K8s privileged

1 개요

k8s privileged

쿠버네티스 privileged

<source lang='yaml'> apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata:

 name: example

spec:

 privileged: false  # Don't allow privileged pods!
 # The rest fills in some required fields.
 seLinux:
   rule: RunAsAny
 supplementalGroups:
   rule: RunAsAny
 runAsUser:
   rule: RunAsAny
 fsGroup:
   rule: RunAsAny
 volumes:
 - '*'

</syntaxhighlight> <source lang='yaml'> ... spec:

 template:
   spec:
     initContainers:
     - name: configure-sysctl
       image: busybox
       securityContext:
         runAsUser: 0
         privileged: true
       command: ["sysctl", "-w", "vm.max_map_count=262144"]

</syntaxhighlight> <source lang='yaml'> ... spec:

 template:
   spec:
     initContainers:
     - name: init-sysctl
       image: busybox:1.27.2
       command:
       - sysctl
       - -w
       - vm.max_map_count=262144
       securityContext:
         privileged: true

</syntaxhighlight>

2 같이 보기

• k8s 초기화 컨테이너
• k8s securityContext
• k8s PodSecurityPolicy
• k8s allowPrivilegeEscalation
• Privileged containers are not allowed

3 참고

• https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
• https://kubernetes.io/docs/concepts/policy/pod-security-policy/#create-a-policy-and-a-pod