How to replace `securityContext: privileged: true` in Kubernetes for DinD (docker in docker)

huangapple go评论65阅读模式
英文:

How to replace `securityContext: privileged: true` in Kubernetes for DinD (docker in docker)

问题

如果我们想要使用`docker`来构建OCI容器镜像,并且希望使用以下Pod设置:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dind
spec:
  containers:
    - name: build
      image: docker:23.0.1-cli
      command:
        - cat
      tty: true
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375

    - name: dind-daemon
      image: docker:23.0.1-dind-rootless
      securityContext:
        privileged: true
      resources:
        requests:
          cpu: 20m
          memory: 512Mi
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker
  volumes:
    - name: docker-graph-storage
      emptyDir: {}

我想知道在kubernetes >1.25中替代

securityContext:
        privileged: true

的方法是什么,因为在 kubernetes >1.25 中已被弃用,原因参考:https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

以及是否仍然可以执行与上述相同的操作以及如何执行?


<details>
<summary>英文:</summary>

If we want to to build OCI container images with `docker`
and e.g. want to the following pod setup:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dind
spec:
  containers:
    - name: build
      image: docker:23.0.1-cli
      command:
        - cat
      tty: true
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375

    - name: dind-daemon
      image: docker:23.0.1-dind-rootless
      securityContext:
        privileged: true
      resources:
        requests:
          cpu: 20m
          memory: 512Mi
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker
  volumes:
    - name: docker-graph-storage
      emptyDir: {}

I am wondering what the replacement is for

securityContext:
        privileged: true

since that is deprecated in kubernetes &gt;1.25 because: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

and if its still possible to do the same as above and how?

答案1

得分: 2

根据 Kubernetes 官方 API 参考文档 V 1.26 版本,它们已更改了安全上下文的字段。

不再使用 privileged: true,而是在最新版本中使用了其他参数。它们是:

runAsUser: 在最新版本中,您可以通过使用用户的 UID 来以任何用户身份运行,如果您的镜像具有该用户。通常来说,root 用户的 UID 是 0,因此您可以在创建部署的 yaml 文件中提及 root 用户的 UID。

allowPrivilegeEscalation: 如果将 allowPrivilegeEscalation 设置为 true,则在需要时将特权升级到 root 用户。

runAsNonRoot: 如果将 runAsNonRoot 设置为 true,将执行验证,Kubernetes 将阻止 Pod 或容器启动,否则,如果未设置或设置为 false,它将不会阻止以 root 执行,前提是您的镜像已构建为以 root 运行。

如果您想持续以 root 执行作业或任务,可以同时使用 runAsUserrunAsNonRoot,而 allowPrivilegeEscalation 可用于临时提升权限。以下是最新版本的 yaml 示例文件,可将其用作参考:

apiVersion: v1
kind: Pod
metadata:
 name: security-context-demo

spec:
 securityContext:
   runAsUser: 1000
   runAsGroup: 3000
   fsGroup: 2000

 volumes:
 - name: sec-ctx-vol
   emptyDir: {}

 containers:
 - name: sec-ctx-demo
   image: busybox:1.28
   command: [ "sh", "-c", "sleep 1h" ]

   volumeMounts:
   - name: sec-ctx-vol
     mountPath: /data/demo

   securityContext:
     allowPrivilegeEscalation: false

注意:此 yaml 代码和上述说明源自官方 Kubernetes 文档。

[1]https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[2]https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core

英文:

As per kubernetes official API reference documentation for V 1.26 they have changed the fields for security context.

Instead of using privileged: true they got other parameters in the latest versions. That are

runAsUser: You can run as any user in the latest versions by using the UID of the user if your image has that user. In general the UID for root users is 0, so you can mention the UID of root user in the yaml file while creating the deployment.

allowPrivilegeEscalation: If allowPrivilegeEscalation is set to true privileges will be escalated to the root user when required.

runAsNonRoot: If runAsNonRoot is set to true a validation will be performed and kubernetes will stop the pod or container from starting else if it’s unset or set to false it won’t prevent root execution, provided your image is built to run as root.

Both runAsUser and runAsNonRoot can be used if you want to execute the job or task continuously as root whereas allowPrivilegeEscalation can be used for temporarily escalating privileges. Below is the yaml example file for the latest version, use it as a reference

apiVersion: v1
kind: Pod
metadata:
 name: security-context-demo

spec:
 securityContext:
   runAsUser: 1000
   runAsGroup: 3000
   fsGroup: 2000

 volumes:
 - name: sec-ctx-vol
   emptyDir: {}

 containers:
 - name: sec-ctx-demo
   image: busybox:1.28
   command: [ &quot;sh&quot;, &quot;-c&quot;, &quot;sleep 1h&quot; ]

   volumeMounts:
   - name: sec-ctx-vol
     mountPath: /data/demo

   securityContext:
     allowPrivilegeEscalation: false

Note: The yaml code and the above explanation is derived from official kubernetes documentation.

[1]https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[2]https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core

huangapple
  • 本文由 发表于 2023年2月27日 16:06:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/75578035.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定