K8s中的Security Context上下文
k8s中的Security Context通常用于安全考虑,限制pod对host系统文件权限读取或者限制其对系统资源的使用。默认情况下,如果不使用Security Context,则pod默认会以root用户运行,在pod的从天儿中运行程序时,容易对某些对安全要求较高的系统造成损害。
详情参看官方:
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
securityContext:
runAsUser: 100
runAsGroup: 1000
fsGroup: 205
containers:
- image: nginx
name: nginx
resources: {}
volumeMounts:
- name: host-vol
mountPath: /etc/local
dnsPolicy: ClusterFirst
restartPolicy: Always
volumes:
- name: host-vol
hostPath:
path: /usr/shared/test
status: {}
K8s中的Resource Requirement
Resource资源定义表明了pod在运行期间,占据host资源的请求与限制使用,通常对resources分为requests与limits。字如其面,对系统资源的请求与最大限制
详情参考官方
两种方式可以在pod创建resources
- 命令行
kubectl run nginx --image=nginx --ports=80 --restart=Never --requests="cpu=250m,memory=256Mi" --limits="cpu=500m,memory=512Mi"
- YAML文本
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
K8s中的Resource Requirement
Service account应用于在pod的容器中运行的进程
详情参看官方:
- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
同样,有命令行和YAMl文件来定义service account
- 命令行
kubectl create sa nginx kubectl run nginx --image=nginx --serviceaccount=nginx --ports=80 --restart=Never
- YAML文件
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
serviceAccountName: nginx
containers:
- image: nginx
name: nginx
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
Kubernetes中的Security Context, Resource requirement和Service Account