Kubernetes中的Security Context, Resource requirement和Service Account

K8s中的Security Context上下文

k8s中的Security Context通常用于安全考虑,限制pod对host系统文件权限读取或者限制其对系统资源的使用。默认情况下,如果不使用Security Context,则pod默认会以root用户运行,在pod的从天儿中运行程序时,容易对某些对安全要求较高的系统造成损害。

详情参看官方: 

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
securityContext:
runAsUser: 100
runAsGroup: 1000
fsGroup: 205 containers: - image: nginx name: nginx resources: {}
volumeMounts:
- name: host-vol
mountPath: /etc/local dnsPolicy: ClusterFirst restartPolicy: Always
volumes:
- name: host-vol
hostPath:
path: /usr/shared/test status: {}

 

K8s中的Resource Requirement

Resource资源定义表明了pod在运行期间,占据host资源的请求与限制使用,通常对resources分为requests与limits。字如其面,对系统资源的请求与最大限制

详情参考官方

两种方式可以在pod创建resources

  • 命令行
kubectl run nginx --image=nginx --ports=80 --restart=Never --requests="cpu=250m,memory=256Mi" --limits="cpu=500m,memory=512Mi"
  • YAML文本
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 250m
        memory: 256Mi
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

  

  

K8s中的Resource Requirement

Service account应用于在pod的容器中运行的进程

详情参看官方:

同样,有命令行和YAMl文件来定义service account

  • 命令行
kubectl create sa nginx

kubectl run nginx --image=nginx --serviceaccount=nginx --ports=80 --restart=Never
  • YAML文件
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  serviceAccountName: nginx
  containers:
  - image: nginx
    name: nginx
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

  

Kubernetes中的Security Context, Resource requirement和Service Account

上一篇:C++ for循环效率


下一篇:java读取properties