【发布时间】:2021-11-23 08:56:45
【问题描述】:
我正在使用 Google Cloud Build 来 CI/CD 我的应用程序,它依赖于多个 cronjobs。我构建的第一步是这样的:
# validate k8s manifests
- id: validate-k8s
name: quay.io/fairwinds/polaris:1.2.1
entrypoint: polaris
args:
- audit
- --audit-path
- ./devops/k8s/cronjobs/worker-foo.yaml
- --set-exit-code-on-danger
- --set-exit-code-below-score
- "87"
我使用Polaris 来执行最佳安全实践。对于每个 cronjob,我都有一个部署清单,如下所示:
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: worker-foo
namespace: foo
spec:
schedule: "30 1-5,20-23 * * *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
backoffLimit: 3
template:
spec:
hostIPC: false
hostPID: false
hostNetwork: false
volumes:
- name: foo-sa
secret:
secretName: foo-sa
- name: foo-secrets
secret:
secretName: foo-secrets
- name: tmp-pod
emptyDir: {}
restartPolicy: OnFailure
containers:
- name: worker-foo
image: gcr.io/bar/foo:latest
imagePullPolicy: "Always"
resources:
requests:
memory: "512M"
cpu: "50m"
limits:
memory: "6000M"
cpu: "500m"
volumeMounts:
- name: foo-sa
mountPath: /var/secrets/foo-sa
- mountPath: /tmp/pod
name: tmp-pod
command: ["/bin/bash", "-c"]
args:
- |
timeout --kill-after=10500 10500 python foo/foo/foo.py --prod;
我发现heremanifest文件中HostIPC参数的层次结构是“spec.jobTemplate.spec.template.spec.HostIPC”,但似乎不符合Polaris验证:
Step #0 - "validate-k8s": "Results": [
Step #0 - "validate-k8s": {
Step #0 - "validate-k8s": "Name": "worker-foo",
Step #0 - "validate-k8s": "Namespace": "foo",
Step #0 - "validate-k8s": "Kind": "CronJob",
Step #0 - "validate-k8s": "Results": {},
Step #0 - "validate-k8s": "PodResult": {
Step #0 - "validate-k8s": "Name": "",
Step #0 - "validate-k8s": "Results": {
Step #0 - "validate-k8s": "hostIPCSet": {
Step #0 - "validate-k8s": "ID": "hostIPCSet",
Step #0 - "validate-k8s": "Message": "Host IPC is not configured",
Step #0 - "validate-k8s": "Success": true,
Step #0 - "validate-k8s": "Severity": "danger",
Step #0 - "validate-k8s": "Category": "Security"
Step #0 - "validate-k8s": },
Step #0 - "validate-k8s": "hostNetworkSet": {
Step #0 - "validate-k8s": "ID": "hostNetworkSet",
Step #0 - "validate-k8s": "Message": "Host network is not configured",
Step #0 - "validate-k8s": "Success": true,
Step #0 - "validate-k8s": "Severity": "warning",
Step #0 - "validate-k8s": "Category": "Networking"
Step #0 - "validate-k8s": },
Step #0 - "validate-k8s": "hostPIDSet": {
Step #0 - "validate-k8s": "ID": "hostPIDSet",
Step #0 - "validate-k8s": "Message": "Host PID is not configured",
Step #0 - "validate-k8s": "Success": true,
Step #0 - "validate-k8s": "Severity": "danger",
Step #0 - "validate-k8s": "Category": "Security"
Step #0 - "validate-k8s": }
Step #0 - "validate-k8s": },
我在这里缺少什么?我应该如何声明 HostIPC 和 HostPID 参数以满足 Polaris 验证?
【问题讨论】:
标签: docker kubernetes google-cloud-platform