Context

Container Security Context:在指定的 namespace 中修改 Deployment 的安全上下文。

Task

按照如下要求修改 sec-ns 命名空间里的 Deployment secdep:

  • 用ID为 30000 的用户启动容器(设置用户ID为: 30000)
  • 不允许进程获得超出其父进程的特权(禁止allowPrivilegeEscalation)
  • 以只读方式挂载容器的根文件系统(根文件系统设置为只读)

解: 在 kubernetes.io 搜索 security context(见截图)。注意题目要求的是配置 Deployment 的 security context,而文档示例是 Pod 的配置,相应字段要放到 Deployment 的 spec.template.spec 下。

# Show the current state of the Deployment before changing it
kubectl -n sec-ns get deployment secdep
# Open the live object in an editor; the securityContext changes go under spec.template.spec
kubectl -n sec-ns edit deployment secdep


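# Deployment secdep in namespace sec-ns as shown by `kubectl edit deploy secdep -n sec-ns`.
# Only the securityContext stanzas were changed; every other field is as the API server returned it.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    # NOTE(review): this annotation still holds the pre-edit spec (no securityContext);
    # kubectl edit does not refresh it, so it no longer describes the live spec.
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"secdep","namespace":"sec-ns"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"secdep"}},"template":{"metadata":{"labels":{"app":"secdep"}},"spec":{"containers":[{"command":["sh","-c","sleep 12h"],"image":"busybox:1.28","imagePullPolicy":"IfNotPresent","name":"sec-ctx-demo-1","volumeMounts":[{"mountPath":"/data/demo1","name":"sec-ctx-vol-1"}]},{"command":["sh","-c","sleep 12h"],"image":"busybox","imagePullPolicy":"IfNotPresent","name":"sec-ctx-demo-2","volumeMounts":[{"mountPath":"/data/demo2","name":"sec-ctx-vol-2"}]}],"volumes":[{"emptyDir":{},"name":"sec-ctx-vol-1"},{"emptyDir":{},"name":"sec-ctx-vol-2"}]}}}}
  creationTimestamp: "2024-02-17T15:05:05Z"
  generation: 1
  name: secdep
  namespace: sec-ns
  # Server-managed fields; left as returned by the API server.
  resourceVersion: "92921"
  uid: 7eb11b35-8839-420c-be22-619e3a3bc69d
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: secdep
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  # The task targets the pod template: securityContext fields belong under spec.template.spec,
  # not under the Deployment's own spec.
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: secdep
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 12h
        image: busybox:1.28
        imagePullPolicy: IfNotPresent
        name: sec-ctx-demo-1
        resources: {}
        # allowPrivilegeEscalation and readOnlyRootFilesystem are container-level fields and are
        # not inherited from the pod-level securityContext, so both containers need this stanza.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /data/demo1
          name: sec-ctx-vol-1
      - command:
        - sh
        - -c
        - sleep 12h
        # No tag pinned here (resolves to :latest); not part of the task, but worth pinning
        # like sec-ctx-demo-1 so the running image is reproducible.
        image: busybox
        imagePullPolicy: IfNotPresent
        name: sec-ctx-demo-2
        resources: {}
        # Same container-level settings as sec-ctx-demo-1.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /data/demo2
          name: sec-ctx-vol-2
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # Pod-level securityContext: runAsUser applies to every container in the pod unless a
      # container sets its own runAsUser. The original object had `securityContext: {}`; the `{}`
      # must be removed before adding the nested key, otherwise the YAML is invalid.
      securityContext:
        runAsUser: 30000
      terminationGracePeriodSeconds: 30
      # emptyDir volumes mounted at /data/demo1 and /data/demo2 stay writable even with
      # readOnlyRootFilesystem: true, which only affects the container's root filesystem.
      volumes:
      - emptyDir: {}
        name: sec-ctx-vol-1
      - emptyDir: {}
        name: sec-ctx-vol-2
# Server-managed status, reproduced as kubectl edit showed it; it is not part of the edit.
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2024-02-17T15:05:05Z"
    lastUpdateTime: "2024-02-17T15:05:07Z"
    message: ReplicaSet "secdep-7988476f56" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-07-25T11:17:04Z"
    lastUpdateTime: "2024-07-25T11:17:04Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1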

# Confirm the rollout: the Deployment should report its replicas ready and a fresh pod running
kubectl -n sec-ns get pods,deployments
# Dump the live objects to verify runAsUser, allowPrivilegeEscalation and readOnlyRootFilesystem took effect
kubectl -n sec-ns get pods,deployments -o yaml
