Kubernetes Security Context
Security Context
Security context for Pods and containers
◼ A set of constraints that determine how a container is created and run; they are the runtime parameters used when the container is created and started
◼ Gives users a way to define privilege and access-control settings for a Pod or a container
The security context settings for Pods and containers mainly cover the following areas
◼ Discretionary access control (DAC)
◼ The identity the container process runs as, and its permissions to access resources *
◼ Linux Capabilities *
◼ seccomp
◼ AppArmor
◼ SELinux
◼ Privileged Mode
◼ Privilege Escalation
SecurityContext:
Configured at two levels:
  Pod level: applies to every container in the Pod;
  Container level: applies only to that container;
pods.spec.securityContext:
  Run processes as a specified identity:
    runAsGroup
    runAsUser
  Run processes as a non-root user:
    runAsNonRoot
  Set specified kernel parameters:
    sysctls
pods.spec.containers[*].securityContext
  Run processes as a specified identity:
    runAsGroup
    runAsUser
  Run processes as a non-root user:
    runAsNonRoot
  Set capabilities:
    capabilities:
    User levels:
      root
      non-root
    Linux splits the kernel's administrative privileges into several categories and gives each one a name; such a category is called a Capability;
  Whether to run as a privileged container:
    privileged
  Whether to make the root filesystem read-only:
    readOnlyRootFilesystem
seccon-capability
apiVersion: v1
kind: Pod
metadata:
  name: demoapp-seccon-capability
  namespace: default
  labels:
    app: demoapp
    version: v1.0
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        drop:
        - CHOWN
  restartPolicy: OnFailure
seccon-privileged
apiVersion: v1
kind: Pod
metadata:
  name: demoapp-seccont-privileged
  namespace: default
  labels:
    app: demoapp
    version: v1.0
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    securityContext:
      privileged: true
  restartPolicy: OnFailure
seccon-runas
apiVersion: v1
kind: Pod
metadata:
  name: demoapp-sc-runas
  namespace: default
  labels:
    app: demoapp
    version: v1.0
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    env:
    - name: PORT
      value: "8080"
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
  restartPolicy: OnFailure
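Added example (not part of the original notes): a small audit that merges the Pod-level and container-level securityContext as described above and flags the weak settings the notes list (privileged, running as root, risky added capabilities, writable root filesystem). The Pods are constructed from the three manifests above in the dict shape `kubectl get pod -o json` returns, so no YAML library is needed; the RISKY_CAPS set beyond NET_ADMIN is an assumed illustration.

```python
from typing import Any, Dict, List

# Capabilities whose addition deserves review; NET_ADMIN appears in the manifest above,
# the others are assumed additions for illustration.
RISKY_CAPS = {"NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "NET_RAW"}

def effective_context(pod_ctx: Dict[str, Any], ctr_ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Pod-level settings apply to every container; container-level ones override them."""
    merged = dict(pod_ctx or {})
    merged.update(ctr_ctx or {})
    return merged

def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting, prefixed with the container name."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for ctr in spec.get("containers", []):
        name = ctr.get("name", "<unnamed>")
        ctx = effective_context(pod_ctx, ctr.get("securityContext", {}))
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged: true grants near-host access")
        # Root unless the manifest pins a non-zero UID or sets runAsNonRoot.
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root (set runAsUser > 0 or runAsNonRoot: true)")
        added = set(ctx.get("capabilities", {}).get("add", []))
        for cap in sorted(added & RISKY_CAPS):
            findings.append(f"{name}: adds capability {cap}")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable (readOnlyRootFilesystem unset)")
    return findings

def container(name: str, security_context: Dict[str, Any]) -> Dict[str, Any]:
    """Build a minimal container entry in the shape of the manifests above."""
    return {"name": name, "image": "ikubernetes/demoapp:v1.0", "securityContext": security_context}

# Constructed Pods mirroring the three manifests above (metadata omitted).
POD_PRIVILEGED = {"spec": {"containers": [container("demoapp", {"privileged": True})]}}
POD_RUNAS = {"spec": {"containers": [container("demoapp", {"runAsUser": 1001, "runAsGroup": 1001})]}}
POD_CAPS = {"spec": {"containers": [
    container("demoapp", {"capabilities": {"add": ["NET_ADMIN"], "drop": ["CHOWN"]}})]}}

if __name__ == "__main__":
    for label, pod in [("privileged", POD_PRIVILEGED), ("runas", POD_RUNAS), ("caps", POD_CAPS)]:
        print(label, *audit_pod(pod), sep="\n  ")
```

A Pod that sets runAsNonRoot at the Pod level and readOnlyRootFilesystem on the container produces no findings, which shows how the two levels combine.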