Task weight: 8%

Use context: kubectl config use-context workload-prod

There is Deployment container-host-hacker in Namespace team-red which mounts /run/containerd as a hostPath volume on the Node where it's running. This means that the Pod can access various data about other containers running on the same Node.

To prevent this, configure Namespace team-red to enforce the baseline Pod Security Standard. Once completed, delete the Pod of the Deployment mentioned above.

Check the ReplicaSet events and write the event/log lines containing the reason why the Pod isn't recreated into /opt/course/4/logs.




Solution

Pod Security Standards are enforced per Namespace through labels, so edit the Namespace directly and add the enforce label:

k edit ns team-red
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: team-red
    pod-security.kubernetes.io/enforce: baseline # add this label
  name: team-red

Now delete the Pod. The Deployment's ReplicaSet will try to recreate it, but creation fails under the baseline standard; check the ReplicaSet events for the reason:

k -n team-red get pod
k -n team-red delete pod container-host-hacker-dbf989777-wm8fc
k -n team-red get pod
k -n team-red get rs
k -n team-red describe rs container-host-hacker-dbf989777


Write the FailedCreate event line into the file /opt/course/4/logs:

# /opt/course/4/logs
Warning  FailedCreate      2m2s (x9 over 2m40s)  replicaset-controller  (combined from similar events): Error creating: pods "container-host-hacker-dbf989777-kjfpn" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "containerdata")
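To see why the label alone is enough to block the Pod, here is an added example (not part of the original solution and not the kube-apiserver's PodSecurity admission plugin) that re-implements a handful of the baseline checks offline: hostPath volumes, host namespaces and privileged containers. The Pod manifest, the Namespace labels and the function names are constructed for this illustration; they mirror the task's Deployment but were not copied from the cluster. Run it against the Namespace before and after the enforce label is added and it produces the same forbidden message the ReplicaSet controller reported.

```python
from typing import Optional

# Constructed manifest mirroring the task's Deployment (hypothetical, not
# fetched from the cluster): one container, /run/containerd via hostPath.
HACKER_POD = {
    "metadata": {"name": "container-host-hacker-dbf989777-kjfpn", "namespace": "team-red"},
    "spec": {
        "containers": [{
            "name": "hacker",
            "image": "busybox",
            "volumeMounts": [{"name": "containerdata", "mountPath": "/run/containerd"}],
        }],
        "volumes": [{"name": "containerdata", "hostPath": {"path": "/run/containerd"}}],
    },
}

LEVELS = ("privileged", "baseline", "restricted")


def enforce_level(ns_labels: dict) -> str:
    """Level a Namespace enforces. With no enforce label the apiserver applies
    'privileged', i.e. no restriction, which is why the hostPath Pod ran at all."""
    level = ns_labels.get("pod-security.kubernetes.io/enforce", "privileged")
    if level not in LEVELS:
        raise ValueError(f"unknown Pod Security level {level!r}")
    return level


def baseline_violations(pod: dict) -> list:
    """Subset of baseline rules; returns reasons phrased like PodSecurity's messages."""
    spec = pod.get("spec", {})
    reasons = []

    # Baseline forbids sharing the host's network, PID and IPC namespaces.
    host_ns = [f"{f}=true" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    if host_ns:
        reasons.append("host namespaces (" + ", ".join(host_ns) + ")")

    # Baseline forbids privileged containers of any kind (init, regular, ephemeral).
    all_containers = (spec.get("initContainers", []) + spec.get("containers", [])
                      + spec.get("ephemeralContainers", []))
    priv = [c["name"] for c in all_containers
            if c.get("securityContext", {}).get("privileged")]
    if priv:
        reasons.append("privileged (" + ", ".join(
            f'container "{n}" must not set securityContext.privileged=true' for n in priv) + ")")

    # Baseline forbids hostPath volumes outright: this is the rule the task hits.
    bad_vols = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if bad_vols:
        reasons.append("hostPath volumes (" + ", ".join(f'volume "{n}"' for n in bad_vols) + ")")
    return reasons


def admit(ns_labels: dict, pod: dict) -> Optional[str]:
    """None if the Pod would be admitted, else the forbidden message.
    Simplification (assumption): 'restricted' is checked with the baseline rules only."""
    level = enforce_level(ns_labels)
    if level == "privileged":
        return None
    reasons = baseline_violations(pod)
    if not reasons:
        return None
    version = ns_labels.get("pod-security.kubernetes.io/enforce-version", "latest")
    name = pod["metadata"]["name"]
    return (f'pods "{name}" is forbidden: violates PodSecurity "{level}:{version}": '
            + ", ".join(reasons))


if __name__ == "__main__":
    before = {"kubernetes.io/metadata.name": "team-red"}
    after = dict(before, **{"pod-security.kubernetes.io/enforce": "baseline"})
    print("before label:", admit(before, HACKER_POD))
    print("after label: ", admit(after, HACKER_POD))
```

The `after` case prints the same `pods "..." is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "containerdata")` text that appears in the ReplicaSet event, minus the controller's `Error creating:` prefix. Because the check runs at admission time, already-running Pods are untouched; only the recreation attempt after the delete is rejected, which is exactly the behaviour the task asks you to document.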