CKA 예제 리마인더 - 26. Security Contexts

sleep 명령어를 실행하는 pod의 유저는 누구인가요?

ps aux

5657 root      0:00 sleep 4800

or

kubectl exec ubuntu-sleeper -- whoami



sleep 명령을 실행하는 user의 ID가 1010이 되도록 파드를 수정하세요

Pod Name: ubuntu-sleeper

Image Name: ubuntu

SecurityContext: User 1010



kubectl get po ubuntu-sleeper -o yaml > sleeper.yaml

spec 아래에 설정 추가

  securityContext:
    runAsUser: 1010

kubectl apply -f sleeper.yaml --force

ps aux or kubectl exec ubuntu-sleeper -- whoami 로 확인




multi-pod.yaml 이 제공됩니다. web 컨테이너는 어떤 유저로 시작되나요?

apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  securityContext:
    runAsUser: 1001
  containers:
  -  image: ubuntu
     name: web
     command: ["sleep", "5000"]
     securityContext:
      runAsUser: 1002

  -  image: ubuntu
     name: sidecar
     command: ["sleep", "5000"]

Pod 레벨에 지정된 유저는 1001, sidecar 컨테이너는 1001 유저로 실행됨

컨테이너 레벨에 유저가 지정된 web container는 1002



ubuntu-sleeper 파드를 root 유저로 실행시키고 SYS_TIME capability를 정의하세요

Pod Name: ubuntu-sleeper

Image Name: ubuntu

SecurityContext: Capability SYS_TIME

Is run as a root user?



securityContext 아래에

      capabilities:
        add:
        - SYS_TIME

or

      capabilities:
        add: ["SYS_TIME"]

추가

  securityContext:
    runAsUser: 0
    capabilities:
      add:
      - SYS_TIME

runAsUser 를 root로 세팅할 경우 0으로 입력


apply 했더니 에러 발생

spec.securityContext.capabilities 필드를 알 수가 없댄다

찾아보니 securityContext.capabilities 는 파드 레벨이 아닌 컨테이너 레벨에 정의되어야한다고 함!!!!!!!!!!!

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

spec:
  containers:
  - name: ubuntu
    image: ubuntu
    imagePullPolicy: Always
    command:
    - sleep
    - "4800"
    securityContext:
      runAsUser: 0
      capabilities:
        add:
        - SYS_TIME

ps aux or kubectl exec ubuntu-sleeper -- whoami 로 확인



NET_ADMIN capabilites도 추가하세요

    securityContext:
      runAsUser: 0
      capabilities:
        add:
        - SYS_TIME
        - NET_ADMIN