可能减少希望共享主机进程 ID 命名空间的容器的准许 | 5.2.2 |
| 尽可能减少希望共享主机 IPC 命名空间的容器的准许 | 5.2.3 | |
| cis-k8s-v1.5.1-psp-host-network-ports | 尽可能减少希望共享主机网络命名空间的容器的准许 | 5.2.4 |
| cis-k8s-v1.5.1-psp-allow-privilege-escalation-container | 尽可能减少具有 allowPrivilegeEscalation 的容器的准许 | 5.2.5 |
| cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot | 尽可能减少根容器的准许 | 5.2.6 |
| cis-k8s-v1.5.1-psp-capabilities | 尽可能减少具有 NET_RAW 功能的容器的准许 | 5.2.7 |
| 尽可能减少具有附加功能的容器的准许 | 5.2.8 | |
| 尽可能减少具有分配的功能的容器的准许 | 5.2.9 | |
| cis-k8s-v1.5.1-require-namespace-network-policies | 确保所有命名空间都定义了网络政策 | 5.3.2 |
| cis-k8s-v1.5.1-no-secrets-as-env-vars | 优先将 Secret 用作文件而不是用作环境变量 | 5.4.1 |
| cis-k8s-v1.5.1-psp-seccomp-default | 确保在 Pod 定义中将 seccomp 配置文件设置为 `docker/default` | 5.7.2 |
| cis-k8s-v1.5.1-pods-require-security-context | 将安全上下文应用到您的 Pod 和容器 | 5.7.3 |
须知事项
- 安装并初始化 Google Cloud CLI,它提供了以下说明中使用的
gcloud和kubectl命令。如果您使用 Cloud Shell,则系统会预安装 Google Cloud CLI。 - 在集群上安装 Policy Controller 以及默认的限制条件模板库。您还必须启用对参照限制条件的支持,因为此包包含参照限制条件。
为参照限制条件配置政策控制器
在文件中,将以下 YAML 清单保存为
policycontroller-config.yaml。此清单将 Policy Controller 配置为监视特定种类的对象。apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: "gatekeeper-system" spec: sync: syncOnly: - group: "" version: "v1" kind: "Namespace" - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy"应用
policycontroller-config.yaml清单:kubectl apply -f policycontroller-config.yaml
审核 CIS Kubernetes v1.5.1 政策包
政策控制器允许您为 Kubernetes 集群强制执行政策。为了帮助测试您的工作负载及其对上表中列出的 CIS 政策的合规性,您可以在“审核”模式下部署这些限制条件以发现违规行为,更重要的是让您有机会在 Kubernetes 集群上强制执行之前处理这些违规行为。
您可以在 spec.enforcementAction 设置为 dryrun 的情况下,使用 kubectl、kpt 或 Config Sync 应用这些政策。
kubectl
(可选)使用 kubectl 预览政策限制条件:
kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1
使用 kubectl 应用政策限制条件:
kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1
输出如下所示:
k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-k8s-v1.5.1-no-secrets-as-env-vars created k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-allow-privilege-escalation created k8spspallowedusers.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot created k8spspcapabilities.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-capabilities created k8spsphostnamespace.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-namespace created k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-network-ports created k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-privileged-container created k8spspseccomp.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-seccomp-default created k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-k8s-v1.5.1-pods-require-security-context created k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-k8s-v1.5.1-prohibit-role-wildcard-access created k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-k8s-v1.5.1-require-namespace-network-policies created k8srestrictrolebindings.constraints.gatekeeper.sh/cis-k8s-v1.5.1-restrict-clusteradmin-rolebindings created
验证政策限制条件是否已安装,并检查集群中是否存在违规行为:
kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1
输出类似于以下内容:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-k8s-v1.5.1-no-secrets-as-env-vars dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-allow-privilege-escalation dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspallowedusers.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspcapabilities.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-capabilities dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnamespace.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-namespace dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-network-ports dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-privileged-container dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspseccomp.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-seccomp-default dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-k8s-v1.5.1-pods-require-security-context dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-k8s-v1.5.1-prohibit-role-wildcard-access dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-k8s-v1.5.1-require-namespace-network-policies dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictrolebindings.constraints.gatekeeper.sh/cis-k8s-v1.5.1-restrict-clusteradmin-rolebindings dryrun 0
kpt
安装并设置 kpt。在这些说明中,kpt 用于自定义和部署 Kubernetes 资源。
使用 kpt 从 GitHub 下载 CIS 政策包:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1
运行
set-enforcement-actionkpt 函数将政策的违规处置措施设置为dryrun:kpt fn eval cis-k8s-v1.5.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
使用 kpt 初始化工作目录,此操作会创建一个资源来跟踪更改:
cd cis-k8s-v1.5.1 kpt live init
使用 kpt 应用政策限制条件:
kpt live apply
输出如下所示:
k8spspseccomp.constraints.gatekeeper.sh/psp-seccomp-docker-default created k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/pods-require-security-context created k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/prohibit-role-wildcard-access created k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/require-namespace-network-policies created k8snoenvvarsecrets.constraints.gatekeeper.sh/no-secrets-as-env-vars created k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-allow-privilege-escalation-container created k8spspallowedusers.constraints.gatekeeper.sh/psp-pods-must-run-as-nonroot created k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-host-network-ports created k8srestrictrolebindings.constraints.gatekeeper.sh/restrict-clusteradmin-rolebindings created k8spspcapabilities.constraints.gatekeeper.sh/psp-capabilities created k8spsphostnamespace.constraints.gatekeeper.sh/psp-host-namespace created k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-privileged-container created 13 resource(s) applied. 13 created, 0 unchanged, 0 configured, 0 failed
验证政策限制条件是否已安装,并检查集群中是否存在违规行为:
kpt live status --output table --poll-until current
状态为
CURRENT,即确认限制条件成功安装。
Config Sync
- 安装并设置 kpt。在这些说明中,kpt 用于自定义和部署 Kubernetes 资源。
使用 Config Sync 将政策部署到其集群的运维人员可以按照以下说明操作:
更改为 Config Sync 的同步目录:
cd SYNC_ROOT_DIR
创建
resourcegroup.yaml或将其附加到.gitignore:echo resourcegroup.yaml >> .gitignore
创建一个专用的
policies目录:mkdir -p policies
使用 kpt 从 GitHub 下载 CIS 政策包:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1 policies/cis-k8s-v1.5.1
运行
set-enforcement-actionkpt 函数将政策的强制执行操作设置为dryrun:kpt fn eval policies/cis-k8s-v1.5.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
(可选)预览待创建的政策限制条件:
kpt live init policies/cis-k8s-v1.5.1 kpt live apply --dry-run policies/cis-k8s-v1.5.1
输出如下所示:
Dry-run strategy: client inventory update started inventory update finished apply phase started k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-k8s-v1.5.1-no-secrets-as-env-vars apply successful k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-allow-privilege-escalation apply successful k8spspallowedusers.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot apply successful k8spspcapabilities.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-capabilities apply successful k8spsphostnamespace.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-namespace apply successful k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-network-ports apply successful k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-privileged-container apply successful k8spspseccomp.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-seccomp-default apply successful k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-k8s-v1.5.1-pods-require-security-context apply successful k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-k8s-v1.5.1-prohibit-role-wildcard-access apply successful k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-k8s-v1.5.1-require-namespace-network-policies apply successful k8srestrictrolebindings.constraints.gatekeeper.sh/cis-k8s-v1.5.1-restrict-clusteradmin-rolebindings apply successful apply phase finished inventory update started inventory update finished apply result: 12 attempted, 12 successful, 0 skipped, 0 failed
如果 Config Sync 的同步目录使用 Kustomize,请将
policies/cis-k8s-v1.5.1添加到根kustomization.yaml。 否则,请移除policies/cis-k8s-v1.5.1/kustomization.yaml文件:rm SYNC_ROOT_DIR/policies/cis-k8s-v1.5.1/kustomization.yaml
将更改推送到 Config Sync 代码库:
git add SYNC_ROOT_DIR/policies/cis-k8s-v1.5.1 git commit -m 'Adding CIS policy audit enforcement' git push
验证安装状态:
watch gcloud beta container fleet config-management status --project PROJECT_ID
状态
SYNCED用于确认政策的安装情况。
查看违规问题
在审核模式下安装政策限制条件后,您可以使用政策控制器信息中心在界面中查看集群的违规问题。
您还可以使用 kubectl 来通过以下命令查看针对集群的违规行为:
kubectl get constraint -l policycontroller.gke.io/bundleName=cis-k8s-v1.5.1 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
如果存在违规行为,您可以使用以下命令查看每个限制条件的违规消息列表:
kubectl get constraint -l policycontroller.gke.io/bundleName=cis-k8s-v1.5.1 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
更改 CIS Kubernetes v1.5.1 政策包违规处置措施
查看集群上的政策违规情况后,您可以考虑更改强制执行模式,以便准入控制器发出 warn,甚至 deny 屏蔽不合规资源应用于集群。
kubectl
使用 kubectl 将政策的强制执行操作设置为
warn:kubectl get constraint -l policycontroller.gke.io/bundleName=cis-k8s-v1.5.1 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'验证政策限制条件强制执行措施是否已更新:
kubectl get constraint -l policycontroller.gke.io/bundleName=cis-k8s-v1.5.1
kpt
运行
set-enforcement-actionkpt 函数将政策的强制执行操作设置为warn:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
应用政策限制条件:
kpt live apply
Config Sync
使用 Config Sync 将政策部署到其集群的运维人员可以按照以下说明操作:
更改为 Config Sync 的同步目录:
cd SYNC_ROOT_DIR
运行
set-enforcement-actionkpt 函数将政策的强制执行操作设置为warn:kpt fn eval policies/cis-k8s-v1.5.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
将更改推送到 Config Sync 代码库:
git add SYNC_ROOT_DIR/policies/cis-k8s-v1.5.1 git commit -m 'Adding CIS Kubernetes v1.5.1 policy bundle warn enforcement' git push
验证安装状态:
gcloud alpha anthos config sync repo list --project PROJECT_ID
SYNCED列中显示您的代码库即表示政策安装成功。
测试政策执行情况
使用以下命令在集群上创建不合规的资源:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: wp-non-compliant
labels:
app: wordpress
spec:
containers:
- image: wordpress
name: wordpress
ports:
- containerPort: 80
name: wordpress
EOF
准入控制器应生成一个警告列表,其中列出了此资源违反政策的行为,如以下示例所示:
Warning: [cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot] Container wordpress is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0
Warning: [cis-k8s-v1.5.1-psp-allow-privilege-escalation] Privilege escalation container is not allowed: wordpress
Warning: [cis-k8s-v1.5.1-psp-seccomp-default] Seccomp profile 'not configured' is not allowed for container 'wordpress'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "docker/default", "runtime/default"}
Warning: [cis-k8s-v1.5.1-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["NET_RAW"] or "ALL"
Warning: [cis-k8s-v1.5.1-pods-require-security-context] securityContext must be defined for all Pod containers
pod/wp-non-compliant created
移除 CIS Kubernetes v1.5.1 政策包
如果需要,您可以从集群中移除 CIS K8s 政策包。
kubectl
使用 kubectl 移除政策:
kubectl delete constraint -l policycontroller.gke.io/bundleName=cis-k8s-v1.5.1
kpt
移除政策:
kpt live destroy
Config Sync
使用 Config Sync 将政策部署到其集群的运维人员可以按照以下说明操作:
将更改推送到 Config Sync 代码库:
git rm -r SYNC_ROOT_DIR/policies/cis-k8s-v1.5.1 git commit -m 'Removing CIS policies' git push
验证状态:
gcloud alpha anthos config sync repo list --project PROJECT_ID
SYNCED列中显示您的代码库即表示政策移除成功。