Task weight: 2%
Use context: kubectl config use-context workload-prod
The Deployment immutable-deployment in Namespace team-purple should run with an immutable filesystem; it was created from file /opt/course/19/immutable-deployment.yaml. Even after a successful break-in, it shouldn't be possible for an attacker to modify the filesystem of the running container.
Modify the Deployment in a way that no processes inside the container can modify the local filesystem, only /tmp directory should be writeable. Don't modify the Docker image.
Save the updated YAML under /opt/course/19/immutable-deployment-new.yaml and update the running Deployment.
Solution
Inspect the Deployment
k -n team-purple get deploy immutable-deployment -o yaml
# kubectl -n team-purple get deploy immutable-deployment -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
  ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
      restartPolicy: Always
Edit the static manifest file (copy the original first, then set readOnlyRootFilesystem and mount an emptyDir on /tmp so that path stays writable)
cp /opt/course/19/immutable-deployment.yaml /opt/course/19/immutable-deployment-new.yaml
vim /opt/course/19/immutable-deployment-new.yaml
# /opt/course/19/immutable-deployment-new.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
        securityContext:                # add
          readOnlyRootFilesystem: true  # add
        volumeMounts:                   # add
        - mountPath: /tmp               # add
          name: temp-vol                # add
      volumes:                          # add
      - name: temp-vol                  # add
        emptyDir: {}                    # add
      restartPolicy: Always
Apply the file: delete the previously created Deployment and create the new one. Deleting with the new file works because name and namespace are unchanged; `kubectl apply -f` would achieve the same result through a rolling update instead of a delete and recreate.
k delete -f /opt/course/19/immutable-deployment-new.yaml
k create -f /opt/course/19/immutable-deployment-new.yaml
Verify
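In the cluster, the check is simply `kubectl -n team-purple exec deploy/immutable-deployment -- touch /tmp/x` (must succeed) versus `kubectl -n team-purple exec deploy/immutable-deployment -- touch /x` (must fail with a read-only filesystem error). The block below is an added example, not part of the original page or the course material: an offline policy check that takes a Deployment as a Python dict (the manifests are constructed here to mirror the page's YAML, because PyYAML is not assumed to be installed) and reports every container that lacks `readOnlyRootFilesystem: true` or has a writable mount outside /tmp. It goes one step beyond the task by also requiring the /tmp scratch volume to be an emptyDir, so that a hostPath or PVC cannot quietly turn the "temporary" directory into persistent, node-shared storage; that extra rule is this example's choice, not something the task asks for.

```python
"""Offline check that a Deployment enforces an immutable container filesystem.

Added example (not the page's own code). Manifests are constructed dicts that
mirror /opt/course/19/immutable-deployment.yaml; no cluster access is needed.
"""
import copy

# Paths that may be writable. The task allows exactly one: /tmp.
WRITABLE_ALLOWLIST = {"/tmp"}

# Constructed: the Deployment as created from the original manifest.
ORIGINAL = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "namespace": "team-purple",
        "name": "immutable-deployment",
        "labels": {"app": "immutable-deployment"},
    },
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "immutable-deployment"}},
        "template": {
            "metadata": {"labels": {"app": "immutable-deployment"}},
            "spec": {
                "containers": [{
                    "image": "busybox:1.32.0",
                    "command": ["sh", "-c", "tail -f /dev/null"],
                    "imagePullPolicy": "IfNotPresent",
                    "name": "busybox",
                }],
                "restartPolicy": "Always",
            },
        },
    },
}


def harden(deployment):
    """Return a copy with the same changes the page makes by hand:
    readOnlyRootFilesystem: true on every container and an emptyDir on /tmp."""
    d = copy.deepcopy(deployment)
    pod = d["spec"]["template"]["spec"]
    for c in pod["containers"]:
        c.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
        mounts = c.setdefault("volumeMounts", [])
        if not any(m["mountPath"] == "/tmp" for m in mounts):
            mounts.append({"mountPath": "/tmp", "name": "temp-vol"})
    vols = pod.setdefault("volumes", [])
    if not any(v["name"] == "temp-vol" for v in vols):
        vols.append({"name": "temp-vol", "emptyDir": {}})
    return d


def check_immutable(deployment, allowed=WRITABLE_ALLOWLIST):
    """Return a list of findings for the Pod template; an empty list passes.

    Rules: every container (init containers included) must set
    readOnlyRootFilesystem: true; every writable volumeMount must be on an
    allowed path and backed by an emptyDir (not hostPath, PVC, etc.)."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        for m in c.get("volumeMounts", []):
            if m.get("readOnly"):
                continue  # a read-only mount cannot be used to modify anything
            path = m["mountPath"]
            if path not in allowed:
                findings.append(f"{c['name']}: writable mount at {path}")
            vol = volumes.get(m["name"])
            if vol is None:
                findings.append(f"{c['name']}: mount {m['name']} references no volume")
            elif "emptyDir" not in vol:
                findings.append(f"{c['name']}: {path} is not backed by an emptyDir volume")
    return findings


if __name__ == "__main__":
    for label, d in (("original", ORIGINAL), ("hardened", harden(ORIGINAL))):
        print(label, check_immutable(d) or "OK")
```

Run it against the real object with `kubectl -n team-purple get deploy immutable-deployment -o json` piped into `json.load` to get the same dict shape; the check is deliberately silent about the image, since the task forbids changing it and nothing in the image can undo a read-only root mount set by the kubelet.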