| 1 | +--- |
| 2 | +title: "加固指南 - 调度器配置" |
| 3 | +description: > |
| 4 | + 有关如何提升 Kubernetes 调度器安全性的指南。 |
| 5 | +content_type: concept |
| 6 | +weight: 90 |
| 7 | +--- |
| 8 | +<!-- |
| 9 | +title: "Hardening Guide - Scheduler Configuration" |
| 10 | +description: > |
| 11 | + Information about how to make the Kubernetes scheduler more secure. |
| 12 | +content_type: concept |
| 13 | +weight: 90 |
| 14 | +--> |
| 15 | + |
| 16 | +<!-- overview --> |
| 17 | +<!-- |
| 18 | +The Kubernetes {{< glossary_tooltip text="scheduler" term_id="kube-scheduler" >}} is |
| 19 | +one of the critical components of the |
| 20 | +{{< glossary_tooltip text="control plane" term_id="control-plane" >}}. |
| 21 | +
|
| 22 | +This document covers how to improve the security posture of the Scheduler. |
| 23 | +
|
| 24 | +A misconfigured scheduler can have security implications. |
| 25 | +Such a scheduler can target specific nodes and evict the workloads or applications that are sharing the node and its resources. |
| 26 | +This can aid an attacker with a [Yo-Yo attack](https://arxiv.org/abs/2105.00542): an attack on a vulnerable autoscaler. |
| 27 | +--> |
| 28 | +Kubernetes {{< glossary_tooltip text="调度器" term_id="kube-scheduler" >}}是{{< glossary_tooltip text="控制平面" term_id="control-plane" >}}的关键组件之一。 |
| 29 | + |
| 30 | +本文介绍如何提升调度器的安全态势。 |
| 31 | + |
| 32 | +一个配置不当的调度器可能带来安全隐患。 |
| 33 | +这样的调度器可以将目标设为特定节点,并驱逐正在共享节点及其资源的工作负载或应用。 |
| 34 | +攻击者可以借此实施 [Yo-Yo 攻击](https://arxiv.org/abs/2105.00542):即针对易受攻击的自动扩缩器发起攻击。 |
| 35 | + |
| 36 | +<!-- body --> |
| 37 | +<!-- |
| 38 | +## kube-scheduler configuration |
| 39 | +
|
| 40 | +### Scheduler authentication & authorization command line options |
| 41 | +
|
| 42 | +When setting up authentication configuration, it should be made sure that kube-scheduler's authentication remains consistent with kube-api-server's authentication. |
| 43 | +If any request has missing authentication headers, |
| 44 | +the [authentication should happen through the kube-api-server allowing all authentication to be consistent in the cluster](/docs/tasks/extend-kubernetes/configure-aggregation-layer/#original-request-username-and-group). |
| 45 | +--> |
| 46 | +## kube-scheduler 配置 {#kube-scheduler-configuration} |
| 47 | + |
| 48 | +### 调度器身份认证与鉴权命令行选项 {#scheduler-authentication-authorization-command-line-options} |
| 49 | + |
| 50 | +在设置身份认证配置时,应确保 kube-scheduler 的身份认证配置与 kube-apiserver 的身份认证配置保持一致。 |
| 51 | +如果任一请求缺少身份认证头, |
| 52 | +则应[通过 kube-apiserver 进行身份认证以保证集群内的所有身份认证一致](/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/#original-request-username-and-group)。 |
| 53 | + |
| 54 | +<!-- |
| 55 | +- `authentication-kubeconfig`: Make sure to provide a proper kubeconfig so that the scheduler can retrieve authentication configuration options from the API Server. This kubeconfig file should be protected with strict file permissions. |
| 56 | +- `authentication-tolerate-lookup-failure`: Set this to `false` to make sure the scheduler _always_ looks up its authentication configuration from the API server. |
| 57 | +- `authentication-skip-lookup`: Set this to `false` to make sure the scheduler _always_ looks up its authentication configuration from the API server. |
| 58 | +- `authorization-always-allow-paths`: These paths should respond with data that is appropriate for anonymous authorization. Defaults to `/healthz,/readyz,/livez`. |
| 59 | +--> |
| 60 | +- `authentication-kubeconfig`:确保提供正确的 kubeconfig 文件,使调度器能从 API 服务器获取身份认证配置选项。 |
| 61 | + 这个 kubeconfig 文件应设置严格的文件权限以确保安全。 |
| 62 | +- `authentication-tolerate-lookup-failure`:设置为 `false`,确保调度器**始终**从 API 服务器查找其身份认证配置。 |
| 63 | +- `authentication-skip-lookup`:设置为 `false`,确保调度器**始终**从 API 服务器查找其身份认证配置。 |
| 64 | +- `authorization-always-allow-paths`:这些路径应返回适用于匿名鉴权的数据。默认值为 `/healthz,/readyz,/livez`。 |
| 65 | +<!-- |
| 66 | +- `profiling`: Set to `false` to disable the profiling endpoints which are provide debugging information but which should not be enabled on production clusters as they present a risk of denial of service or information leakage. The `--profiling` argument is deprecated and can now be provided through the [KubeScheduler DebuggingConfiguration](https://kubernetes.io/docs/reference/config-api/kube-scheduler-config.v1/#DebuggingConfiguration). Profiling can be disabled through the kube-scheduler config by setting `enableProfiling` to `false`. |
| 67 | +- `requestheader-client-ca-file`: Avoid passing this argument. |
| 68 | +--> |
| 69 | +- `profiling`:设置为 `false` 以禁用性能分析端点。性能分析端点可用于调试, |
| 70 | + 但在生产环境中启用会带来拒绝服务(DoS)或信息泄露风险。`--profiling` 参数已被弃用,现在可通过 |
| 71 | + [KubeScheduler DebuggingConfiguration](/zh-cn/docs/reference/config-api/kube-scheduler-config.v1/#DebuggingConfiguration) |
| 72 | + 提供。在 kube-scheduler 配置中,将 `enableProfiling` 设置为 `false` 即可禁用性能分析。 |
| 73 | +- `requestheader-client-ca-file`:避免使用此参数。 |
| 74 | + |
| 75 | +<!-- |
| 76 | +### Scheduler networking command line options |
| 77 | +
|
| 78 | +- `bind-address`: In most cases, the kube-scheduler does not need to be externally accessible. Setting the bind address to `localhost` is a secure practice. |
| 79 | +- `permit-address-sharing`: Set this to `false` to disable connection sharing through `SO_REUSEADDR`. `SO_REUSEADDR` can lead to reuse of terminated connections that are in `TIME_WAIT` state. |
| 80 | +- `permit-port-sharing`: Default `false`. Use the default unless you are confident you understand the security implications. |
| 81 | +--> |
| 82 | +### 调度器网络命令行选项 {#scheduler-networking-command-line-options} |
| 83 | + |
| 84 | +- `bind-address`:在大多数情况下,kube-scheduler 不需要被外部访问。 |
| 85 | + 将绑定地址设置为 `localhost` 是一种安全的做法。 |
| 86 | +- `permit-address-sharing`:设置为 `false` 以禁用通过 `SO_REUSEADDR` 的连接共享。 |
| 87 | + `SO_REUSEADDR` 可能导致重复使用处于 `TIME_WAIT` 状态的已终止的连接。 |
| 88 | +- `permit-port-sharing`:默认为 `false`。除非你非常了解相关的安全影响,否则建议使用默认值。 |
| 89 | + |
| 90 | +<!-- |
| 91 | +### Scheduler TLS command line options |
| 92 | +
|
| 93 | +- `tls-cipher-suites`: Always provide a list of preferred cipher suites. This ensures encryption never happens with insecure cipher suites. |
| 94 | +--> |
| 95 | +### 调度器 TLS 命令行选项 {#scheduler-tls-command-line-options} |
| 96 | + |
| 97 | +- `tls-cipher-suites`:始终提供一组首选的加密套件。这能确保加密时绝不会使用不安全的加密套件。 |
| 98 | + |
| 99 | +<!-- |
| 100 | +## Scheduling configurations for custom schedulers |
| 101 | +
|
| 102 | +When using custom schedulers based on the Kubernetes scheduling code, cluster administrators need to be careful with |
| 103 | +plugins that use the `queueSort`, `prefilter`, `filter`, or `permit` [extension points](/docs/reference/scheduling/config/#extension-points). |
| 104 | +These extension points control various stages of a scheduling process, and the wrong configuration can impact the kube-scheduler's behavior in your cluster. |
| 105 | +--> |
| 106 | +## 自定义调度器的调度配置 {#scheduling-configurations-for-custom-schedulers} |
| 107 | + |
| 108 | +在基于 Kubernetes 调度代码使用自定义调度器时, |
| 109 | +集群管理员需谨慎使用 `queueSort`、`prefilter`、`filter` 和 `permit` |
| 110 | +[扩展点](/zh-cn/docs/reference/scheduling/config/#extension-points)。 |
| 111 | +这些扩展点控制调度过程的不同阶段,配置错误可能会影响 kube-scheduler 在集群中的行为。 |
| 112 | + |
| 113 | +<!-- |
| 114 | +### Key considerations |
| 115 | +
|
| 116 | +- Exactly one plugin that uses the `queueSort` extension point can be enabled at a time. Any plugins that use `queueSort` should be scrutinized. |
| 117 | +- Plugins that implement the `prefilter` or `filter` extension point can potentially mark all nodes as unschedulable. This can bring scheduling of new pods to a halt. |
| 118 | +- Plugins that implement the `permit` extension point can prevent or delay the binding of a Pod. Such plugins should be thoroughly reviewed by the cluster administrator. |
| 119 | +--> |
| 120 | +### 关键注意事项 {#key-considerations} |
| 121 | + |
| 122 | +- 同一时间只能启用一个使用 `queueSort` 扩展点的插件。任何使用 `queueSort` 的插件都应经过严格审查。 |
| 123 | +- 实现 `prefilter` 或 `filter` 扩展点的插件可能会将所有节点标记为不可调度。这可能导致新 Pod 无法被调度。 |
| 124 | +- 实现 `permit` 扩展点的插件可能会阻止或延迟 Pod 的绑定。此类插件应由集群管理员彻底审查。 |
| 125 | + |
| 126 | +<!-- |
| 127 | +When using a plugin that is not one of the [default plugins](/docs/reference/scheduling/config/#scheduling-plugins), consider disabling the `queueSort`, `filter` and `permit` extension points as follows: |
| 128 | +--> |
| 129 | +如果你使用的是非[默认插件](/zh-cn/docs/reference/scheduling/config/#scheduling-plugins), |
| 130 | +考虑按以下方式禁用 `queueSort`、`filter` 和 `permit` 扩展点: |
| 131 | + |
| 132 | +<!-- |
| 133 | +```yaml |
| 134 | +apiVersion: kubescheduler.config.k8s.io/v1 |
| 135 | +kind: KubeSchedulerConfiguration |
| 136 | +profiles: |
| 137 | + - schedulerName: my-scheduler |
| 138 | + plugins: |
| 139 | + # Disable specific plugins for different extension points |
| 140 | + # You can disable all plugins for an extension point using "*" |
| 141 | + queueSort: |
| 142 | + disabled: |
| 143 | + - name: "*" # Disable all queueSort plugins |
| 144 | + # - name: "PrioritySort" # Disable specific queueSort plugin |
| 145 | + filter: |
| 146 | + disabled: |
| 147 | + - name: "*" # Disable all filter plugins |
| 148 | + # - name: "NodeResourcesFit" # Disable specific filter plugin |
| 149 | + permit: |
| 150 | + disabled: |
| 151 | + - name: "*" # Disables all permit plugins |
| 152 | + # - name: "TaintToleration" # Disable specific permit plugin |
| 153 | +``` |
| 154 | +--> |
| 155 | +```yaml |
| 156 | +apiVersion: kubescheduler.config.k8s.io/v1 |
| 157 | +kind: KubeSchedulerConfiguration |
| 158 | +profiles: |
| 159 | + - schedulerName: my-scheduler |
| 160 | + plugins: |
| 161 | + # 禁用不同扩展点的特定插件 |
| 162 | + # 你可以使用 "*" 禁用某个扩展点下的所有插件 |
| 163 | + queueSort: |
| 164 | + disabled: |
| 165 | + - name: "*" # 禁用所有 queueSort 插件 |
| 166 | + # - name: "PrioritySort" # 禁用特定 queueSort 插件 |
| 167 | + filter: |
| 168 | + disabled: |
| 169 | + - name: "*" # 禁用所有 filter 插件 |
| 170 | + # - name: "NodeResourcesFit" # 禁用特定 filter 插件 |
| 171 | + permit: |
| 172 | + disabled: |
| 173 | + - name: "*" # 禁用所有 permit 插件 |
| 174 | + # - name: "TaintToleration" # 禁用特定 permit 插件 |
| 175 | +``` |
| 176 | + |
| 177 | +<!-- |
| 178 | +This creates a scheduler profile ` my-custom-scheduler`. |
| 179 | +Whenever the `.spec` of a Pod does not have a value for `.spec.schedulerName`, the kube-scheduler runs for that Pod, |
| 180 | +using its main configuration, and default plugins. |
| 181 | +If you define a Pod with `.spec.schedulerName` set to `my-custom-scheduler`, the kube-scheduler runs but with a custom configuration; in that custom configuration, |
| 182 | +the `queueSort`, `filter` and `permit` extension points are disabled. |
| 183 | +If you use this KubeSchedulerConfiguration, and don't run any custom scheduler, |
| 184 | +and you then define a Pod with `.spec.schedulerName` set to `nonexistent-scheduler` |
| 185 | +(or any other scheduler name that doesn't exist in your cluster), no events would be generated for a pod. |
| 186 | +--> |
| 187 | +这会创建一个调度器配置文件 `my-custom-scheduler`。每当 Pod 的 `.spec` 中未设置 `.spec.schedulerName` 时, |
| 188 | +kube-scheduler 会使用主要配置和默认插件运行该 Pod。如果你定义的 Pod 将 `.spec.schedulerName` 设置为 |
| 189 | +`my-custom-scheduler`,kube-scheduler 会运行但使用自定义配置;在该自定义配置中, |
| 190 | +`queueSort`、`filter` 和 `permit` 这几个扩展点被禁用。 |
| 191 | +如果你使用这个 KubeSchedulerConfiguration,但未运行任何自定义调度器, |
| 192 | +然后你定义一个 Pod,其 `.spec.schedulerName` 设置为 `nonexistent-scheduler` |
| 193 | +(或任何其他在你的集群中不存在的调度器名称),那么 Pod 将不会生成任何事件。 |
| 194 | + |
| 195 | +<!-- |
| 196 | +## Disallow labeling nodes |
| 197 | +
|
| 198 | +A cluster administrator should ensure that cluster users cannot label the nodes. |
| 199 | +A malicious actor can use `nodeSelector` to schedule workloads on nodes where those workloads should not be present. |
| 200 | +--> |
| 201 | +## 不允许为节点添加标签 {#disallow-labeling-nodes} |
| 202 | + |
| 203 | +集群管理员应确保集群用户无法为节点添加标签。 |
| 204 | +恶意行为者可能会使用 `nodeSelector` 将工作负载调度到那些本不应运行这些工作负载的节点上。 |
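Review bot: the profile name in the YAML example does not match the name the explanatory paragraph uses, so a reader who copies the configuration and then follows the text will get a Pod that no profile matches. The YAML sets `schedulerName: my-scheduler`, while the paragraph after the block says `这会创建一个调度器配置文件 `my-custom-scheduler`` and tells the reader to set `.spec.schedulerName` to `my-custom-scheduler`; either rename the profile to `my-custom-scheduler` in both the English comment block and the translated YAML, or change the prose to `my-scheduler`. The upstream English carries the same mismatch plus a stray leading space in `` ` my-custom-scheduler` ``, so it is worth a fix upstream rather than only in zh-cn. Separately, `kube-scheduler 会使用主要配置和默认插件运行该 Pod` reads as if the scheduler runs the Pod; the English `the kube-scheduler runs for that Pod` means it schedules the Pod, so a rendering such as `kube-scheduler 会使用其主配置和默认插件为该 Pod 进行调度` would be closer.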