Pod Security Standards 实施指南
Pod Security Standards (PSS) 是Kubernetes 1.22引入的新安全框架,用于替代已弃用的Pod Security Policies (PSP)。PSS提供了三个预定义的安全配置文件,简化了Pod安全策略的实施和管理。
🛡️ Pod Security Standards 概述
安全配置文件
yaml
security_profiles:
privileged:
description: "不受限制的策略,提供最广泛的权限级别"
use_case: "系统级工作负载和需要特权的基础设施组件"
characteristics:
- "允许已知的特权提升"
- "允许大多数安全上下文约束"
- "用于系统和基础设施工作负载"
example_workloads:
- "CNI插件"
- "存储驱动程序"
- "系统监控代理"
- "安全扫描工具"
baseline:
description: "最小限制策略,防止已知的特权提升"
use_case: "普通应用工作负载的默认策略"
restrictions:
forbidden_fields:
- "spec.securityContext.runAsUser: 0"
- "spec.containers[*].securityContext.runAsUser: 0"
- "spec.containers[*].securityContext.privileged: true"
- "spec.containers[*].securityContext.allowPrivilegeEscalation: true"
forbidden_capabilities:
- "CAP_SYS_ADMIN"
- "CAP_NET_ADMIN"
- "CAP_SYS_TIME"
forbidden_volumes:
- "hostPath"
- "hostPID: true"
- "hostNetwork: true"
- "hostIPC: true"
allowed_example: |
apiVersion: v1
kind: Pod
metadata:
name: baseline-compliant-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: app
image: nginx:alpine
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
restricted:
description: "高度受限策略,实施当前Pod安全最佳实践"
use_case: "安全敏感的应用工作负载"
requirements:
mandatory_fields:
- "spec.securityContext.runAsNonRoot: true"
- "spec.securityContext.seccompProfile.type: RuntimeDefault OR Localhost"
- "spec.containers[*].securityContext.allowPrivilegeEscalation: false"
- "spec.containers[*].securityContext.capabilities.drop: [ALL]"
- "spec.containers[*].securityContext.runAsNonRoot: true"
- "spec.containers[*].securityContext.seccompProfile.type: RuntimeDefault OR Localhost"
forbidden_capabilities: "ALL (must drop all capabilities)"
required_volumes: "Only specific volume types allowed"
compliant_example: |
apiVersion: v1
kind: Pod
metadata:
name: restricted-compliant-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: nginx:alpine
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: tmp-volume
mountPath: /tmp
volumes:
- name: tmp-volume
emptyDir: {}yaml
security_modes:
enforce:
description: "强制执行模式,拒绝违反策略的Pod"
behavior: "阻止不符合安全策略的Pod创建"
configuration: |
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.25
use_case: "生产环境强制安全策略"
audit:
description: "审计模式,记录违反策略的Pod但允许创建"
behavior: "在审计日志中记录违规事件"
configuration: |
apiVersion: v1
kind: Namespace
metadata:
name: development
labels:
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.25
use_case: "监控和评估现有工作负载合规性"
warn:
description: "警告模式,向用户返回违反策略的警告"
behavior: "在kubectl输出中显示警告信息"
configuration: |
apiVersion: v1
kind: Namespace
metadata:
name: staging
labels:
pod-security.kubernetes.io/warn: baseline
pod-security.kubernetes.io/warn-version: v1.25
use_case: "用户友好的策略违规提醒"
combined_modes: |
# 组合使用多种模式
apiVersion: v1
kind: Namespace
metadata:
name: secure-namespace
labels:
# 强制执行基线策略
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: v1.25
# 审计受限策略
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.25
# 警告受限策略
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.25🔄 PSP到PSS迁移
迁移策略和步骤
yaml
migration_assessment:
current_psp_analysis:
inventory_script: |
#!/bin/bash
# PSP使用情况分析
echo "=== Current Pod Security Policies ==="
kubectl get psp -o wide
echo -e "\n=== PSP to Pod Bindings ==="
kubectl get pods --all-namespaces -o json | jq -r '
.items[] |
select(.metadata.annotations."kubernetes.io/psp" != null) |
"\(.metadata.namespace)/\(.metadata.name): \(.metadata.annotations."kubernetes.io/psp")"' |
sort | uniq -c | sort -nr
echo -e "\n=== PSP Usage by Namespace ==="
kubectl get pods --all-namespaces -o json | jq -r '
.items[] |
select(.metadata.annotations."kubernetes.io/psp" != null) |
.metadata.namespace' |
sort | uniq -c | sort -nr
compatibility_check: |
# PSP兼容性检查脚本
check_psp_compatibility() {
local namespace=$1
echo "Checking PSP compatibility for namespace: $namespace"
# 获取该命名空间中的所有Pod
kubectl get pods -n "$namespace" -o json | jq -r '
.items[] as $pod |
# 检查特权容器
if ($pod.spec.containers[]?.securityContext.privileged == true) then
"PRIVILEGED: \($pod.metadata.name)"
else empty end,
# 检查root用户
if ($pod.spec.securityContext.runAsUser == 0 or $pod.spec.containers[]?.securityContext.runAsUser == 0) then
"ROOT_USER: \($pod.metadata.name)"
else empty end,
# 检查主机网络
if ($pod.spec.hostNetwork == true) then
"HOST_NETWORK: \($pod.metadata.name)"
else empty end,
# 检查主机PID
if ($pod.spec.hostPID == true) then
"HOST_PID: \($pod.metadata.name)"
else empty end,
# 检查主机路径挂载
if ($pod.spec.volumes[]?.hostPath != null) then
"HOST_PATH: \($pod.metadata.name)"
else empty end'
}
migration_phases:
phase_1_assessment:
duration: "2-4周"
activities:
- "PSP使用情况分析"
- "工作负载安全需求评估"
- "PSS配置文件匹配"
- "迁移计划制定"
tools_and_commands: |
# 分析工具
# 1. 使用kubectl-psp-migrator
kubectl krew install psp-migrator
kubectl psp-migrator --namespace production
# 2. 使用Polaris进行评估
polaris audit --config-path polaris-config.yaml
# 3. 自定义分析脚本
./analyze-psp-usage.sh
phase_2_preparation:
duration: "2-3周"
activities:
- "命名空间标签配置"
- "审计模式启用"
- "警告模式测试"
- "工作负载调整"
namespace_preparation: |
# 准备命名空间迁移
prepare_namespace() {
local namespace=$1
local target_profile=$2
# 添加审计和警告模式
kubectl label namespace "$namespace" \
pod-security.kubernetes.io/audit="$target_profile" \
pod-security.kubernetes.io/warn="$target_profile" \
--overwrite
echo "Namespace $namespace prepared for $target_profile profile"
# 监控违规事件
kubectl get events -n "$namespace" --field-selector reason=FailedCreate
}
phase_3_enforcement:
duration: "1-2周"
activities:
- "强制模式逐步启用"
- "违规工作负载修复"
- "监控和调优"
- "PSP清理"
enforcement_script: |
#!/bin/bash
# 渐进式强制执行
enable_enforcement() {
local namespace=$1
local profile=$2
echo "Enabling enforcement for $namespace with $profile profile"
# 启用强制模式
kubectl label namespace "$namespace" \
pod-security.kubernetes.io/enforce="$profile" \
--overwrite
# 验证现有Pod是否符合策略
echo "Checking existing pods compliance..."
kubectl get pods -n "$namespace" -o json | jq -r '
.items[] |
"\(.metadata.name): \(.status.phase)"'
# 测试Pod创建
echo "Testing pod creation..."
kubectl run test-pod --image=nginx --dry-run=server -n "$namespace"
}yaml
workload_adaptation:
security_context_updates:
from_psp_to_pss: |
# PSP配置转换为PSS兼容配置
# 原PSP配置示例
old_psp_config: |
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: baseline-psp
spec:
privileged: false
allowPrivilegeEscalation: false
runAsUser:
rule: MustRunAsNonRoot
fsGroup:
rule: RunAsAny
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
# 对应的PSS兼容Pod配置
new_pod_config: |
apiVersion: v1
kind: Pod
metadata:
name: adapted-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
common_adaptations:
root_user_fix: |
# 修复root用户问题
# 问题:Pod以root用户运行
problematic_config: |
spec:
containers:
- name: app
image: myapp:latest
# 默认以root(UID 0)运行
# 解决方案:指定非root用户
fixed_config: |
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
containers:
- name: app
image: myapp:latest
securityContext:
runAsNonRoot: true
runAsUser: 1000
privilege_escalation_fix: |
# 修复权限提升问题
problematic_config: |
spec:
containers:
- name: app
image: myapp:latest
securityContext:
privileged: true # 特权模式
fixed_config: |
spec:
containers:
- name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE # 仅添加必需的权限
filesystem_fix: |
# 修复文件系统写入问题
problematic_config: |
spec:
containers:
- name: app
image: myapp:latest
# 默认可写入根文件系统
fixed_config: |
spec:
containers:
- name: app
image: myapp:latest
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: tmp-volume
mountPath: /tmp
- name: var-cache
mountPath: /var/cache
volumes:
- name: tmp-volume
emptyDir: {}
- name: var-cache
emptyDir: {}
deployment_templates:
baseline_template: |
# Baseline兼容的Deployment模板
apiVersion: apps/v1
kind: Deployment
metadata:
name: baseline-app
namespace: production
spec:
replicas: 3
selector:
matchLabels:
app: baseline-app
template:
metadata:
labels:
app: baseline-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: app
image: myapp:v1.0
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
resources:
limits:
cpu: "1"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
restricted_template: |
# Restricted兼容的Deployment模板
apiVersion: apps/v1
kind: Deployment
metadata:
name: restricted-app
namespace: secure-production
spec:
replicas: 3
selector:
matchLabels:
app: restricted-app
template:
metadata:
labels:
app: restricted-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:v1.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: tmp-volume
mountPath: /tmp
- name: cache-volume
mountPath: /app/cache
resources:
limits:
cpu: "1"
memory: "512Mi"
ephemeral-storage: "1Gi"
requests:
cpu: "100m"
memory: "128Mi"
ephemeral-storage: "100Mi"
volumes:
- name: tmp-volume
emptyDir: {}
- name: cache-volume
emptyDir: {}🛠️ PSS实施和管理
命名空间配置策略
yaml
namespace_configuration:
development_environment:
security_level: "baseline"
configuration: |
apiVersion: v1
kind: Namespace
metadata:
name: development
labels:
# 开发环境使用基线策略
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: v1.25
# 启用受限策略审计,了解安全改进空间
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.25
# 警告受限策略违规
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.25
annotations:
pod-security.example.com/environment: "development"
pod-security.example.com/team: "platform"
rationale: "开发环境需要灵活性,但仍需基本安全保护"
staging_environment:
security_level: "restricted"
configuration: |
apiVersion: v1
kind: Namespace
metadata:
name: staging
labels:
# 预发布环境强制执行受限策略
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.25
# 审计模式也使用受限策略
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.25
# 警告模式使用受限策略
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.25
annotations:
pod-security.example.com/environment: "staging"
pod-security.example.com/team: "platform"
rationale: "预发布环境模拟生产环境安全要求"
production_environment:
security_level: "restricted"
configuration: |
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
# 生产环境严格执行受限策略
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: v1.25
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/audit-version: v1.25
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/warn-version: v1.25
annotations:
pod-security.example.com/environment: "production"
pod-security.example.com/team: "platform"
pod-security.example.com/compliance: "required"
rationale: "生产环境要求最高安全标准"
system_namespaces:
security_level: "privileged"
examples:
kube_system: |
apiVersion: v1
kind: Namespace
metadata:
name: kube-system
labels:
# 系统命名空间使用特权策略
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
monitoring: |
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
labels:
# 监控组件可能需要特殊权限
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
annotations:
pod-security.example.com/justification: "monitoring-agents-require-host-access"yaml
validation_tools:
pss_validator:
kubectl_plugin: |
#!/bin/bash
# PSS验证kubectl插件
validate_pod() {
local pod_manifest=$1
local security_profile=${2:-restricted}
echo "Validating pod against $security_profile profile..."
# 使用kubectl的dry-run功能验证
kubectl apply --dry-run=server -f "$pod_manifest" 2>&1 | \
grep -E "(warning|error|violation)" || echo "Pod is compliant with $security_profile profile"
}
validate_namespace() {
local namespace=$1
echo "Checking namespace $namespace PSS configuration..."
# 获取命名空间的PSS标签
enforce_label=$(kubectl get namespace "$namespace" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}')
audit_label=$(kubectl get namespace "$namespace" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/audit}')
warn_label=$(kubectl get namespace "$namespace" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/warn}')
echo "Enforce: ${enforce_label:-none}"
echo "Audit: ${audit_label:-none}"
echo "Warn: ${warn_label:-none}"
# 检查现有Pod的合规性
echo "Checking existing pods compliance..."
kubectl get pods -n "$namespace" -o json | jq -r '
.items[] |
select(.metadata.annotations."pod-security.kubernetes.io/enforce-policy" != null) |
"\(.metadata.name): \(.metadata.annotations."pod-security.kubernetes.io/enforce-policy")"'
}
automated_scanning: |
# 自动化PSS合规扫描
scan_cluster_compliance() {
echo "=== Pod Security Standards Compliance Scan ==="
# 扫描所有命名空间
kubectl get namespaces -o json | jq -r '.items[].metadata.name' | \
while read namespace; do
echo "Scanning namespace: $namespace"
# 检查PSS标签配置
enforce=$(kubectl get namespace "$namespace" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}' 2>/dev/null)
if [ -z "$enforce" ]; then
echo " WARNING: No PSS enforce policy set"
else
echo " Enforce policy: $enforce"
fi
# 检查违规Pod
violation_count=$(kubectl get events -n "$namespace" --field-selector reason=FailedCreate 2>/dev/null | \
grep -c "violates PodSecurity" || echo "0")
if [ "$violation_count" -gt 0 ]; then
echo " WARNING: $violation_count PSS violations found"
fi
echo ""
done
}
policy_testing:
test_suite: |
#!/bin/bash
# PSS策略测试套件
test_baseline_compliance() {
echo "Testing baseline compliance..."
# 测试1:非特权容器
cat <<EOF | kubectl apply --dry-run=server -f - -n baseline-test
apiVersion: v1
kind: Pod
metadata:
name: test-non-privileged
spec:
containers:
- name: test
image: nginx:alpine
securityContext:
privileged: false
EOF
# 测试2:特权容器(应该失败)
cat <<EOF | kubectl apply --dry-run=server -f - -n baseline-test 2>&1 | grep -q "violates PodSecurity"
apiVersion: v1
kind: Pod
metadata:
name: test-privileged
spec:
containers:
- name: test
image: nginx:alpine
securityContext:
privileged: true
EOF
if [ $? -eq 0 ]; then
echo "✓ Baseline policy correctly blocks privileged containers"
else
echo "✗ Baseline policy failed to block privileged containers"
fi
}
test_restricted_compliance() {
echo "Testing restricted compliance..."
# 测试受限策略的完整配置
cat <<EOF | kubectl apply --dry-run=server -f - -n restricted-test
apiVersion: v1
kind: Pod
metadata:
name: test-restricted-compliant
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: test
image: nginx:alpine
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
EOF
if [ $? -eq 0 ]; then
echo "✓ Restricted compliant pod validation passed"
else
echo "✗ Restricted compliant pod validation failed"
fi
}📊 监控和审计
PSS违规监控
yaml
audit_monitoring:
log_analysis:
pss_violations: |
# PSS违规事件分析
analyze_pss_violations() {
echo "=== Pod Security Standards Violations ==="
# 从审计日志中提取PSS违规
jq -r 'select(.verb == "create" and .objectRef.resource == "pods" and .responseStatus.code >= 400 and (.responseStatus.message | contains("violates PodSecurity"))) |
"\(.timestamp) \(.user.username) \(.objectRef.namespace)/\(.objectRef.name): \(.responseStatus.message)"' \
/var/log/audit.log | tail -20
# 统计违规频率
echo -e "\n=== Violation Frequency by Namespace ==="
jq -r 'select(.verb == "create" and .objectRef.resource == "pods" and .responseStatus.code >= 400 and (.responseStatus.message | contains("violates PodSecurity"))) |
.objectRef.namespace' /var/log/audit.log | sort | uniq -c | sort -nr
# 统计违规类型
echo -e "\n=== Violation Types ==="
jq -r 'select(.verb == "create" and .objectRef.resource == "pods" and .responseStatus.code >= 400 and (.responseStatus.message | contains("violates PodSecurity"))) |
.responseStatus.message' /var/log/audit.log | \
grep -oE "(privileged|allowPrivilegeEscalation|runAsNonRoot|capabilities|seccompProfile|readOnlyRootFilesystem)" | \
sort | uniq -c | sort -nr
}
compliance_dashboard: |
# PSS合规性仪表盘查询
prometheus_queries:
# PSS违规计数
pss_violations_total: 'increase(apiserver_audit_total{objectRef_resource="pods",verb="create",responseStatus_code=~"4.."}[5m])'
# 按命名空间分组的违规
pss_violations_by_namespace: 'sum by (objectRef_namespace) (increase(apiserver_audit_total{objectRef_resource="pods",verb="create",responseStatus_code=~"4.."}[5m]))'
# PSS配置覆盖率
namespaces_with_pss: 'count by (label_pod_security_kubernetes_io_enforce) (kube_namespace_labels{label_pod_security_kubernetes_io_enforce!=""})'
alerting_rules:
prometheus_alerts: |
# PSS告警规则
groups:
- name: pod-security-standards
rules:
- alert: PSSViolationHigh
expr: increase(apiserver_audit_total{objectRef_resource="pods",verb="create",responseStatus_code=~"4.."}[5m]) > 10
for: 2m
labels:
severity: warning
annotations:
summary: "High number of Pod Security Standards violations"
description: "{{ $value }} PSS violations in the last 5 minutes"
- alert: PSSNamespaceWithoutPolicy
expr: count by (namespace) (kube_namespace_created{namespace!~"kube-.*"}) unless on(namespace) count by (namespace) (kube_namespace_labels{label_pod_security_kubernetes_io_enforce!=""})
for: 10m
labels:
severity: warning
annotations:
summary: "Namespace without Pod Security Standards policy"
description: "Namespace {{ $labels.namespace }} does not have PSS policy configured"
- alert: PSSPolicyDowngrade
expr: changes(kube_namespace_labels{label_pod_security_kubernetes_io_enforce="privileged"}[1h]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Pod Security Standards policy downgraded"
description: "Namespace {{ $labels.namespace }} PSS policy was downgraded to privileged"yaml
compliance_reporting:
automated_reports:
daily_compliance_report: |
#!/bin/bash
# PSS合规性日报
generate_daily_report() {
local report_date=$(date +%Y-%m-%d)
local report_file="pss-compliance-report-$report_date.html"
cat > "$report_file" <<EOF
<html>
<head>
<title>PSS Compliance Report - $report_date</title>
<style>
body { font-family: Arial, sans-serif; }
.summary { background-color: #f0f0f0; padding: 10px; margin: 10px 0; }
.violation { color: red; }
.compliant { color: green; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
</style>
</head>
<body>
<h1>Pod Security Standards Compliance Report</h1>
<div class="summary">
<h2>Summary for $report_date</h2>
EOF
# 生成摘要信息
total_namespaces=$(kubectl get namespaces --no-headers | wc -l)
pss_enabled_namespaces=$(kubectl get namespaces -o json | jq '[.items[] | select(.metadata.labels."pod-security.kubernetes.io/enforce" != null)] | length')
echo "<p>Total Namespaces: $total_namespaces</p>" >> "$report_file"
echo "<p>PSS Enabled Namespaces: $pss_enabled_namespaces</p>" >> "$report_file"
echo "<p>Coverage: $(echo "scale=2; $pss_enabled_namespaces * 100 / $total_namespaces" | bc)%</p>" >> "$report_file"
# 生成详细表格
cat >> "$report_file" <<EOF
</div>
<h2>Namespace Details</h2>
<table>
<tr>
<th>Namespace</th>
<th>Enforce Policy</th>
<th>Audit Policy</th>
<th>Warn Policy</th>
<th>Violations (24h)</th>
</tr>
EOF
# 遍历命名空间生成详细信息
kubectl get namespaces -o json | jq -r '
.items[] |
"\(.metadata.name)|\(.metadata.labels."pod-security.kubernetes.io/enforce" // "none")|\(.metadata.labels."pod-security.kubernetes.io/audit" // "none")|\(.metadata.labels."pod-security.kubernetes.io/warn" // "none")"' | \
while IFS='|' read namespace enforce audit warn; do
# 计算违规次数(这里简化处理)
violations=0
echo "<tr>" >> "$report_file"
echo "<td>$namespace</td>" >> "$report_file"
echo "<td>$enforce</td>" >> "$report_file"
echo "<td>$audit</td>" >> "$report_file"
echo "<td>$warn</td>" >> "$report_file"
echo "<td>$violations</td>" >> "$report_file"
echo "</tr>" >> "$report_file"
done
cat >> "$report_file" <<EOF
</table>
</body>
</html>
EOF
echo "Report generated: $report_file"
}
weekly_trend_analysis: |
# 周度趋势分析
generate_weekly_trends() {
local end_date=$(date +%Y-%m-%d)
local start_date=$(date -d '7 days ago' +%Y-%m-%d)
echo "=== PSS Compliance Trends ($start_date to $end_date) ==="
# 分析PSS策略采用趋势
echo "PSS Policy Adoption Trend:"
for i in {6..0}; do
check_date=$(date -d "$i days ago" +%Y-%m-%d)
# 这里需要历史数据支持,实际实现中可能需要从监控系统获取
echo "$check_date: Policy adoption status"
done
# 分析违规趋势
echo -e "\nViolation Trends:"
for i in {6..0}; do
check_date=$(date -d "$i days ago" +%Y-%m-%d)
# 从审计日志或监控系统获取违规数据
echo "$check_date: Violation count"
done
}
governance_integration:
policy_as_code: |
# 策略即代码集成
# 使用OPA Gatekeeper增强PSS
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8spssenhancement
spec:
crd:
spec:
names:
kind: K8sPSSEnhancement
validation:
properties:
maxAllowedCapabilities:
type: array
items:
type: string
allowedSeccompProfiles:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8spssenhancement
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
capability := container.securityContext.capabilities.add[_]
not capability in input.parameters.maxAllowedCapabilities
msg := sprintf("Capability %v is not allowed", [capability])
}
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
profile := container.securityContext.seccompProfile.type
not profile in input.parameters.allowedSeccompProfiles
msg := sprintf("Seccomp profile %v is not allowed", [profile])
}
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSEnhancement
metadata:
name: enhanced-pss-policy
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces: ["production", "staging"]
parameters:
maxAllowedCapabilities: ["NET_BIND_SERVICE"]
allowedSeccompProfiles: ["RuntimeDefault", "Localhost"]📋 PSS面试重点
基础概念类
Pod Security Standards的三个安全级别?
- Privileged:不受限制策略
- Baseline:最小限制策略
- Restricted:高度受限策略
- 各级别的具体限制和适用场景
PSS的三种执行模式?
- Enforce:强制执行
- Audit:审计记录
- Warn:警告提示
- 模式组合使用策略
PSS与PSP的主要区别?
- 架构设计差异
- 配置复杂度对比
- 功能覆盖范围
- 迁移必要性
实施配置类
如何设计PSS迁移策略?
- 现状评估方法
- 分阶段迁移计划
- 风险控制措施
- 回滚应急预案
不同环境的PSS配置策略?
- 开发环境配置
- 生产环境要求
- 系统组件处理
- 特殊权限需求
PSS违规问题的常见解决方案?
- Security Context配置
- 容器权限调整
- 文件系统权限
- 网络访问限制
监控管理类
如何监控PSS合规性?
- 审计日志分析
- 违规事件监控
- 合规性指标设计
- 自动化报告生成
PSS策略验证和测试方法?
- 策略有效性测试
- 工作负载兼容性验证
- 自动化测试套件
- 持续合规检查
PSS与其他安全机制的集成?
- RBAC权限控制
- Network Policy配合
- Admission Controller增强
- 监控告警集成
高级实践类
企业级PSS治理策略?
- 策略即代码实现
- 多集群策略统一
- 合规性自动化
- 审计追踪机制
PSS性能影响和优化?
- 准入控制性能
- 策略验证开销
- 大规模部署优化
- 监控资源消耗
PSS故障排查技巧?
- 常见错误模式
- 日志分析方法
- 调试工具使用
- 问题解决流程
🔗 相关内容
- Kubernetes安全概述 - Kubernetes安全整体架构
- RBAC深度配置 - RBAC权限管理详细实践
- 零信任架构 - 零信任安全模型
- 容器安全 - 容器安全完整实践
Pod Security Standards是Kubernetes安全的重要组成部分,通过标准化的安全配置文件简化了Pod安全策略的实施。正确理解和实施PSS,对于构建安全可靠的Kubernetes环境至关重要。