"K8s privileged"의 두 판 사이의 차이

(새 문서: ==개요== ;k8s privileged ;쿠버네티스 privileged <source lang='yaml'> apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: example spec: privileged: false #...)
 
 
(사용자 2명의 중간 판 13개는 보이지 않습니다)
3번째 줄: 3번째 줄:
;쿠버네티스 privileged
;쿠버네티스 privileged


<source lang='yaml'>
==PodSpec==
apiVersion: policy/v1beta1
<syntaxhighlight lang='yaml' line highlight='11'>
kind: PodSecurityPolicy
kind: Deployment
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
</source>
<source lang='yaml'>
...
...
spec:
spec:
34번째 줄: 17번째 줄:
           privileged: true
           privileged: true
         command: ["sysctl", "-w", "vm.max_map_count=262144"]
         command: ["sysctl", "-w", "vm.max_map_count=262144"]
</source>
</syntaxhighlight>
<source lang='yaml'>
<syntaxhighlight lang='yaml' line highlight='14'>
kind: Deployment
...
...
spec:
spec:
49번째 줄: 33번째 줄:
         securityContext:
         securityContext:
           privileged: true
           privileged: true
</source>
</syntaxhighlight>
 
==<del>PodSecurityPolicy</del>==
<syntaxhighlight lang='yaml' line highlight='6'>
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
</syntaxhighlight>


==같이 보기==
==같이 보기==
{{z컬럼3|
* [[k8s 초기화 컨테이너]]
* [[k8s 초기화 컨테이너]]
* [[k8s PodSecurityPolicy]]
* [[k8s securityContext]]
* <del>[[k8s PodSecurityPolicy]]</del>
* [[k8s allowPrivilegeEscalation]]
* [[k8s Privileged containers are not allowed]]
}}


==참고==
==참고==

Latest revision as of 22:44, 8 June 2024 (Sat)

1 Overview

k8s privileged
Kubernetes privileged

Setting privileged: true in a container's securityContext switches off most of the isolation the container would otherwise have: the process receives every Linux capability, sees the node's devices under /dev, and does not get the runtime's default seccomp and AppArmor confinement. In practice it is root on the node, and it can, for example, mount the node's disk. Grant it only to workloads that genuinely need kernel-level access (the sysctl init container below is the usual case), and have admission control reject it everywhere else: Pod Security Admission on current clusters, PodSecurityPolicy on old ones.

2 PodSpec

privileged is set per container, under securityContext, inside the PodSpec (for a Deployment that is spec.template.spec). Both examples below use a privileged init container to raise the node's vm.max_map_count; 262144 is the value Elasticsearch requires. The container has to be privileged because vm.max_map_count is not a namespaced sysctl: it cannot be set through the pod's securityContext.sysctls, and /proc/sys is mounted read-only in an unprivileged container, so sysctl -w fails there.

<syntaxhighlight lang='yaml'>
kind: Deployment
...
spec:
  template:
    spec:
      initContainers:
      - name: configure-sysctl
        image: busybox
        securityContext:
          runAsUser: 0
          privileged: true
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
</syntaxhighlight>

<syntaxhighlight lang='yaml'>
kind: Deployment
...
spec:
  template:
    spec:
      initContainers:
      - name: init-sysctl
        image: busybox:1.27.2
        command:
        - sysctl
        - -w
        - vm.max_map_count=262144
        securityContext:
          privileged: true
</syntaxhighlight>

Caveats: the init container runs as root with every capability on each node the pod is scheduled to, and the change it makes is node-wide, so it outlives the init container and affects every other pod on that node. Pod Security Admission at the baseline or restricted level rejects such pods; setting the parameter when the node is provisioned avoids the privileged container altogether. If you keep the pattern, pin the image tag as the second example does, so the privileged step does not silently run whatever busybox:latest resolves to.
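Finding every such request in a cluster is the first step of cleaning them up. The script below is an added example written for this page, not code from the page or from Kubernetes. It reads the JSON that kubectl get ... -o json prints (one object or a List) and reports every container, init container and ephemeral container whose securityContext sets privileged: true, so a privileged init container like the ones above, or a privileged ephemeral container left behind by kubectl debug, is not overlooked. The manifest embedded as SAMPLE_JSON is constructed for the example; its namespaces and names are invented.

```python
"""Find containers that request privileged: true.

Added example for this page, not the page's or Kubernetes' own code.
It reads the JSON that `kubectl get <kind> -A -o json` prints (a single
object or a List) and reports every container, init container and
ephemeral container whose securityContext sets privileged: true.  The
manifest in SAMPLE_JSON is constructed for the example; the namespace and
object names in it are invented.
"""
import json
import sys

# Workload kinds that embed a PodSpec at spec.template.spec
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}
# All three container lists count: an init container or a kubectl-debug
# ephemeral container is just as privileged as a main container.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec_of(obj):
    """Return the PodSpec embedded in obj, or None for kinds without one."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec")
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec")
    return None


def iter_objects(obj):
    """Yield single objects from either one object or a *List wrapper."""
    if str(obj.get("kind", "")).endswith("List"):
        for item in obj.get("items") or []:
            yield from iter_objects(item)
    else:
        yield obj


def find_privileged(obj):
    """Return [(kind, 'namespace/name', field, container)] for every
    container whose securityContext.privileged is exactly true.

    Only the container-level securityContext is checked: the pod-level
    securityContext has no privileged field.
    """
    findings = []
    for o in iter_objects(obj):
        spec = pod_spec_of(o)
        if spec is None:
            continue
        meta = o.get("metadata") or {}
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for field in CONTAINER_FIELDS:
            for c in spec.get(field) or []:
                if (c.get("securityContext") or {}).get("privileged") is True:
                    findings.append((o.get("kind"), ident, field, c.get("name", "?")))
    return findings


# Constructed sample: the page's sysctl init container, a clean pod, and a
# pod that received a privileged ephemeral container from `kubectl debug`.
SAMPLE_JSON = """
{"kind": "List", "items": [
  {"kind": "Deployment",
   "metadata": {"name": "es", "namespace": "logging"},
   "spec": {"template": {"spec": {
     "initContainers": [{"name": "init-sysctl", "image": "busybox:1.27.2",
       "command": ["sysctl", "-w", "vm.max_map_count=262144"],
       "securityContext": {"privileged": true}}],
     "containers": [{"name": "es", "image": "elasticsearch",
       "securityContext": {"privileged": false}}]}}}},
  {"kind": "Pod",
   "metadata": {"name": "web", "namespace": "dev"},
   "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
  {"kind": "Pod",
   "metadata": {"name": "debug-target", "namespace": "dev"},
   "spec": {"containers": [{"name": "app", "image": "app"}],
            "ephemeralContainers": [{"name": "debugger", "image": "busybox",
              "securityContext": {"privileged": true}}]}}
]}
"""
SAMPLE = json.loads(SAMPLE_JSON)


if __name__ == "__main__":
    # Pipe `kubectl get deploy,sts,ds,job,cronjob,pod -A -o json` into stdin,
    # or run with no input to audit the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    hits = find_privileged(data)
    for kind, ident, field, name in hits:
        print(f"{kind} {ident}: {field}/{name} is privileged")
    sys.exit(1 if hits else 0)
```

The check is deliberately strict (privileged is True, not merely truthy): an absent field, false, or a malformed value all count as not privileged, which matches how the API server treats the flag. Pods created directly, by controllers and by CronJobs are all covered because the walk starts from wherever the kind keeps its PodSpec.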

3 PodSecurityPolicy (deprecated, removed)

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the same control is applied with Pod Security Admission. On a cluster that still runs the PodSecurityPolicy admission plugin, a policy with privileged: false rejects any pod whose container sets privileged: true:

<syntaxhighlight lang='yaml'>
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
</syntaxhighlight>

Two things to check before relying on it: a PodSecurityPolicy only applies to a pod when the creating user or service account has been granted the use verb on it through RBAC, and this particular policy allows everything else (any user ID, any SELinux context, any volume type), so it blocks the privileged flag and nothing more.
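On clusters without PodSecurityPolicy the equivalent, as an added example that is not from the original page, is Pod Security Admission, which is configured with namespace labels instead of a cluster-scoped policy object. The baseline level is the one that forbids privileged: true in containers, init containers and ephemeral containers, so the sysctl init containers from the PodSpec section would be refused in a namespace labelled like this. The namespace name is an assumption.

```yaml
# Added example (not from the original page): Pod Security Admission
# stands in for the removed PodSecurityPolicy.  The namespace name is an
# assumption.  "baseline" rejects any container with privileged: true;
# "restricted" additionally requires allowPrivilegeEscalation: false,
# a non-root user, all capabilities dropped and a seccomp profile.
apiVersion: v1
kind: Namespace
metadata:
  name: logging
  labels:
    # Block privileged pods outright.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # Report violations of the stricter level (kubectl warnings and
    # audit-log annotations) without blocking them yet.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before switching enforce on for an existing namespace, preview the impact with kubectl label --dry-run=server --overwrite ns logging pod-security.kubernetes.io/enforce=baseline; the server reports every existing pod that would violate the level without changing anything.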

4 See also

* k8s 초기화 컨테이너 (k8s init containers)
* k8s securityContext
* k8s PodSecurityPolicy (deprecated)
* k8s allowPrivilegeEscalation
* k8s Privileged containers are not allowed

5 References