K8s中的Security Context上下文
k8s中的Security Context通常用于安全考虑,限制pod对host系统文件权限读取或者限制其对系统资源的使用。默认情况下,如果不使用Security Context,则pod默认会以root用户运行,在pod的从天儿中运行程序时,容易对某些对安全要求较高的系统造成损害。
详情参看官方:
apiVersion: v1 kind: Pod Metadata: creationTimestamp: null labels: run: Nginx name: Nginx spec:
securityContext:
runAsUser: 100
runAsGroup: 1000
fsGroup: 205 containers: - image: Nginx name: Nginx resources: {}
volumeMounts:
- name: host-vol
mountPath: /etc/local dnsPolicy: ClusterFirst restartPolicy: Always
volumes:
- name: host-vol
hostPath:
path: /usr/shared/test status: {}
K8s中的Resource Requirement
Resource资源定义表明了pod在运行期间,占据host资源的请求与限制使用,通常对resources分为requests与limits。字如其面,对系统资源的请求与最大限制
详情参考官方
两种方式可以在pod创建resources
- 命令行
kubectl run Nginx --image=Nginx --ports=80 --restart=Never --requests="cpu=250m,memory=256Mi" --limits="cpu=500m,memory=512Mi"
- YAML文本
apiVersion: v1 kind: Pod Metadata: creationTimestamp: null labels: run: Nginx name: Nginx spec: containers: - image: Nginx name: Nginx resources: limits: cpu: 500m memory: 512Mi requests: cpu: 250m memory: 256Mi dnsPolicy: ClusterFirst restartPolicy: Never status: {}
K8s中的Resource Requirement
Service account应用于在pod的容器中运行的进程
详情参看官方:
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
同样,有命令行和YAMl文件来定义service account
- 命令行
kubectl create sa Nginx kubectl run Nginx --image=Nginx --serviceaccount=Nginx --ports=80 --restart=Never
- YAML文件
apiVersion: v1 kind: Pod Metadata: creationTimestamp: null labels: run: Nginx name: Nginx spec: serviceAccountName: Nginx containers: - image: Nginx name: Nginx dnsPolicy: ClusterFirst restartPolicy: Never status: {}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。
