安全性与合规性

Red Hat OpenShift Service on AWS 4

在 AWS 集群上配置安全性上下文约束

Red Hat OpenShift Documentation Team

摘要

本文档提供有关配置安全性上下文约束的说明。

第 1 章 审计日志

Red Hat OpenShift Service on AWS 审计提供一组安全相关的按时间排序的记录,记录各个用户、管理员或其他系统组件影响系统的一系列活动。

1.1. 关于 API 审计日志

审计在 API 服务器级别运作,记录所有传入到服务器的请求。每个审计日志包含以下信息:

表 1.1. 审计日志字段

字段描述

level

生成事件的审计级别。

auditID

为每个请求生成的唯一审计 ID。

stage

生成此事件实例时请求处理的阶段。

requestURI

客户端向服务器发送的请求 URI。

verb

与请求相关联的 Kubernetes 操作动词。对于非资源请求,这是小写 HTTP 方法。

user

经过身份验证的用户信息。

impersonatedUser

可选。如果请求模拟了另一个用户,则为被模拟的用户信息。

sourceIPs

可选。源 IP,请求发起的源和任何中间代理。

userAgent

可选。客户端报告的用户代理字符串。请注意,用户代理由客户端提供,且必须不可信任。

objectRef

可选。这个请求的目标对象引用。这不适用于 List 类型请求,或者非资源请求。

responseStatus

可选。响应的状态,即使 ResponseObject 不是 Status 类型也会生成。对于成功的响应,这只会包括代码。对于非状态类型错误响应,这将自动生成出错信息。

requestObject

可选。请求中的 API 对象,采用 JSON 格式。在进行 version conversion、defaulting、admission 或 merging 之前,在请求中的 RequestObject 记录(可能会被转换为 JSON 格式)。这是一个外部版本化的对象类型,可能自身并不是一个有效的对象。对于非资源请求,这会被忽略,且只在 Request 级别或更高级别中被记录。

responseObject

可选。响应中返回的 API 对象,使用 JSON 格式。在转换为外部类型后,ResponseObject 被记录,并被序列化为 JSON 数据。在非资源请求中会省略它,且仅在 Response 级别中记录。

requestReceivedTimestamp

请求到达 API 服务器的时间。

stageTimestamp

请求到达当前审计阶段的时间。

annotations

可选。一个无结构的键值映射,它存储在一个审计事件中,可以通过在请求服务链中调用的插件来设置它,包括认证、授权和准入插件。请注意,这些注解用于审计事件,且与所提交对象的 metadata.annotations 没有关联。标识信息组件的键应该是唯一的以避免名称冲突,例如 podsecuritypolicy.admission.k8s.io/policy。值应该较短。注解包含在 Metadata 级别中。

Kubernetes API 服务器的输出示例: 

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ad209ce1-fec7-4130-8192-c4cc63f1d8cd","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-controller-manager/configmaps/cert-recovery-controller-lock?timeout=35s","verb":"update","user":{"username":"system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client","uid":"dd4997e3-d565-4e37-80f8-7fc122ccd785","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-controller-manager","system:authenticated"]},"sourceIPs":["::1"],"userAgent":"cluster-kube-controller-manager-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"openshift-kube-controller-manager","name":"cert-recovery-controller-lock","uid":"5c57190b-6993-425d-8101-8337e48c7548","apiVersion":"v1","resourceVersion":"574307"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-04-02T08:27:20.200962Z","stageTimestamp":"2020-04-02T08:27:20.206710Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:kube-controller-manager-recovery\" of ClusterRole \"cluster-admin\" to ServiceAccount \"localhost-recovery-client/openshift-kube-controller-manager\""}}

1.2. 收集审计日志

您可以使用 must-gather 工具来收集审计日志以调试集群,您可以检查或发送到红帽支持。

流程

  1. 使用 -- /usr/bin/gather_audit_logs 运行 oc adm must-gather 命令: 

    $ oc adm must-gather -- /usr/bin/gather_audit_logs

  2. 从工作目录中刚刚创建的 must-gather 目录创建一个压缩文件。例如,在使用 Linux 操作系统的计算机上运行以下命令: 

    $ tar cvaf must-gather.tar.gz must-gather.local.472290403699006248 1
    1
    must-gather-local.472290403699006248 替换为实际目录名称。
  3. 红帽客户门户中为您的问题单附上压缩文件。

法律通告

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.