安全上下文(Security Context)
安全上下文概念
Kubernetes 的 Security Context(安全上下文) 用于控制容器的权限和安全策略,防止容器影响宿主机或集群的安全。
可以应用的范围:
| 级别 | 作用对象 |
|---|---|
| Pod-level Security Context | 作用于 Pod 内所有容器及 Volume |
| Container-level Security Context | 仅作用于指定容器,优先级高于 Pod-level |
| Pod Security Policies (PSP) 已废弃 | 集群级别安全策略,影响所有 Pod |
Pod 级安全上下文示例
# security-context-pod-demo.yaml
apiVersion: v1
kind: Pod
metadata:name: security-context-pod-demo
spec:volumes:- name: sec-ctx-volemptyDir: {}securityContext: # Pod级安全上下文runAsUser: 1000 # Pod内所有容器进程 UIDrunAsGroup: 3000 # Pod内所有容器进程 GIDfsGroup: 2000 # 挂载卷和文件所属 GIDcontainers:- name: sec-ctx-demoimage: busyboxcommand: ["sh", "-c", "sleep 60m"]volumeMounts:- name: sec-ctx-volmountPath: /pod/demosecurityContext: # 容器级安全上下文,可覆盖 Pod-levelallowPrivilegeEscalation: false
解释:
- runAsUser:容器内进程 UID
- runAsGroup:容器内进程 GID
- fsGroup:挂载卷的 GID
- allowPrivilegeEscalation:是否允许特权提升(默认 true,privileged 或 CAP_SYS_ADMIN 时强制 true)
验证:
ubuntu@ubuntu:~/example/security-context$ kubectl apply -f ./security-context-pod-demo.yaml
pod/security-context-pod-demo created
ubuntu@ubuntu:~/example/security-context$ kubectl exec -it security-context-pod-demo -- id
uid=1000 gid=3000 groups=2000,3000
ubuntu@ubuntu:~/example/security-context$ kubectl exec -it security-context-pod-demo -- ls -la /pod/demo
total 8
drwxrwsrwx 2 root 2000 4096 Nov 17 09:57 .
drwxr-xr-x 3 root root 4096 Nov 17 09:57 ..
ubuntu@ubuntu:~/example/security-context$ kubectl exec -it security-context-pod-demo -- top
Mem: 2186016K used, 1774888K free, 4236K shrd, 75484K buff, 1346260K cached
CPU: 2.4% usr 0.0% sys 0.0% nic 97.5% idle 0.0% io 0.0% irq 0.0% sirq
Load average: 0.00 0.00 0.00 1/683 24
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
19 0 1000 R 4568 0.1 1 0.0 top
1 0 1000 S 4436 0.1 3 0.0 sleep 60m
Linux Capabilities
Linux 将 root 权限拆分成细粒度权限,称为 Capabilities,避免 SUID 过度授权风险。
常用 Capabilities:
| Capability | 用途 |
|---|---|
| CAP_NET_ADMIN | 网络管理 |
| CAP_SYS_TIME | 设置系统时间 |
| CAP_SYS_ADMIN | 系统管理(类似特权 root) |
Capabilities 集合(线程级别):
| 集合 | 作用 |
|---|---|
| Permitted | 可使用的最大 Capabilities |
| Effective | 内核检查权限使用的集合 |
| Inheritable | 可被 exec 继承的 Capabilities |
| Bounding | Inheritable 的超集,限制上限 |
| Ambient | Linux 4.3 新增,可继承给子进程 |
Kubernetes 配置 Capabilities
# cpb-demo.yaml
apiVersion: v1
kind: Pod
metadata:name: cpb-demo
spec:containers:- name: cpbimage: busyboxargs: ["sleep", "3600"]securityContext:capabilities:add: # 添加- NET_ADMINdrop: # 删除默认能力- KILL验证:
ubuntu@ubuntu:~/example/security-context$ kubectl apply -f cpb-demo.yaml
pod/cpb-demo created
ubuntu@ubuntu:~/example/security-context$ kubectl exec -it cpb-demo -- /bin/sh
# 验证网络功能/ # ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue qlen 1000link/ether d2:b3:6b:96:5a:c8 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 1000link/ether b2:f2:bb:1c:96:54 brd ff:ff:ff:ff:ff:ff# 验证kill
/ # id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
# 创建一个非 root 用户的后台进程
/ # adduser testuser
Changing password for testuser
New password:
Bad password: too short
Retype password:
passwd: password for testuser is unchanged
adduser: user 'testuser' in use
/ # su - testuser -c "sleep 1000 &"
/ # top
Mem: 2203412K used, 1757492K free, 4236K shrd, 76748K buff, 1347196K cached
CPU: 2.5% usr 0.0% sys 0.0% nic 97.4% idle 0.0% io 0.0% irq 0.0% sirq
Load average: 0.05 0.01 0.00 2/683 30PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND7 0 root S 4568 0.1 1 0.0 /bin/sh30 7 root R 4568 0.1 1 0.0 top1 0 root S 4436 0.1 3 0.0 sleep 360029 1 testuser S 4436 0.1 3 0.0 sleep 1000
/ # kill -9 29
sh: can't kill pid 29: Operation not permitted
特权容器(Privileged)
- Docker/Containerd:--privileged 开启容器超级权限
- Kubernetes:
securityContext: privileged: true
不建议使用,获取宿主机 root 权限,安全风险极高。