K8S基本操作-43-Secure Context 設置容器為 no-root 用戶與 Capability
Secure Context 設置容器為 no-root 用戶
我們可以加入以下這段:
spec:
securityContext:
runAsUser: 1010
加完之後狀況如下:
---
apiVersion: v1
kind: Pod
metadata:
name: ubuntu-sleeper
namespace: default
spec:
securityContext:
runAsUser: 1010
containers:
- command:
- sleep
- "4800"
image: ubuntu
name: ubuntu-sleeper
也可以寫在Container 裡頭:
apiVersion: v1
kind: Pod
metadata:
name: multi-pod
spec:
containers:
- image: ubuntu
name: web
command: ["sleep", "5000"]
securityContext:
runAsUser: 1002
- image: ubuntu
name: sidecar
command: ["sleep", "5000"]
這樣就會以非 Root 的 User ID 1010 執行容器了。
Capability
代表容器可對於主機的存取權限。
我們在下面加上存取主機系統時間與網路的權限如下:
securityContext:
capabilities:
add: ["SYS_TIME","NET_ADMIN "]
整體大致是這樣:
---
apiVersion: v1
kind: Pod
metadata:
name: ubuntu-sleeper
namespace: default
spec:
containers:
- command:
- sleep
- "4800"
image: ubuntu
name: ubuntu-sleeper
securityContext:
capabilities:
add: ["SYS_TIME","NET_ADMIN "]