Info

https://v1-18.docs.kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/

Code Block
apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: hello-world
    # specification of the pod's container (image, ports, ...)
    # ...
    # readOnlyRootFilesystem is a container-level field, so the
    # securityContext must sit under the container, not under spec
    securityContext:
      readOnlyRootFilesystem: true
      runAsNonRoot: true
Info

https://v1-18.docs.kubernetes.io/docs/tasks/configure-pod-container/security-context/

Set the security context for a Pod

Code Block
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

Configure the volume permission and ownership change policy for a Pod

Code Block
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  fsGroupChangePolicy: "OnRootMismatch"

Set the security context for a Container

Code Block
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false

Set capabilities for a Container

Code Block
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  containers:
  - name: sec-ctx-4
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

Assign SELinux labels to a Container

Code Block
...
securityContext:
  seLinuxOptions:
    level: "s0:c123,c456"
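The snippets above show the fields individually; the following added example (not from the Kubernetes docs or the blog post) audits a parsed Pod manifest for those same settings and shows the precedence rule that security-context-demo-2 illustrates, where a container-level runAsUser overrides the Pod-level one. The RISKY_CAPABILITIES set is a constructed policy for this example, and DEMO_2 and DEMO_4 are the page's security-context-demo-2 and security-context-demo-4 manifests written out as Python dicts so the script runs without a YAML parser.

```python
from typing import Dict, List, Optional

# Constructed policy for this example: capabilities we flag when a container adds them.
RISKY_CAPABILITIES = {"NET_ADMIN", "SYS_ADMIN", "SYS_TIME", "SYS_PTRACE"}

# The page's security-context-demo-2 and security-context-demo-4 manifests in parsed form.
DEMO_2 = {"spec": {"securityContext": {"runAsUser": 1000},
                   "containers": [{"name": "sec-ctx-demo-2",
                                   "securityContext": {"runAsUser": 2000,
                                                       "allowPrivilegeEscalation": False}}]}}
DEMO_4 = {"spec": {"containers": [{"name": "sec-ctx-4",
                                   "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}}


def effective_run_as_user(pod_sc: dict, ctr_sc: dict) -> Optional[int]:
    """A container-level runAsUser overrides the Pod-level one (demo-2 runs as 2000, not 1000)."""
    return ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))


def audit_pod(manifest: dict) -> Dict[str, List[str]]:
    """Map each container name to its list of findings; an empty list means it passes."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings: Dict[str, List[str]] = {}
    for ctr in spec.get("containers", []):
        sc = ctr.get("securityContext") or {}
        issues: List[str] = []
        uid = effective_run_as_user(pod_sc, sc)
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            issues.append("may run as root: set runAsNonRoot: true or a non-zero runAsUser")
        # These two fields exist only on the container securityContext, not the Pod one.
        if not sc.get("readOnlyRootFilesystem", False):
            issues.append("root filesystem is writable: set readOnlyRootFilesystem: true")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true when unset
            issues.append("allowPrivilegeEscalation is not set to false")
        risky = sorted(set((sc.get("capabilities") or {}).get("add", [])) & RISKY_CAPABILITIES)
        if risky:
            issues.append("adds capabilities: " + ", ".join(risky))
        findings[ctr["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, pod in (("demo-2", DEMO_2), ("demo-4", DEMO_4)):
        for ctr, issues in audit_pod(pod).items():
            print(f"{name}/{ctr}: {issues or 'OK'}")
```

Running it reports one finding for demo-2 (writable root filesystem) and four for demo-4, which sets no user, no read-only root filesystem, leaves privilege escalation allowed and adds NET_ADMIN and SYS_TIME.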