Merge pull request #33216 from my-git9/examplesecurity

k8s-ci-robot · web-flow · commit cdabbdab460c · 2022-04-26T19:40:10.000-07:00
[zh] Sync security/*.sh
diff --git a/content/zh/examples/security/kind-with-cluster-level-baseline-pod-security.sh b/content/zh/examples/security/kind-with-cluster-level-baseline-pod-security.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+mkdir -p /tmp/pss
+cat <<EOF > /tmp/pss/cluster-level-pss.yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+  configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1beta1
+    kind: PodSecurityConfiguration
+    defaults:
+      enforce: "baseline"
+      enforce-version: "latest"
+      audit: "restricted"
+      audit-version: "latest"
+      warn: "restricted"
+      warn-version: "latest"
+    exemptions:
+      usernames: []
+      runtimeClasses: []
+      namespaces: [kube-system]
+EOF
+cat <<EOF > /tmp/pss/cluster-config.yaml
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+        extraArgs:
+          admission-control-config-file: /etc/config/cluster-level-pss.yaml
+        extraVolumes:
+          - name: accf
+            hostPath: /etc/config
+            mountPath: /etc/config
+            readOnly: false
+            pathType: "DirectoryOrCreate"
+  extraMounts:
+  - hostPath: /tmp/pss
+    containerPath: /etc/config
+    # optional: if set, the mount is read-only.
+    # default false
+    readOnly: false
+    # optional: if set, the mount needs SELinux relabeling.
+    # default false
+    selinuxRelabel: false
+    # optional: set propagation mode (None, HostToContainer or Bidirectional)
+    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
+    # default None
+    propagation: None
+EOF
+kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.23.0 --config /tmp/pss/cluster-config.yaml
+kubectl cluster-info --context kind-psa-with-cluster-pss
+# 等待 15 秒（任意）ServiceAccount 准入控制器可用
+sleep 15
+cat <<EOF > /tmp/pss/nginx-pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+    - image: nginx
+      name: nginx
+      ports:
+        - containerPort: 80
+EOF
+kubectl apply -f /tmp/pss/nginx-pod.yaml
diff --git a/content/zh/examples/security/kind-with-namespace-level-baseline-pod-security.sh b/content/zh/examples/security/kind-with-namespace-level-baseline-pod-security.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+# 直到 v1.23 发布，kind 节点镜像需要从 k/k master 分支构建
+# 参考：https://kind.sigs.k8s.io/docs/user/quick-start/#building-images
+kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
+kubectl cluster-info --context kind-psa-ns-level
+# 等待 15 秒（任意）ServiceAccount 准入控制器可用
+sleep 15
+kubectl create ns example
+kubectl label --overwrite ns example \
+  pod-security.kubernetes.io/enforce=baseline \
+  pod-security.kubernetes.io/enforce-version=latest \
+  pod-security.kubernetes.io/warn=restricted \
+  pod-security.kubernetes.io/warn-version=latest \
+  pod-security.kubernetes.io/audit=restricted \
+  pod-security.kubernetes.io/audit-version=latest
+cat <<EOF > /tmp/pss/nginx-pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+    - image: nginx
+      name: nginx
+      ports:
+        - containerPort: 80
+EOF
+kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
