How to replace `securityContext: privileged: true` in Kubernetes for DinD (docker in docker)
Question
If we want to build OCI container images with `docker` and e.g. want the following pod setup:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dind
spec:
  containers:
    - name: build
      image: docker:23.0.1-cli
      command:
        - cat
      tty: true
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
    - name: dind-daemon
      image: docker:23.0.1-dind-rootless
      securityContext:
        privileged: true
      resources:
        requests:
          cpu: 20m
          memory: 512Mi
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker
  volumes:
    - name: docker-graph-storage
      emptyDir: {}
```

I am wondering what the replacement is for

```yaml
securityContext:
  privileged: true
```

since that is deprecated in kubernetes >1.25 because: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/ and if it's still possible to do the same as above and how?
Answer 1
Score: 2
As per the Kubernetes official API reference documentation for v1.26, they have changed the fields for security context. Instead of using `privileged: true`, they got other parameters in the latest versions. They are:

- `runAsUser`: You can run as any user in the latest versions by using the UID of the user, if your image has that user. In general the UID for the root user is 0, so you can mention the UID of the root user in the yaml file while creating the deployment.
- `allowPrivilegeEscalation`: If `allowPrivilegeEscalation` is set to true, privileges will be escalated to the root user when required.
- `runAsNonRoot`: If `runAsNonRoot` is set to true, a validation will be performed and Kubernetes will stop the pod or container from starting; else, if it's unset or set to false, it won't prevent root execution, provided your image is built to run as root.

Both `runAsUser` and `runAsNonRoot` can be used if you want to execute the job or task continuously as root, whereas `allowPrivilegeEscalation` can be used for temporarily escalating privileges. Below is the yaml example file for the latest version; use it as a reference:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
    - name: sec-ctx-vol
      emptyDir: {}
  containers:
    - name: sec-ctx-demo
      image: busybox:1.28
      command: [ "sh", "-c", "sleep 1h" ]
      volumeMounts:
        - name: sec-ctx-vol
          mountPath: /data/demo
      securityContext:
        allowPrivilegeEscalation: false
```

Note: The yaml code and the above explanation are derived from the official Kubernetes documentation.

[1] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[2] https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core
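As an added example (not part of the question or the answer above), a small Python audit that walks a Pod manifest and reports the securityContext settings the thread discusses: `privileged: true`, `allowPrivilegeEscalation` left unset or true, `runAsNonRoot` not set to true, and `runAsUser: 0`. The two manifests from this page are embedded as Python dicts (trimmed to the fields the audit reads, an assumed transcription of the YAML) so it runs without a YAML library.

```python
# Added example: audit Pod manifests for the securityContext fields discussed on this page.
# Manifests are dict transcriptions of the page's YAML (constructed, resource requests omitted).

DIND_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dind"},
    "spec": {"containers": [
        {"name": "build", "image": "docker:23.0.1-cli", "command": ["cat"], "tty": True,
         "env": [{"name": "DOCKER_HOST", "value": "tcp://localhost:2375"}]},
        {"name": "dind-daemon", "image": "docker:23.0.1-dind-rootless",
         "securityContext": {"privileged": True},
         "volumeMounts": [{"name": "docker-graph-storage", "mountPath": "/var/lib/docker"}]},
    ], "volumes": [{"name": "docker-graph-storage", "emptyDir": {}}]},
}

DEMO_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "security-context-demo"},
    "spec": {"securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
             "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
             "containers": [{"name": "sec-ctx-demo", "image": "busybox:1.28",
                             "command": ["sh", "-c", "sleep 1h"],
                             "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
                             "securityContext": {"allowPrivilegeEscalation": False}}]},
}

def _effective(pod_sc: dict, ctr_sc: dict, key: str):
    """runAsUser/runAsNonRoot exist at pod and container level; the container value wins."""
    return ctr_sc.get(key, pod_sc.get(key))

def audit_pod(manifest: dict) -> list:
    """Return (container name, finding) tuples; an empty list means nothing was flagged."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ctr in spec.get("containers", []):
        name, sc = ctr["name"], (ctr.get("securityContext") or {})
        if sc.get("privileged") is True:  # container-level only field
            findings.append((name, "privileged: true gives full host device and capability access"))
        if sc.get("allowPrivilegeEscalation") is not False:  # default allows escalation
            findings.append((name, "allowPrivilegeEscalation is not explicitly false"))
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append((name, "runAsNonRoot is not set to true"))
        if _effective(pod_sc, sc, "runAsUser") == 0:
            findings.append((name, "runAsUser: 0 runs the container as root"))
    return findings

if __name__ == "__main__":
    for pod in (DIND_POD, DEMO_POD):
        for ctr, msg in audit_pod(pod):
            print(f"{pod['metadata']['name']}/{ctr}: {msg}")
```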