0
0

Kubernetes 污点、容忍策略、优先级与抢占、Pod安全

污点

污点使结点与pod产生排斥与标签相反

污点策略是通过嵌入合在键值对上的污点标签进行声明

污点标签必须绑定在键值对上,格式为:key=value:[污点标签]

taint翻译就是污点的意思

污点标签必须绑定在键值对上,格式为:key=value:[污点标签]

查看污点标签

  1.     kubectl describe nodes [结点名]

设置污点标签

  1.     kubectl taint node [结点名字] key=value:污点标签

删除污点标签

  1.     kubectl taint node [结点名字] key=value:污点标签-

污点标签

结点的调度是需要schedule筛选、打分的

  1.     PreferNoSchedule尽量不调度,只要不剩它一个就不被调度
  3.     NoSchedule不调度,筛选都进不去
  5.     NoExecute驱逐结点

PreferNoSchedule 、NoSchedule这两个只对新建的pod有效.

NoExecute对之前之后的pod都有效,删除、

管理污点标签

  1. # 查看污点策略
  2. [root@master ~]# kubectl describe nodes|grep Taints
  3. Taints:             node-role.kubernetes.io/master:NoSchedule
  4. Taints:             <none>
  5. Taints:             <none>
  6. Taints:             <none>
  8. # node-0001 设置污点策略 PreferNoSchedule
  9. [root@master ~]# kubectl taint node node-0001 k1=v1:PreferNoSchedule
  10. node/node-0001 tainted
  11. # node-0002 设置污点策略 NoSchedule
  12. [root@master ~]# kubectl taint node node-0002 k2=v2:NoSchedule
  13. node/node-0002 tainted
  15. [root@master ~]# kubectl describe nodes |grep Taints
  16. Taints:             node-role.kubernetes.io/master:NoSchedule
  17. Taints:             k1=v1:PreferNoSchedule
  18. Taints:             k2=v2:NoSchedule
  19. Taints:             <none>

Pod资源文件

  1. # 查看污点策略
  2. [root@master ~]# kubectl describe nodes|grep Taints
  3. Taints:             node-role.kubernetes.io/master:NoSchedule
  4. Taints:             <none>
  5. Taints:             <none>
  6. Taints:             <none>
  8. # node-0001 设置污点策略 PreferNoSchedule
  9. [root@master ~]# kubectl taint node node-0001 k1=v1:PreferNoSchedule
  10. node/node-0001 tainted
  11. # node-0002 设置污点策略 NoSchedule
  12. [root@master ~]# kubectl taint node node-0002 k2=v2:NoSchedule
  13. node/node-0002 tainted
  15. [root@master ~]# kubectl describe nodes |grep Taints
  16. Taints:             node-role.kubernetes.io/master:NoSchedule
  17. Taints:             k1=v1:PreferNoSchedule
  18. Taints:             k2=v2:NoSchedule
  19. Taints:             <none>

验证污点策略

  1. # 优先使用没有污点的节点
  2. [root@master ~]# sed "s,myphp,php1," myphp.yaml |kubectl apply -f -
  3. pod/php1 created
  4. [root@master ~]# sed "s,myphp,php2," myphp.yaml |kubectl apply -f -
  5. pod/php2 created
  6. [root@master ~]# kubectl get pods -o wide
  7. NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
  8. php1   1/1     Running   0          13s   10.244.3.43   node-0003
  9. php2   1/1     Running   0          5s    10.244.3.44   node-0003
  11. # 最后使用 PreferNoSchedule 节点
  12. [root@master ~]# sed 's,myphp,php3,' myphp.yaml |kubectl apply -f -
  13. pod/php3 created
  14. [root@master ~]# sed 's,myphp,php4,' myphp.yaml |kubectl apply -f -
  15. pod/php4 created
  16. [root@master ~]# kubectl get pods -o wide
  17. NAME   READY   STATUS    RESTARTS   AGE     IP            NODE
  18. php1   1/1     Running   0          3m16s   10.244.3.43   node-0003
  19. php2   1/1     Running   0          3m8s    10.244.3.44   node-0003
  20. php3   1/1     Running   0          113s    10.244.1.8    node-0001
  21. php4   1/1     Running   0          9s      10.244.1.9    node-0001
  23. # 不会使用 NoSchedule 节点
  24. [root@master ~]# sed 's,myphp,php5,' myphp.yaml |kubectl apply -f -
  25. pod/php5 created
  26. [root@master ~]# kubectl get pods -o wide
  27. NAME   READY   STATUS    RESTARTS   AGE     IP            NODE
  28. php1   1/1     Running   0          3m16s   10.244.3.43   node-0003
  29. php2   1/1     Running   0          3m8s    10.244.3.44   node-0003
  30. php3   1/1     Running   0          113s    10.244.1.8    node-0001
  31. php4   1/1     Running   0          9s      10.244.1.9    node-0001
  32. php5   0/1     Pending   0          5s      <none>        <none>

验证驱逐策略

  1. [root@master ~]# kubectl taint node node-0003 k3=v3:NoExecute
  2. node/node-0003 tainted
  3. [root@master ~]# kubectl describe nodes |grep Taints
  4. Taints:             node-role.kubernetes.io/master:NoSchedule
  5. Taints:             k1=v1:PreferNoSchedule
  6. Taints:             k2=v2:NoSchedule
  7. Taints:             k3=v3:NoExecute
  8. [root@master ~]# kubectl get pods -o wide
  9. NAME   READY   STATUS    RESTARTS   AGE     IP           NODE
  10. php3   1/1     Running   0          4m19s   10.244.1.8   node-0001
  11. php4   1/1     Running   0          2m35s   10.244.1.9   node-0001
  12. php5   0/1     Pending   0          2m31s   <none>       <none>

清理配置

  1. [root@master ~]# kubectl delete pod php{3..5}
  2. pod "php3" deleted
  3. pod "php4" deleted
  4. pod "php5" deleted
  5. [root@master ~]# kubectl taint node node-0001 k1=v1:PreferNoSchedule-
  6. node/node-0001 untainted
  7. [root@master ~]# kubectl taint node node-0002 k2=v2:NoSchedule-
  8. node/node-0002 untainted
  9. [root@master ~]# kubectl taint node node-0003 k3=v3:NoExecute-
  10. node/node-0003 untainted
  11. [root@master ~]# kubectl describe nodes |grep Taints
  12. Taints:             node-role.kubernetes.io/master:NoSchedule
  13. Taints:             <none>
  14. Taints:             <none>
  15. Taints:             <none>

容忍策略

一般根据标签去做,所以必须绑定标签

容忍策略是什么,刚好与污点相反,某些时候我们就是要在有污点的节点上运行Pod,这种无视污点标签的调度方式称为容忍

为node设置污点

  1. # 节点 node-0001 设置污点标签 k=v1:NoSchedule
  2. [root@master ~]# kubectl taint node node-0001 k=v1:NoSchedule
  3. node/node-0001 tainted
  5. # 节点 node-0002 设置污点标签 k=v2:NoSchedule
  6. [root@master ~]# kubectl taint node node-0002 k=v2:NoSchedule
  7. node/node-0002 tainted
  9. # 节点 node-0003 设置污点标签 k=v1:NoExecute
  10. [root@master ~]# kubectl taint node node-0003 k=v1:NoExecute
  11. node/node-0003 tainted
  13. [root@master ~]# kubectl describe nodes |grep Taints
  14. Taints:             node-role.kubernetes.io/master:NoSchedule
  15. Taints:             k=v1:NoSchedule
  16. Taints:             k=v2:NoSchedule
  17. Taints:             k=v1:NoExecute

精确匹配(Equal)

精确匹配策略

  1. # 容忍 k=v1:NoSchedule 污点
  2. [root@master ~]# vim myphp.yaml
  3. ---
  4. kind: Pod
  5. apiVersion: v1
  6. metadata:
  7.   name: myphp
  8. spec:
  9.   tolerations:
  10.   - operator: "Equal"      # 完全匹配键值对
  11.     key: "k"               # 键
  12.     value: "v1"            # 值
  13.     effect: "NoSchedule"   # 污点标签
  14.   containers:
  15.   - name: php
  16.     image: myos:phpfpm
  17.     resources:
  18.       requests:
  19.         cpu: 800m
  21. [root@master ~]# for i in php{1..3};do sed "s,myphp,${i}," myphp.yaml ;done|kubectl apply -f -
  22. pod/php1 created
  23. pod/php2 created
  24. pod/php3 created
  25. [root@master ~]# kubectl get pods -o wide
  26. NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
  27. php1   1/1     Running   0          6s    10.244.1.10   node-0001
  28. php2   1/1     Running   0          6s    10.244.1.11   node-0001
  29. php3   1/1     Pending   0          6s    <none>        <none>
  30. [root@master ~]# kubectl delete pod php{1..3}
  31. pod "php1" deleted
  32. pod "php2" deleted
  33. pod "php3" deleted

模糊匹配(Exists)

模糊匹配策略

  1. # 容忍 k=*:NoSchedule 污点
  2. [root@master ~]# vim myphp.yaml
  3. ---
  4. kind: Pod
  5. apiVersion: v1
  6. metadata:
  7.   name: myphp
  8. spec:
  9.   tolerations:
  10.   - operator: "Exists"     # 部分匹配,存在即可
  11.     key: "k"               # 键
  12.     effect: "NoSchedule"   # 污点标签
  13.   containers:
  14.   - name: php
  15.     image: myos:phpfpm
  16.     resources:
  17.       requests:
  18.         cpu: 800m
  20. [root@master ~]# for i in php{1..3};do sed "s,myphp,${i}," myphp.yaml ;done|kubectl apply -f -
  21. pod/php1 created
  22. pod/php2 created
  23. pod/php3 created
  24. [root@master ~]# kubectl get pods -o wide
  25. NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
  26. php1   1/1     Running   0          6s    10.244.1.12   node-0001
  27. php2   1/1     Running   0          6s    10.244.2.21   node-0002
  28. php3   1/1     Running   0          6s    10.244.2.22   node-0002
  29. [root@master ~]# kubectl delete pod php{1..3}
  30. pod "php1" deleted
  31. pod "php2" deleted
  32. pod "php3" deleted

所有污点标签

  1. # 容忍所有 node 上的污点
  2. [root@master ~]# vim myphp.yaml 
  3. ---
  4. kind: Pod
  5. apiVersion: v1
  6. metadata:
  7.   name: myphp
  8. spec:
  9.   tolerations:
  10.   - operator: "Exists"     # 模糊匹配
  11.     key: "k"               # 键
  12.     effect:                # 没有设置污点标签代表所有
  13.   containers:
  14.   - name: php
  15.     image: myos:phpfpm
  16.     resources:
  17.       requests:
  18.         cpu: 800m
  20. [root@master ~]# for i in php{1..3};do sed "s,myphp,${i}," myphp.yaml ;done|kubectl apply -f -
  21. pod/php1 created
  22. pod/php2 created
  23. pod/php3 created
  24. [root@master ~]# kubectl get pods -o wide
  25. NAME   READY   STATUS    RESTARTS   AGE   IP            NODE
  26. php1   1/1     Running   0          36s   10.244.1.15   node-0001
  27. php2   1/1     Running   0          36s   10.244.2.16   node-0002
  28. php3   1/1     Running   0          36s   10.244.3.18   node-0003
  29. [root@master ~]# kubectl delete pod php{1..3}
  30. pod "php1" deleted
  31. pod "php2" deleted
  32. pod "php3" deleted

抢占与优先级

优先级表示一个Pod相对于其他Pod的重要性

优先级可以保证重要的Pod被调度运行

当资源比较紧张才用优先级

如何使用优先级和抢占

配置优先级类PriorityClass

创建Pod时为其设置对应的优先级

优先级概述

PriorityClass是一个全局资源对象,定义了从优先级类名称到优先级整数值的映射。优先级在value字段中指定,可以设置小于10亿的整数值,值越大,优先级越高。

PriorityClass还有两个可选字段:

  1.     -globalDefault用于设置默认优先级状态,如果没有任何优先级设置Pod的优先级为零
  3.     -description用来配置描述性信息,告诉用户优先级的用途

优先级概述

优先级策略:

  1.     非抢占优先(插队):在调度阶段优先进行调度分配,一旦容器调度完成就不可抢占,资源不足时,只能等待,
  3.     抢占优先(杀死):强制调度一个pod,如果资源不足无法被调度,调度程序会抢占(删除)较低优先级的Pod的资源,来保证高优先级Pod的运行

非抢占优先级

preemptionPolicy: Never #非抢占
value: 500 #值
description: non-preemptive #描述

  1. # 定义优先级(队列优先)
  2. [root@master ~]# vim mypriority.yaml
  3. ---
  4. kind: PriorityClass
  5. apiVersion: scheduling.k8s.io/v1
  6. metadata:
  7.   name: high-non
  8. globalDefault: false
  9. preemptionPolicy: Never
  10. value: 1000
  11. description: non-preemptive
  13. ---
  14. kind: PriorityClass
  15. apiVersion: scheduling.k8s.io/v1
  16. metadata:
  17.   name: low-non
  18. globalDefault: false
  19. preemptionPolicy: Never
  20. value: 500
  21. description: non-preemptive
  23. [root@master ~]# kubectl apply -f mypriority.yaml 
  24. priorityclass.scheduling.k8s.io/high-non created
  25. priorityclass.scheduling.k8s.io/low-non created
  26. [root@master ~]# kubectl get priorityclasses.scheduling.k8s.io 
  27. NAME                      VALUE        GLOBAL-DEFAULT   AGE
  28. high-non                  1000         false            12s
  29. low-non                   500          false            12s
  30. system-cluster-critical   2000000000   false            45h
  31. system-node-critical      2000001000   false            45h

pod无,中,高优先级配置

  1. # 无优先级的 Pod
  2. [root@master ~]# cat php1.yaml 
  3. ---
  4. kind: Pod
  5. apiVersion: v1
  6. metadata:
  7.   name: php1
  8. spec:
  9.   nodeSelector:
  10.     kubernetes.io/hostname: node-0002
  11.   containers:
  12.   - name: php
  13.     image: myos:phpfpm
  14.     resources:
  15.       requests:
  16.         cpu: "1500m"
  18. # 低优先级 Pod
  19. [root@master ~]# cat php2.yaml 
  20. ---
  21. kind: Pod
  22. apiVersion: v1
  23. metadata:
  24.   name: php2
  25. spec:
  26.   nodeSelector:
  27.     kubernetes.io/hostname: node-0002
  28.   priorityClassName: low-non      # 优先级名称
  29.   containers:
  30.   - name: php
  31.     image: myos:phpfpm
  32.     resources:
  33.       requests:
  34.         cpu: "1500m"
  36. # 高优先级 Pod
  37. [root@master ~]# cat php3.yaml 
  38. ---
  39. kind: Pod
  40. apiVersion: v1
  41. metadata:
  42.   name: php3
  43. spec:
  44.   nodeSelector:
  45.     kubernetes.io/hostname: node-0002
  46.   priorityClassName: high-non     # 优先级名称
  47.   containers:
  48.   - name: php
  49.     image: myos:phpfpm
  50.     resources:
  51.       requests:
  52.         cpu: "1500m"

验证非抢占优先

  1. [root@master ~]# kubectl apply -f php1.yaml 
  2. pod/php1 created
  3. [root@master ~]# kubectl apply -f php2.yaml 
  4. pod/php2 created
  5. [root@master ~]# kubectl apply -f php3.yaml 
  6. pod/php3 created
  7. [root@master ~]# kubectl get pods
  8. NAME   READY   STATUS    RESTARTS   AGE
  9. php1   1/1     Running   0          9s
  10. php2   0/1     Pending   0          6s
  11. php3   0/1     Pending   0          4s
  12. [root@master ~]# kubectl delete pod php1
  13. pod "php1" deleted
  14. [root@master ~]# kubectl get pods
  15. NAME   READY   STATUS    RESTARTS   AGE
  16. php2   0/1     Pending   0          20s
  17. php3   1/1     Running   0          18s
  19. # 清理实验 Pod
  20. [root@master ~]# kubectl delete pod php2 php3
  21. pod "php2" deleted
  22. pod "php3" deleted

抢占策略

  1. [root@master ~]# vim mypriority.yaml
  2. ---
  3. kind: PriorityClass
  4. apiVersion: scheduling.k8s.io/v1
  5. metadata:
  6.   name: high
  7. globalDefault: false
  8. preemptionPolicy: PreemptLowerPriority
  9. value: 1000
  10. description: non-preemptive
  12. ---
  13. kind: PriorityClass
  14. apiVersion: scheduling.k8s.io/v1
  15. metadata:
  16.   name: low
  17. globalDefault: false
  18. preemptionPolicy: PreemptLowerPriority
  19. value: 500
  20. description: non-preemptive
  22. [root@master ~]# kubectl apply -f mypriority.yaml 
  23. priorityclass.scheduling.k8s.io/high created
  24. priorityclass.scheduling.k8s.io/low created
  25. [root@master ~]# kubectl get priorityclasses.scheduling.k8s.io 
  26. NAME                      VALUE        GLOBAL-DEFAULT   AGE
  27. high                      1000         false            12s
  28. low                       500          false            12s
  29. system-cluster-critical   2000000000   false            45h
  30. system-node-critical      2000001000   false            45h

验证抢占策略

  1. # 默认优先级 Pod
  2. [root@master ~]# kubectl apply -f php1.yaml 
  3. pod/php1 created
  4. [root@master ~]# kubectl get pods
  5. NAME   READY   STATUS    RESTARTS   AGE
  6. php1   1/1     Running   0          6s
  8. # 高优先级 Pod
  9. [root@master ~]# sed 's,-non,,' php3.yaml |kubectl apply -f - 
  10. pod/php3 created
  11. [root@master ~]# kubectl get pods
  12. NAME   READY   STATUS    RESTARTS   AGE
  13. php3   1/1     Running   0          9s
  15. # 低优先级 Pod
  16. [root@master ~]# sed 's,-non,,' php2.yaml |kubectl apply -f - 
  17. pod/php2 created
  18. [root@master ~]# kubectl get pods
  19. NAME   READY   STATUS    RESTARTS   AGE
  20. php2   0/1     Pending   0          3s
  21. php3   1/1     Running   0          9s
  23. # 清理实验 Pod
  24. [root@master ~]# kubectl delete pod php2 php3
  25. pod "php2" deleted
  26. pod "php3" deleted
  27. [root@master ~]# kubectl delete -f mypriority.yaml 
  28. priorityclass.scheduling.k8s.io "high-non" deleted
  29. priorityclass.scheduling.k8s.io "low-non" deleted
  30. priorityclass.scheduling.k8s.io "high" deleted
  31. priorityclass.scheduling.k8s.io "low" deleted

总结:有非抢占只是插队看优先级查,非抢占只是把当前运行的杀了,然后看优先级,低了你就想杀也杀不了 pod安全

特权容器

容器是通过名称空间技术隔离的,但是有时候我们需要突破隔离限制,获取更高的权限,这类容器称为特权容器

运行特权容器有风险

安全性

Pod安全策略是集群级别的资源,它能够控制Pod运行的行为,以及它具有访问什么的能力。

使用Pod安全策略服务器版本必须不低于版本v1,22

确保PodSecurity

apiServer是系统核心服务,如果出现故障,K8s将无法管理和维护,在修改之前备份资源文件

Pod安全策略

privileged 不受限制

baseline 弱限制性,禁止已知的策略提升权限

restricted 非常严格的限制性策略,遵循当前的保护Pod的最佳实践

Pod准入控制标签(MODE)

enforce 策略违例会导致Pod被拒绝

audit 策略违例会触发审计日志,但是Pod仍可以被接受

warn 策略违例会触发用户可见的警告信息,但是Pod仍然是被接受的

特权容器

更改容器主机名 和 /etc/hosts 文件

  1. [root@master ~]# vim root.yaml
  2. ---
  3. kind: Pod
  4. apiVersion: v1
  5. metadata:
  6.   name: root
  7. spec:
  8.   terminationGracePeriodSeconds: 0
  9.   restartPolicy: Always
  10.   hostname: myhost         # 特权,修改主机名
  11.   hostAliases:             # 修改 /etc/hosts
  12.   - ip: 192.168.1.30       # IP 地址
  13.     hostnames:             # 名称键值对
  14.     - registry             # 主机名
  15.   containers:
  16.   - name: linux
  17.     image: myos:v2009
  18.     imagePullPolicy: IfNotPresent
  19.     command: ["/bin/bash"]
  20.     args:
  21.     - -c
  22.     - |
  23.       while true;do
  24.             echo "Hello World."
  25.             sleep 5
  26.       done
  28. [root@master ~]# kubectl apply -f root.yaml 
  29. pod/root created
  30. [root@master ~]# kubectl exec -it root -- /bin/bash
  31. [root@myhost html]# hostname
  32. myhost
  33. [root@myhost html]# cat /etc/hosts
  34. ... ...
  35. # Entries added by HostAliases.
  36. 192.168.1.30    registry
  38. [root@master ~]# kubectl delete pod root 
  39. pod "root" deleted

root特权容器

  1. [root@master ~]# vim root.yaml
  2. ---
  3. kind: Pod
  4. apiVersion: v1
  5. metadata:
  6.   name: root
  7. spec:
  8.   terminationGracePeriodSeconds: 0
  9.   restartPolicy: Always
  10.   hostPID: true            # 特权,共享系统进程
  11.   hostNetwork: true        # 特权,共享主机网络
  12.   containers:
  13.   - name: linux
  14.     image: myos:v2009
  15.     imagePullPolicy: IfNotPresent
  16.     securityContext:       # 安全上下文值
  17.       privileged: true     # root特权容器
  18.     command: ["/bin/bash"]
  19.     args:
  20.     - -c
  21.     - |
  22.       while true;do
  23.             echo "Hello World."
  24.             sleep 5
  25.       done
  27. [root@master ~]# kubectl get pods
  28. NAME   READY   STATUS    RESTARTS   AGE
  29. root   1/1     Running   0          26s
  30. [root@master ~]# kubectl exec -it root -- /bin/bash
  31. [root@node-0001 /]# 
  33. # 系统进程特权
  34. [root@node-0001 /]# pstree -p
  35. systemd(1)-+-NetworkManager(510)-+-dhclient(548)
  36.            |                     |-{NetworkManager}(522)
  37.            |                     `-{NetworkManager}(524)
  38.            |-agetty(851)
  39.            |-chronyd(502)
  40.            |-containerd(531)-+-{containerd}(555)
  41.            ... ...
  43. # 网络特权
  44. [root@node-0001 /]# ifconfig eth0
  45. eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
  46.         inet 192.168.1.51  netmask 255.255.255.0  broadcast 192.168.1.255
  47.         ether fa:16:3e:70:c8:fa  txqueuelen 1000  (Ethernet)
  48.         ... ...
  50. # root用户特权
  51. [root@node-0001 /]# mkdir /sysroot
  52. [root@node-0001 /]# mount /dev/sda1 /sysroot
  53. [root@node-0001 /]# chroot /sysroot
  54. sh-4.2# mount -t proc proc /proc
  55. sh-4.2# : 此处已经是 node 节点上的 root 用户了
  57. # 删除特权容器
  58. [root@master ~]# kubectl delete pod root 
  59. pod "root" deleted

Pod安全策略

  1. [root@master ~]# sed '36i\    - --feature-gates=PodSecurity=true' -i /etc/kubernetes/manifests/kube-apiserver.yaml
  2. [root@master ~]# systemctl restart kubelet
  4. # 生产环境设置严格的准入控制
  5. [root@master ~]# kubectl create namespace myprod
  6. namespace/myprod created
  7. [root@master ~]# kubectl label namespaces myprod pod-security.kubernetes.io/enforce=restricted
  8. namespace/myprod labeled
  10. # 测试环境测试警告提示
  11. [root@master ~]# kubectl create namespace mytest
  12. namespace/mytest created
  13. [root@master ~]# kubectl label namespaces mytest pod-security.kubernetes.io/warn=baseline
  14. namespace/mytest labeled
  16. # 创建特权容器
  17. [root@master ~]# kubectl -n myprod apply -f root.yaml 
  18. Error from server (Failure): error when creating "root.yaml": host namespaces (hostNetwork=true, hostPID=true), privileged (container "linux" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "linux" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "linux" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "linux" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "linux" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  19. [root@master ~]# 
  20. [root@master ~]# kubectl -n myprod get pods
  21. No resources found in myprod namespace.
  23. [root@master ~]# kubectl -n mytest apply -f root.yaml                                    
  24. Warning: would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true, hostPID=true), privileged (container "linux" must not set securityContext.privileged=true)
  25. pod/root created
  26. [root@master ~]# 
  27. [root@master ~]# kubectl -n mytest get pods               
  28. NAME   READY   STATUS    RESTARTS   AGE
  29. root   1/1     Running   0          7s
  30. [root@master ~]#

符合安全规则的Pod

  1. [root@master ~]# vim nonroot.yaml
  2. ---
  3. kind: Pod
  4. apiVersion: v1
  5. metadata:
  6.   name: nonroot
  7. spec:
  8.   terminationGracePeriodSeconds: 0
  9.   restartPolicy: Always
  10.   containers:
  11.   - name: linux
  12.     image: myos:v2009
  13.     imagePullPolicy: IfNotPresent
  14.     securityContext:
  15.       allowPrivilegeEscalation: false
  16.       runAsNonRoot: true
  17.       runAsUser: 99
  18.       seccompProfile:
  19.         type: "RuntimeDefault"
  20.       capabilities:
  21.         drop: ["ALL"]
  22.     command: ["/bin/bash"]
  23.     args:
  24.     - -c
  25.     - |
  26.       while true;do
  27.             echo "Hello World."
  28.             sleep 30
  29.       done
  31. [root@master ~]# kubectl -n myprod apply -f nonroot.yaml 
  32. pod/nonroot created
  33. [root@master ~]# kubectl -n myprod get pods
  34. NAME      READY   STATUS    RESTARTS   AGE
  35. nonroot   1/1     Running   0          6s
  36. [root@master ~]# kubectl -n myprod exec -it nonroot -- id
  37. uid=99(nobody) gid=99(nobody) groups=99(nobody)
标签: kubernetes 容器 云原生
本文转载自: https://blog.csdn.net/weixin_55000003/article/details/130373981
版权归原作者 云海0478 所有, 如有侵权,请联系我们删除。
登录后发布评论

“Kubernetes 污点、容忍策略、优先级与抢占、Pod安全”的评论:

还没有评论
关于作者
...
overfit同步小助手
文章同步
相关阅读

网络安全法-网络运行安全

使用selenium/drissionpage时如何阻止chrome自动跳转http到https

docker desktop 里部署的Open WebUI 管理员密码忘记了的处理方法

在ubuntu20.04中搭建onsite比赛运行环境

利用开源的低代码表单设计器FcDesigner高效管理和渲染复杂表单结构

Kafka学习笔记

【前端】浏览器输入url到页面呈现发生了什么?