3.4.20. securityContext options

Note

The following examples are all at the container level; the same settings can also be applied at the pod level through the 「pod.spec.securityContext」 attribute.

Running a container as a specific user

apiVersion: v1
kind: Pod
metadata:
  name: pod-as-user-guest 
spec:
  containers: 
  - name: main
    image: alpine
    command: ["/bin/sleep", "999999"]
    securityContext:
      runAsUser: 405

Usage:

$ kubectl exec pod-as-user-guest id
uid=405(guest) gid=100(users)

Preventing a container from running as root

apiVersion: v1
kind: Pod
metadata:
  name: pod-run-as-non-root
spec:
  containers: 
  - name: main
    image: alpine
    command: ["/bin/sleep", "999999"]
    securityContext:
      runAsNonRoot: true

If the image would run as root, the container fails to start with an error:

$ kubectl get po pod-run-as-non-root
NAME                    READY     STATUS
pod-run-as-non-root     0/1       container has runAsNonRoot and image will run as root

Running pods in privileged mode

apiVersion: v1
kind: Pod
metadata:
  name: pod-privileged 
spec:
  containers: 
    - name: main
      image: alpine
      command: ["/bin/sleep", "999999"]
      securityContext:
        privileged: true

List of available devices in a non-privileged pod:

$ kubectl exec -it pod-with-defaults ls /dev
core    null   fd      ptmx
full     pts    fuse     random
mqueue   shm    stderr    urandom
stdin    zero   stdout    termination-log
tty

List of available devices in a privileged pod:

$ kubectl exec -it pod-privileged ls /dev
autofs              snd                 tty46
bsg                 sr0                 tty47
btrfs-control     stderr    core    stdin
cpu     stdout    cpu_dma_latency     termination-log
fd    tty   full  tty0    fuse    tty1    hpet
tty10     hwrng     tty11     tty48     tty49
tty5    tty50     tty51     tty52     tty53
tty54 tty55 ...

Note

Conclusion: with the privileged option enabled, the container can use many special files under /dev, for example to control LEDs from a Pod running on a Raspberry Pi.

Adding individual kernel capabilities to a container

apiVersion: v1
kind: Pod
metadata:
  name: pod-add-settime-capability 
spec:
  containers: 
  - name: main
    image: alpine
    command: ["/bin/sleep", "999999"]
    securityContext:
      capabilities:
        add:
        - SYS_TIME

By default the system time cannot be changed:

$ kubectl exec -it pod-with-defaults -- date +%T -s "12:00:00"
date: can not set date: Operation not permitted

After adding the 「SYS_TIME」 capability it works:

$ kubectl exec -it pod-add-settime-capability -- date +%T -s "12:00:00"
12:00:00

Dropping capabilities from a container

apiVersion: v1
kind: Pod
metadata:
  name: pod-drop-chown-capability 
spec:
  containers: 
  - name: main
    image: alpine
    command: ["/bin/sleep", "999999"]
    securityContext:
      capabilities:
        drop:
          - CHOWN

By default the container is allowed to change file ownership:

$ kubectl exec pod-with-defaults chown guest /tmp
$ kubectl exec pod-with-defaults -- ls -la / | grep tmp
drwxrwxrwt 2 guest root 6 May 25 15:18 tmp

After dropping the 「CHOWN」 capability it is no longer permitted:

$ kubectl exec pod-drop-chown-capability chown guest /tmp
chown: /tmp: Operation not permitted

Preventing processes from writing to the container’s filesystem

apiVersion: v1
kind: Pod
metadata:
  name: pod-with-readonly-filesystem
spec: 
  containers: 
  - name: main
    image: alpine
    command: ["/bin/sleep", "999999"]
    securityContext:
      readOnlyRootFilesystem: true 
    volumeMounts:
    - name: my-volume
      mountPath: /volume
      readOnly: false
  volumes:
  - name: my-volume
    emptyDir: {}

After setting 「readOnlyRootFilesystem」:

$ kubectl exec -it pod-with-readonly-filesystem touch /new-file
touch: /new-file: Read-only file system

But files can still be created inside the mounted volume directory:

$ kubectl exec -it pod-with-readonly-filesystem touch /volume/newfile
$ kubectl exec -it pod-with-readonly-filesystem -- ls -la /volume/newfile
-rw-r--r-- 1 root root 0 May 7 19:11 /mountedVolume/newfile
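As an added example (not part of this page or of Kubernetes itself), the Python script below audits Pod manifests for the settings covered in these sections: privileged mode, running as root, added and dropped capabilities, and a read-only root filesystem. It also implements the merge rule from the note at the top: pod.spec.securityContext applies to every container, and any field a container sets itself takes precedence. Manifests are plain dicts (the structure PyYAML would produce from the YAML above) so the script runs without dependencies; the SENSITIVE_CAPS list, the make_pod helper and the pod-hardened manifest are this example's own assumptions.

```python
"""Added example: audit Pod manifests for the securityContext settings shown above.

Manifests are represented as plain dicts (what PyYAML would return for the YAML
on this page) so the script runs offline without extra dependencies.
"""
from typing import Any, Dict, List, Optional

# Capabilities whose addition widens the kernel attack surface markedly.
# Assumed list for this example; it is not an official Kubernetes set.
SENSITIVE_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_TIME",
                  "NET_ADMIN", "DAC_READ_SEARCH"}


def effective_security_context(pod_spec: Dict[str, Any],
                               container: Dict[str, Any]) -> Dict[str, Any]:
    """Merge pod.spec.securityContext with the container's own securityContext.

    Kubernetes applies the pod-level context to every container, but any field
    the container sets itself (e.g. runAsUser, runAsNonRoot) takes precedence.
    """
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting, or an empty list if the pod is hardened."""
    findings: List[str] = []
    spec = manifest["spec"]
    for container in spec.get("containers", []):
        name = container["name"]
        sc = effective_security_context(spec, container)
        caps = sc.get("capabilities") or {}

        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (host /dev and kernel interfaces exposed)")
        # Without runAsNonRoot, an image that defaults to uid 0 will run as root.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        for cap in caps.get("add") or []:
            if cap in SENSITIVE_CAPS:
                findings.append(f"{name}: adds sensitive capability {cap}")
        # Dropping ALL and adding back only what is needed is the usual baseline.
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: does not drop ALL capabilities")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
    return findings


def make_pod(name: str,
             container_sc: Optional[Dict[str, Any]] = None,
             pod_sc: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build a minimal Pod manifest like the ones on this page (constructed input)."""
    spec: Dict[str, Any] = {"containers": [{"name": "main", "image": "alpine",
                                             "command": ["/bin/sleep", "999999"],
                                             "securityContext": container_sc or {}}]}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Pods mirroring the page's examples plus one hardened pod (all constructed here).
POD_WITH_DEFAULTS = make_pod("pod-with-defaults")
POD_PRIVILEGED = make_pod("pod-privileged", {"privileged": True})
POD_ADD_SETTIME = make_pod("pod-add-settime-capability",
                           {"capabilities": {"add": ["SYS_TIME"]}})
POD_HARDENED = make_pod("pod-hardened", {
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]},
})
# Pod-level runAsUser applied to a container that sets nothing itself.
POD_LEVEL_USER = make_pod("pod-as-user-guest", pod_sc={"runAsUser": 405})

if __name__ == "__main__":
    for pod in (POD_WITH_DEFAULTS, POD_PRIVILEGED, POD_ADD_SETTIME, POD_HARDENED):
        print(pod["metadata"]["name"])
        for line in audit_pod(pod) or ["no findings"]:
            print("  " + line)
```

Run it directly to see the findings for each constructed pod; the hardened pod reports none, while pod-with-defaults reports that it may run as root, drops no capabilities and has a writable root filesystem. Feed it parsed manifests from your own cluster (for example `yaml.safe_load` over `kubectl get pod -o yaml` output) to apply the same checks to real workloads.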
