Policy Management

Last updated: 2024-05-06 15:43:02

    Overview

    Native Kubernetes has a cascading deletion mechanism: deleting one resource automatically deletes the resources that depend on it. Deleting a Namespace, for example, deletes every Pod, Service, ConfigMap and other object in that namespace, which can take a workload down if the deletion was unintended.
    Tencent Kubernetes Engine (TKE) adds a Policy Management module that uses system-preset policies to reject such deletions and prevent outages caused by accidental deletion.

    Policy description

    Policy categories

    Cluster deletion protection: a cluster that still contains nodes cannot be deleted.
    In-cluster resource deletion protection: a resource inside a TKE cluster cannot be deleted while other resources still depend on it.

    Supported scope

    Cluster deletion protection: supported for TKE standard clusters and TKE Serverless clusters of all versions; not yet supported for registered clusters or edge clusters.
    In-cluster resource deletion protection: currently supported for TKE standard clusters and TKE Serverless clusters running Kubernetes 1.16 or later; not yet supported for registered clusters or edge clusters.

    Policy types

    Baseline policy: always enabled and cannot be disabled.
    Preferred policy: enabled by default; can be disabled by the user.
    Optional policy: disabled by default; can be enabled by the user.

    Policy library

    TKE policies

    | Type | Policy name | Policy description | Policy type |
    |---|---|---|---|
    | Cluster policy | A cluster that still contains nodes cannot be deleted. | If the cluster contains regular nodes, native nodes or registered nodes, remove those nodes first, then delete the cluster. | Baseline policy |
    | Namespace policy | A namespace that still contains workloads, services and routes, or storage objects cannot be deleted. | If the namespace contains Pods, Services, Ingresses or PVCs, delete those resources first, then delete the Namespace. | Preferred policy |
    | Configuration policy | A CRD that still has associated CR resources cannot be deleted. | The CRD defines CR resources; delete the CRs first, then delete the CRD. | Preferred policy |
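The following pre-flight check is an added example, not TKE's implementation of the three policies above. It asks the cluster for exactly the object kinds those policies look at (nodes; Pods, Services, Ingresses and PVCs in a namespace; CRs of a CRD), so you can see what a delete request would be rejected for before you issue it, and it gives registered and edge clusters, which the policies do not cover, an equivalent manual check. It assumes kubectl is configured for the target cluster; the CRD name widgets.example.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Pre-delete check mirroring the TKE cluster, namespace and CRD
# delete-protection policies. Added example; not TKE's own code.

# blockers ARGS... : runs "kubectl get ARGS -o name" and prints the
# objects found, one "kind/name" per line.
# Returns 1 if anything is listed (the delete would be rejected),
# 0 if nothing is listed, and 2 if kubectl itself failed. A failed
# query must never read as "safe to delete", so stderr is not hidden.
blockers() {
  objs=$(kubectl get "$@" -o name) || return 2
  [ -z "$objs" ] && return 0
  printf '%s\n' "$objs"
  return 1
}

# Cluster policy: any node (regular, native or registered) blocks deletion.
cluster_delete_blockers() {
  blockers nodes
}

# Namespace policy: the policy checks Pods, Services, Ingresses and PVCs.
# Workloads are covered through their Pods. ConfigMaps and Secrets are not
# in the list the policy checks and would still be cascade-deleted.
ns_delete_blockers() {
  blockers pods,services,ingresses,persistentvolumeclaims -n "$1"
}

# CRD policy: any CR of the definition, in any namespace, blocks deletion.
# The CRD name (plural.group) is itself a valid resource type for kubectl.
crd_delete_blockers() {
  blockers "$1" --all-namespaces
}

# Usage (placeholder names), kept as comments so the file can be sourced:
#   cluster_delete_blockers || echo "cluster still has nodes"
#   ns_delete_blockers prod || echo "namespace prod is not empty"
#   crd_delete_blockers widgets.example.com || echo "CRs still exist"
```

Exit status 2 is deliberately distinct from "blocked": if the kubeconfig points at the wrong cluster or RBAC denies the list, the script refuses to answer rather than reporting an empty namespace.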

    OPA standard library policies

    These policies are the Gatekeeper constraint templates from the OPA standard library. The Pod Security Policy group evaluates the Pod spec directly, so it does not depend on the PodSecurityPolicy API that Kubernetes removed in 1.25.

    | Type | Policy name | Policy description | Policy type |
    |---|---|---|---|
    | General | k8sallowedrepos | Requires container images to begin with a string from the specified list. | Optional policy |
    | General | k8spspautomountserviceaccounttokenpod | Controls the ability of any Pod to enable automountServiceAccountToken. | Optional policy |
    | General | k8sblockendpointeditdefaultrole | Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. | Optional policy |
    | General | k8sblockloadbalancer | Disallows all Services with type LoadBalancer. | Optional policy |
    | General | k8sblocknodeport | Disallows all Services with type NodePort. | Optional policy |
    | General | k8sblockwildcardingress | Users should not be able to create Ingresses with a blank or wildcard (*) hostname since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services. | Optional policy |
    | General | k8scontainerlimits | Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. | Optional policy |
    | General | k8scontainerrequests | Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values. | Optional policy |
    | General | k8scontainerratios | Sets a maximum ratio for container resource limits to requests. | Optional policy |
    | General | k8srequiredresources | Requires containers to have defined resources set. | Optional policy |
    | General | k8sdisallowanonymous | Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group. | Optional policy |
    | General | k8sdisallowedtags | Requires container images to have an image tag different from the ones in the specified list. | Optional policy |
    | General | k8sexternalips | Restricts Service externalIPs to an allowed list of IP addresses. | Optional policy |
    | General | k8simagedigests | Requires container images to contain a digest. | Optional policy |
    | General | noupdateserviceaccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | Optional policy |
    | General | k8sreplicalimits | Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. | Optional policy |
    | General | k8srequiredannotations | Requires resources to contain specified annotations, with values matching provided regular expressions. | Optional policy |
    | General | k8srequiredlabels | Requires resources to contain specified labels, with values matching provided regular expressions. | Optional policy |
    | General | k8srequiredprobes | Requires Pods to have readiness and/or liveness probes. | Optional policy |
    | Pod Security Policy | k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspapparmor | Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspcapabilities | Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspflexvolumes | Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspforbiddensysctls | Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden. | Optional policy |
    | Pod Security Policy | k8spspfsgroup | Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spsphostfilesystem | Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spsphostnamespace | Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spsphostnetworkingports | Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspprivilegedcontainer | Controls the ability of any container to enable privileged mode. | Optional policy |
    | Pod Security Policy | k8spspprocmount | Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspreadonlyrootfilesystem | Requires the use of a read-only root file system by pod containers. | Optional policy |
    | Pod Security Policy | k8spspseccomp | Controls the seccomp profile used by containers. | Optional policy |
    | Pod Security Policy | k8spspselinuxv2 | Defines an allow-list of seLinuxOptions configurations for pod containers. | Optional policy |
    | Pod Security Policy | k8spspallowedusers | Controls the user and group IDs of the container and some volumes. | Optional policy |
    | Pod Security Policy | k8spspvolumetypes | Restricts mountable volume types to those specified by the user. | Optional policy |
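The table describes each template in one line, which hides how the image policies actually match. The example below is added here and is not TKE's or the Gatekeeper project's code: it reproduces the test that k8sallowedrepos applies (a plain prefix match on the image string) and a stricter form of the k8simagedigests test, so images can be checked locally before a manifest reaches the admission webhook, and it renders the upstream Gatekeeper Constraint form of k8sallowedrepos for clusters where you run Gatekeeper yourself rather than through the TKE console. The registry prefix ccr.ccs.tencentyun.com/ is assumed as a sample value. The practitioner's caveat it demonstrates: because the match is a prefix, an allowed repository written without a trailing "/" also admits look-alike registries.

```shell
#!/bin/sh
# Local mirror of two optional policies from the table above.
# Added example; not the TKE or Gatekeeper implementation.

# image_allowed IMAGE REPO... -> 0 if IMAGE starts with any REPO.
# This is the same test the k8sallowedrepos template applies
# (startswith on the whole image reference), so list repositories
# with a trailing "/" or a look-alike host such as
# registry.example.com.attacker.example/ passes as well.
image_allowed() {
  image="$1"; shift
  for repo in "$@"; do
    case "$image" in
      "$repo"*) return 0 ;;
    esac
  done
  return 1
}

# image_pinned IMAGE -> 0 if the reference ends in a sha256 digest.
# Stricter than the k8simagedigests template, which accepts any
# digest algorithm; tags alone ("app:1.2") do not pass.
image_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# render_allowed_repos_constraint NAME NAMESPACE REPO...
# Prints a K8sAllowedRepos Constraint (constraints.gatekeeper.sh/v1beta1)
# that applies to Pods in one namespace. Pipe it to "kubectl apply -f -".
render_allowed_repos_constraint() {
  name="$1"; ns="$2"; shift 2
  printf 'apiVersion: constraints.gatekeeper.sh/v1beta1\n'
  printf 'kind: K8sAllowedRepos\n'
  printf 'metadata:\n  name: %s\n' "$name"
  printf 'spec:\n  match:\n    kinds:\n'
  printf '      - apiGroups: [""]\n        kinds: ["Pod"]\n'
  printf '    namespaces: ["%s"]\n' "$ns"
  printf '  parameters:\n    repos:\n'
  for repo in "$@"; do
    printf '      - "%s"\n' "$repo"
  done
}

# Usage, kept as comments so the file can be sourced:
#   image_allowed ccr.ccs.tencentyun.com/team/app:1.2 ccr.ccs.tencentyun.com/
#   render_allowed_repos_constraint allowed-repos prod ccr.ccs.tencentyun.com/ \
#     | kubectl apply -f -
```

Run image_allowed over every image in a manifest (initContainers and ephemeralContainers included, since the template checks those too) with the same repos list you put in the Constraint, and the local result matches what the webhook will decide.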

    Operations

    Enabling or disabling a policy

    1. Log in to the TKE console and select Cluster in the left navigation bar.
    2. On the cluster management page, click the ID of the target cluster to open its basic information page.
    3. Select Policy Management in the left navigation, choose a policy on the policy management page and click Enable or Disable. Disabling a policy asks for a second confirmation; enabling does not. See the figure below.

    Verifying that a policy takes effect

    Using the cluster deletion policy as an example, create a TKE standard cluster and verify that a delete request is rejected while the cluster still has nodes.
    1. Create a TKE standard cluster that has nodes; for detailed steps see Creating a Cluster.
    2. Send a delete request, either from the console or through the cloud API.

    Deleting from the console
    1. Delete the cluster; for detailed steps see Deleting a Cluster.
    2. The dialog states that the nodes must be removed before the cluster can be deleted. See the figure below.

    Deleting through the cloud API
    1. Call the cloud API to delete the cluster; for the calling method see the API document for deleting a cluster.
    2. The delete-cluster API call fails, and the returned error message lists the nodes that still exist in the cluster. See the figure below.
    3. On the policy management page, click the number in the Associated Events column to view the details of the intercepted event. See the figure below.