简介
因为有时候对 ServiceAccount(SA)、SecurityContextConstriant (SCC)、securityContext(SC) 有些混乱,所以感觉有必要做下实验加深下理解,不少初学者在运行应用的时候都遇到的关于SA和SCC的问题。我将先部署一个简单的应用作为测试环境。我使用的是openshift 3.9
部署应用
我使用的是busybox,一个轻量级的工具镜像,尤其在测试网络连通性的时候非常有用。
- 使用镜像进行部署
oc new-app --docker-image=docker.io/busybox --name=busybox923
- 修改DC yaml文件的启动命令,因为busybox默认是以bash启动,会一直重启,我将它改为sleep
spec:
containers:
- image: 'docker.io/busybox:latest'
command:
- sleep
- 30d
- 查看pod状态已经正常运行了
# oc get pod
NAME READY STATUS RESTARTS AGE
busybox923-3-qk7hj 1/1 Running 0 17m
分析现在busybox相关内容
- 查看busybox的DC yaml文件,截取相关内容
# oc get dc/busybox923 -o yaml
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
...
spec:
...
template:
metadata:
annotations:
openshift.io/generated-by: OpenShiftNewApp
creationTimestamp: null
labels:
app: busybox923
deploymentconfig: busybox923
spec:
containers:
- command:
- sleep
- 30d
image: docker.io/busybox:latest
imagePullPolicy: IfNotPresent
name: busybox923
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
...
- 查看busybox的pod yaml文件,截取相关内容
# oc get pod busybox923-3-qk7hj -o yaml
apiVersion: v1
kind: Pod
····
name: busybox923-3-qk7hj
namespace: default
···
spec:
containers:
- command:
- sleep
- 30d
image: docker.io/busybox:latest
imagePullPolicy: IfNotPresent
name: busybox923
resources: {}
securityContext:
capabilities:
drop:
- KILL
- MKNOD
- SETGID
- SETUID
runAsUser: 1000000000
···
securityContext:
fsGroup: 1000000000
seLinuxOptions:
level: s0:c1,c0
serviceAccount: default
serviceAccountName: default
···
- 查看pod运行的用户
# oc rsh busybox923-3-qk7hj
/ $ whoami
whoami: unknown uid 1000000000
- 分析:可以看到DC关于是没有定于关于sa与sc的配置,而pod则定义了使用default的serviceAccount,并在securityContext定义了runAsUser: 1000000000(查看container字段的securityContext,并且进入busybox的pod看到的用户id为1000000000,这些都是openshift的默认参数,这个时候在容器以非root权限启动时去访问须有root权限时容易报错。
- 试着在DC内添加runAsUser: 1000000000为0,0即root
# oc get pod
NAME READY STATUS RESTARTS AGE
busybox923-5-bm5t7 1/1 Running 0 1m
busybox923-6-deploy 1/1 Running 0 22s
- 一直无法生产新的pod,即版本6的pod,查看下deploy pod的日志
# oc log busybox923-6-deploy
W1026 10:12:37.477358 36823 cmd.go:358] log is DEPRECATED and will be removed in a future version. Use logs instead.
--> Scaling up busybox923-6 from 0 to 1, scaling down busybox923-5 from 1 to 0 (keep 1 pods available, don't exceed 2 pods)
Scaling busybox923-6 up to 1
- 因此将DC给runAsUser给删了就可以了
# oc get pod
NAME READY STATUS RESTARTS AGE
busybox923-5-bm5t7 1/1 Terminating 0 4m
busybox923-6-deploy 0/1 Terminating 0 3m
busybox923-7-deploy 1/1 Running 0 9s
busybox923-7-qtnvn 1/1 Running 0 5s
SA、SCC、SC介绍及使用
SA是用来定义 pod 启动时的用户,注意这个用户不是指 pod 容器里头的Linux用户,只是这个pod能干什么的用户;SCC就是具体的权限角色了,需要将SCC的角色分配给SA用户,系统默认就定义好了很多SCC,我们直接拿来用就可以了;而SC就是分配好,管理员再在pod定义具体使用那些权限的。
- 查看系统默认的SCC,常用的是privileged,它能够以root用户运行,并且访问宿主机上的文件系统
# oc get scc
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
- 我部署的应用是在default这个project下面,每个项目都有default这个sa,注意在页面上是看不到default这个sa的。
# oc get sa
NAME SECRETS AGE
builder 2 131d
default 3 131d
deployer 2 131d
registry 3 131d
router 2 131d
- 现在我给default这个sa分配privileged的权限
# oc adm policy add-scc-to-user privileged -z default
scc "privileged" added to: ["system:serviceaccount:default:default"]
- 把pod杀了,让它自动新建一个,登录进pod的uid还是不变,并且dc和pod的yaml文件关于sa和sc字段还是不变。
- 在dc的container字段内添加sc配置 privileged: true
containers:
- command:
- sleep
- 30d
image: docker.io/busybox:latest
imagePullPolicy: IfNotPresent
name: busybox923
resources: {}
securityContext:
capabilities: {}
privileged: true
- 查看pod的yaml文件,默认定义在securityContext字段的参数变了
spec:
containers:
- command:
- sleep
- 30d
image: docker.io/busybox:latest
imagePullPolicy: IfNotPresent
name: busybox923
resources: {}
securityContext:
capabilities: {}
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-xthkz
readOnly: true
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: default-dockercfg-6h8bz
nodeName: local2-ocp3.9-node1-test.com
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
- 查看pod运行的用户,这时候为root了
# oc rsh busybox923-8-59hvm
/ # whoami
root
- 试着将privileged: true参数定义在外面的securityContext,而不是container字段内定义,试了一下不会生效,还是为securityContext: {};接下来的测试都不在外面的securityContext测试了,默认都在container字段内测试。
- 将privileged: true修改为自定义的用户id,如:runAsUser: 123,忽然发现使用id命令也能看到当前用户属于哪个组,可以看到属于root组。
# oc rsh busybox923-10-p69mg
/ $ whoami
whoami: unknown uid 123
/ $ id
uid=123 gid=0(root)
- 将securityContext全部删除,测试下是id命令的结果,多了个groups。
# oc rsh busybox923-11-tblhh
/ $ id
uid=1000000000 gid=0(root) groups=1000000000
- 配置securityContext的runAsUser为0,查看pod的用户id 为root
# oc rsh busybox923-12-cq5qt
/ # id
uid=0(root) gid=0(root) groups=10(wheel)
- 测试未在DC的yaml文件中配置 privileged: true 权限下挂载宿主机的docker可执行文件及docker配置文件
spec:
containers:
- command:
- sleep
- 30d
...
volumeMounts:
- mountPath: /usr/bin/docker
name: docker
- mountPath: /etc/sysconfig/docker
name: docker-config
...
securityContext: {}
...
volumes:
- hostPath:
path: /usr/bin/docker
type: ''
name: docker
- hostPath:
path: /etc/sysconfig/docker
type: ''
name: docker-config
- 进入pod,可以看到是root用户,并且docker文件已经挂载进来了
# oc rsh busybox923-17-vb94f
/ # id
/ # ls -l /etc/sysconfig/docker
-rw-r--r-- 1 root root 1243 Mar 19 2018 /etc/sysconfig/docker
uid=0(root) gid=0(root) groups=10(wheel)
/ # ls -l /usr/bin/docker
-rwxr-xr-x 1 root root 735 Mar 19 2018 /usr/bin/docker
- 我也看了dc及pod的yaml文件,都没有关于sc的定义,所以应该是在使用宿主机volume的时候就开启了privileged: true
- 给sa分配scc为privileged权限很大了,在有些时候只需要分配让pod以root用户启动即可,即修改privileged为anyuid
oc adm policy remove-scc-from-user privileged -z default
oc adm policy add-scc-to-user anyuid -z default
- 这时候删除pod,不会启动新的pod,怀疑目前因为挂载的宿主机的volume,并且因为scc权限低,所以pod无法创建,所以在dc内删除volume相关的配置,触发新的部署,新pod就被创建了,我再次将volume的配置添加进dc,查看一下,虽然新的部署被触发,但是新的pod没有被创建,说明在没有足够大的权限下,pod无法创建。
[root@local2-ocp3.9-master1-test.com ~]# oc get pod
NAME READY STATUS RESTARTS AGE
busybox923-21-cktj5 1/1 Running 0 2m
busybox923-22-deploy 1/1 Running 0 10s
- 再次将volume相关配置删除,触发新的部署,进入pod看下用户为root
# oc rsh busybox923-23-nmk7h
/ # id
uid=0(root) gid=0(root) groups=10(wheel)
/ # whoami
root
创建新的sa,并且使用它
- 前面pod启动时,使用的是project 默认的default sa,我们可以自己新建一个作为测试
# oc create sa busybox
serviceaccount "busybox" created
- 在DC内定义使用busybox这个sa去启动
serviceAccount: busybox
serviceAccountName: busybox
- 进入pod,用户跟sa 为 default时没差
# oc rsh busybox923-24-l5szd
/ $ id
uid=1000000000 gid=0(root) groups=1000000000
/ $ whoami
whoami: unknown uid 1000000000
- 给busybox分配scc为anyuid进行测试,用户为root
# oc adm policy add-scc-to-user anyuid -z busybox
scc "anyuid" added to: ["system:serviceaccount:default:busybox"]
# oc rsh busybox923-24-fjkrb
/ # id
uid=0(root) gid=0(root) groups=10(wheel)
/ # whoami
root
总结
以上只是对sa、scc、sc常用的一些配置使用做了测试和介绍,更深入和灵活的用法还需在具体环境及需求中进行测试验证,openshift/kubernetes是很强大很复杂的一个系统,还需多深入研究。
