위키
포럼
도구
바뀐글
랜덤

"K8s privileged"의 두 판 사이의 차이

잔글 (Jmnote님이 쿠버네티스 privileged 문서를 K8s privileged 문서로 이동하면서 넘겨주기를 덮어썼습니다)
 
(같은 사용자의 중간 판 2개는 보이지 않습니다)
3번째 줄: 3번째 줄:
;쿠버네티스 privileged
;쿠버네티스 privileged


<syntaxhighlight lang='yaml' line highlight='6'>
==PodSpec==
apiVersion: policy/v1beta1
<syntaxhighlight lang='yaml' line highlight='11'>
kind: PodSecurityPolicy
kind: Deployment
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
</syntaxhighlight>
<syntaxhighlight lang='yaml' line highlight='10'>
...
...
spec:
spec:
35번째 줄: 18번째 줄:
         command: ["sysctl", "-w", "vm.max_map_count=262144"]
         command: ["sysctl", "-w", "vm.max_map_count=262144"]
</syntaxhighlight>
</syntaxhighlight>
<syntaxhighlight lang='yaml' line highlight='13'>
<syntaxhighlight lang='yaml' line highlight='14'>
kind: Deployment
...
...
spec:
spec:
49번째 줄: 33번째 줄:
         securityContext:
         securityContext:
           privileged: true
           privileged: true
</syntaxhighlight>
==<del>PodSecurityPolicy</del>==
<syntaxhighlight lang='yaml' line highlight='6'>
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
</syntaxhighlight>
</syntaxhighlight>


55번째 줄: 60번째 줄:
* [[k8s 초기화 컨테이너]]
* [[k8s 초기화 컨테이너]]
* [[k8s securityContext]]
* [[k8s securityContext]]
* [[k8s PodSecurityPolicy]]
* <del>[[k8s PodSecurityPolicy]]</del>
* [[k8s allowPrivilegeEscalation]]
* [[k8s allowPrivilegeEscalation]]
* [[k8s Privileged containers are not allowed]]
* [[k8s Privileged containers are not allowed]]

2024년 6월 8일 (토) 22:44 기준 최신판

1 개요[ | ]

k8s privileged
쿠버네티스 privileged

2 PodSpec[ | ]

kind: Deployment
...
spec:
  template:
    spec:
      initContainers:
      - name: configure-sysctl
        image: busybox
        securityContext:
          runAsUser: 0
          privileged: true
        command: ["sysctl", "-w", "vm.max_map_count=262144"]

kind: Deployment
...
spec:
  template:
    spec:
      initContainers:
      - name: init-sysctl
        image: busybox:1.27.2
        command:
        - sysctl
        - -w
        - vm.max_map_count=262144
        securityContext:
          privileged: true

3 PodSecurityPolicy[ | ]

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

4 같이 보기[ | ]

5 참고[ | ]

원본 주소 "https://zetawiki.com/w/index.php?title=K8s_privileged&oldid=905016"
문서 댓글 ({{ doc_comments.length }})
{{ comment.name }} {{ comment.created | snstime }}