红帽全球峰会7.8. 高级安全配置集 Operator 任务
使用高级任务来启用指标、配置 Webhook 或限制系统调用。
7.8.1. 限制 seccomp 配置集中允许的 syscalls
默认情况下,Security Profiles Operator 不限制 seccomp 配置集中的 syscalls。您可以在 spod 配置中定义允许的 syscalls 列表。
流程
要定义
allowedSyscalls列表,请运行以下命令来调整spec参数:oc -n openshift-security-profiles patch spod spod --type merge \ -p '{"spec":{"allowedSyscalls": ["exit", "exit_group", "futex", "nanosleep"]}}'$ oc -n openshift-security-profiles patch spod spod --type merge \ -p '{"spec":{"allowedSyscalls": ["exit", "exit_group", "futex", "nanosleep"]}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Operator 将仅安装 seccomp 配置集,该配置集在允许列表中定义了 syscalls 的子集。所有不符合这个规则集的配置集都会被拒绝。
当在 spod 配置中修改了允许的 syscalls 列表时,Operator 将识别已安装的不合规的配置集,并自动删除它们。
7.8.2. 容器运行时的基本系统调用
您可以使用 baseProfileName 属性为给定运行时指定最少需要 syscalls 来启动一个容器。
流程
编辑
SeccompProfilekind 对象,并将baseProfileName: runc-v1.0.0添加到spec字段中:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.3. 在 spod 守护进程中启用内存优化
在 spod 守护进程内运行的控制器会在启用配置集记录时监视集群中的所有 pod。这会导致大型集群中的内存用量很高,从而导致 spod 守护进程内存不足或崩溃。
为防止崩溃,spod 守护进程只能配置为仅加载标记为配置集记录的 pod。
默认情况下不启用 SPO 内存优化。
流程
运行以下命令来启用内存优化:
oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableMemoryOptimization":true}}'$ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableMemoryOptimization":true}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 要记录 pod 的安全配置集,pod 必须使用
spo.x-k8s.io/enable-recording: "true"标记:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.4. 自定义守护进程资源要求
可以使用 spod 配置中的字段 daemonResourceRequirements 来调整守护进程容器的默认资源要求。
流程
要指定守护进程容器的内存和 cpu 请求和限值,请运行以下命令:
oc -n openshift-security-profiles patch spod spod --type merge -p \ '{"spec":{"daemonResourceRequirements": { \ "requests": {"memory": "256Mi", "cpu": "250m"}, \ "limits": {"memory": "512Mi", "cpu": "500m"}}}}'$ oc -n openshift-security-profiles patch spod spod --type merge -p \ '{"spec":{"daemonResourceRequirements": { \ "requests": {"memory": "256Mi", "cpu": "250m"}, \ "limits": {"memory": "512Mi", "cpu": "500m"}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.5. 为 spod 守护进程 pod 设置自定义优先级类名称
spod 守护进程 pod 的默认优先级类名称设置为 system-node-critical。通过在 priorityClassName 字段中设置值,可以在 spod 配置中配置自定义优先级类名称。
流程
运行以下命令来配置优先级类名称:
oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"priorityClassName":"my-priority-class"}}'$ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"priorityClassName":"my-priority-class"}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
securityprofilesoperatordaemon.openshift-security-profiles.x-k8s.io/spod patched
securityprofilesoperatordaemon.openshift-security-profiles.x-k8s.io/spod patchedCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.6. 使用指标
openshift-security-profiles 命名空间提供指标端点,这些端点由 kube-rbac-proxy 容器进行保护。所有指标都由 openshift-security-profiles 命名空间中的 metrics 服务公开。
Security Profiles Operator 包含一个集群角色和对应的绑定 spo-metrics-client,用于从集群中检索指标。有两个指标路径可用:
-
metrics.openshift-security-profiles/metrics: 用于控制器运行时指标 -
metrics.openshift-security-profiles/metrics-spod: 用于 Operator 守护进程指标
流程
要查看 metrics 服务的状态,请运行以下命令:
oc get svc/metrics -n openshift-security-profiles
$ oc get svc/metrics -n openshift-security-profilesCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE metrics ClusterIP 10.0.0.228 <none> 443/TCP 43s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE metrics ClusterIP 10.0.0.228 <none> 443/TCP 43sCopy to Clipboard Copied! Toggle word wrap Toggle overflow 要检索指标,请运行以下命令使用
openshift-security-profiles命名空间中的默认ServiceAccount令牌查询服务端点:oc run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest \ -n openshift-security-profiles metrics-test -- bash -c \ 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.openshift-security-profiles/metrics-spod'$ oc run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest \ -n openshift-security-profiles metrics-test -- bash -c \ 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.openshift-security-profiles/metrics-spod'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
HELP security_profiles_operator_seccomp_profile_total Counter about seccomp profile operations. TYPE security_profiles_operator_seccomp_profile_total counter
# HELP security_profiles_operator_seccomp_profile_total Counter about seccomp profile operations. # TYPE security_profiles_operator_seccomp_profile_total counter security_profiles_operator_seccomp_profile_total{operation="delete"} 1 security_profiles_operator_seccomp_profile_total{operation="update"} 2Copy to Clipboard Copied! Toggle word wrap Toggle overflow 要从不同的命名空间中检索指标,请运行以下命令将
ServiceAccount链接到spo-metrics-clientClusterRoleBinding:oc get clusterrolebinding spo-metrics-client -o wide
$ oc get clusterrolebinding spo-metrics-client -o wideCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS spo-metrics-client ClusterRole/spo-metrics-client 35m openshift-security-profiles/default
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS spo-metrics-client ClusterRole/spo-metrics-client 35m openshift-security-profiles/defaultCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.6.1. controller-runtime 指标
controller-runtime metrics 和 DaemonSet 端点 metrics-spod 提供了一组默认的指标。守护进程提供了其他指标,该指标始终以 security_profiles_operator_ 前缀。
| 指标键 | 可能的标签 | 类型 | 用途 |
|---|---|---|---|
|
|
| 计数 | seccomp 配置集操作的数量。 |
|
|
| 计数 | seccomp 配置集审计操作的数量。需要启用日志增强。 |
|
|
| 计数 | seccomp 配置集 bpf 操作的数量。需要启用 bpf 记录器。 |
|
|
| 计数 | seccomp 配置集数量。 |
|
|
| 计数 | SELinux 配置集操作的数量。 |
|
|
| 计数 | SELinux 配置集审核操作的数量。需要启用日志增强。 |
|
|
| 计数 | SELinux 配置集的数量错误。 |
7.8.7. 使用日志增强
Security Profiles Operator 包含一个日志功能,它默认是禁用的。日志增强容器以 privileged 权限运行,以便从本地节点读取审计日志。日志增强在主机 PID 命名空间 hostPID 中运行。
日志增强必须具有读取主机进程的权限。
流程
运行以下命令修补
spod配置以启用日志增强:oc -n openshift-security-profiles patch spod spod \ --type=merge -p '{"spec":{"enableLogEnricher":true}}'$ oc -n openshift-security-profiles patch spod spod \ --type=merge -p '{"spec":{"enableLogEnricher":true}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
securityprofilesoperatordaemon.security-profiles-operator.x-k8s.io/spod patched
securityprofilesoperatordaemon.security-profiles-operator.x-k8s.io/spod patchedCopy to Clipboard Copied! Toggle word wrap Toggle overflow 注意Security Profiles Operator 将自动重新部署
spod守护进程集。运行以下命令来查看审计日志:
oc -n openshift-security-profiles logs -f ds/spod log-enricher
$ oc -n openshift-security-profiles logs -f ds/spod log-enricherCopy to Clipboard Copied! Toggle word wrap Toggle overflow 输出示例
I0623 12:51:04.257814 1854764 deleg.go:130] setup "msg"="starting component: log-enricher" "buildDate"="1980-01-01T00:00:00Z" "compiler"="gc" "gitCommit"="unknown" "gitTreeState"="clean" "goVersion"="go1.16.2" "platform"="linux/amd64" "version"="0.4.0-dev" I0623 12:51:04.257890 1854764 enricher.go:44] log-enricher "msg"="Starting log-enricher on node: 127.0.0.1" I0623 12:51:04.257898 1854764 enricher.go:46] log-enricher "msg"="Connecting to local GRPC server" I0623 12:51:04.258061 1854764 enricher.go:69] log-enricher "msg"="Reading from file /var/log/audit/audit.log" 2021/06/23 12:51:04 Seeked /var/log/audit/audit.log - &{Offset:0 Whence:2}I0623 12:51:04.257814 1854764 deleg.go:130] setup "msg"="starting component: log-enricher" "buildDate"="1980-01-01T00:00:00Z" "compiler"="gc" "gitCommit"="unknown" "gitTreeState"="clean" "goVersion"="go1.16.2" "platform"="linux/amd64" "version"="0.4.0-dev" I0623 12:51:04.257890 1854764 enricher.go:44] log-enricher "msg"="Starting log-enricher on node: 127.0.0.1" I0623 12:51:04.257898 1854764 enricher.go:46] log-enricher "msg"="Connecting to local GRPC server" I0623 12:51:04.258061 1854764 enricher.go:69] log-enricher "msg"="Reading from file /var/log/audit/audit.log" 2021/06/23 12:51:04 Seeked /var/log/audit/audit.log - &{Offset:0 Whence:2}Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.7.1. 使用日志功能跟踪应用程序
您可以使用 Security Profiles Operator 日志增强来跟踪应用程序。
流程
要跟踪应用程序,请创建一个
SeccompProfile日志记录配置集:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 创建 pod 对象以使用配置集:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令检查日志增强的输出:
oc -n openshift-security-profiles logs -f ds/spod log-enricher
$ oc -n openshift-security-profiles logs -f ds/spod log-enricherCopy to Clipboard Copied! Toggle word wrap Toggle overflow 例 7.1. 输出示例
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.8.8. 配置 Webhook
配置集绑定和配置集记录对象可以使用 Webhook。配置集绑定和记录对象配置是 MutatingWebhookConfiguration CR,由 Security Profiles Operator 管理。
要更改 webhook 配置,spod CR 会公开一个 webhookOptions 字段,允许修改 failurePolicy、namespaceSelector 和 objectSelector 变量。这可让您将 webhook 设置为 "soft-fail",或将它们限制为命名空间的子集,以便即使 Webhook 失败,其他命名空间或资源不受影响。
流程
通过创建以下补丁文件,将
record.spo.ioWebhook 配置设置为仅记录带有spo-record=true标签的 pod:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令来修补
spod/spod实例:oc -n openshift-security-profiles patch spod \ spod -p $(cat /tmp/spod-wh.patch) --type=merge$ oc -n openshift-security-profiles patch spod \ spod -p $(cat /tmp/spod-wh.patch) --type=mergeCopy to Clipboard Copied! Toggle word wrap Toggle overflow 要查看生成的
MutatingWebhookConfiguration对象,请运行以下命令:oc get MutatingWebhookConfiguration \ spo-mutating-webhook-configuration -oyaml$ oc get MutatingWebhookConfiguration \ spo-mutating-webhook-configuration -oyamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}