DenyEscalatingExec when under GKE


Problem description


We're using GKE with our Kubernetes cluster. One of the apps we're running is Jenkins for CI. Unfortunately, Jenkins slaves need to use Docker to mount their host's docker.sock. This is, potentially, an escalation exploit.


The solution is to set up your Admission Controller in the API server to use DenyEscalatingExec. But I can't, for the life of me, figure out how to get at that setting through GKE. It could even be set by default, but I can't figure out how to even get at the default settings hidden behind GKE.


Is there a way to set this (and other controllers) through GKE, or otherwise check the defaults to see if it's set?

Recommended answer


Unfortunately you can't change the enabled admission controllers on GKE. Alpha clusters support external admission webhooks but that would involve an amount of custom work.


An alternative option would be to use PodSecurityPolicy to only allow privileged Pods to run in a few tightly controlled namespaces. For example, you could create a jenkins namespace and only allow privileged Pods to be created in the jenkins and kube-system namespaces and then prevent all users but cluster admins from execing into Pods in those namespaces.
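As an added example (not code from the answer's author), this is one way to wire up the approach above: a privileged PodSecurityPolicy that only service accounts in the jenkins namespace may use, plus a developer Role in that namespace that deliberately omits the pods/exec subresource, so only cluster-admins can exec there. All object names are assumptions; the kube-system side mentioned in the answer would be a second RoleBinding in that namespace, and PodSecurityPolicy itself was removed in Kubernetes 1.25.

```yaml
# Added example with assumed names; PodSecurityPolicy was removed in Kubernetes 1.25
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: jenkins-privileged
spec:
  privileged: true
  allowPrivilegeEscalation: true
  volumes: ["*"]            # needed for the hostPath mount of docker.sock
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
# ClusterRole that grants "use" of the privileged policy
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-jenkins-privileged
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["jenkins-privileged"]
  verbs: ["use"]
---
# RoleBinding scoped to the jenkins namespace only: service accounts elsewhere cannot use it
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-privileged-psp
  namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-jenkins-privileged
subjects:
- kind: Group
  name: system:serviceaccounts:jenkins
  apiGroup: rbac.authorization.k8s.io
---
# Developer Role: read pods and logs, but no pods/exec or pods/attach (RBAC is deny-by-default)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-developer
  namespace: jenkins
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
```

The policy is only enforced if the PodSecurityPolicy admission controller is enabled on the cluster, which GKE exposed as a beta cluster option at the time; a restricted default policy bound cluster-wide should accompany it so that workloads outside jenkins and kube-system are not rejected or left unrestricted.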
