Practice question:

Set the configuration context:

[candidate@node-1] $ kubectl config use-context k8s

Task

Modify the existing Deployment named broker-deployment running in namespace quetzal so that its container

  • runs as user 30000
  • does not allow privilege escalation.

The manifest for broker-deployment can be found at /ckad/daring-moccasin/broker-deployment.yaml

Reference:

https://www.hao.kim/1104.html
https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/security-context/

kubectl explain deployment.spec.template.spec.containers.securityContext


Solution:

Switch to the required context

kubectl config use-context k8s

List and edit the Deployment

kubectl -n quetzal get deployments.apps
kubectl -n quetzal edit deployments.apps broker-deployment

Under spec.template.spec.containers, add a securityContext block to the container entry itself (the container-level field; the pod-level spec.securityContext stays as it is). allowPrivilegeEscalation defaults to true when it is not set, so it must be written out explicitly as false. Saving the edit triggers a new rollout of the Deployment.

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    kubectl.kubernetes.io/last-applied-configuration: |
  creationTimestamp: "2023-05-24T13:00:32Z"
  generation: 1
  name: broker-deployment
  namespace: quetzal
  resourceVersion: "19019"
  uid: 43b31f70-9362-443a-a944-52b688bd1f46
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: broker-deployment
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: broker-deployment
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 5h
        image: busybox
        imagePullPolicy: IfNotPresent
        name: sec-ctx-demo
        resources: {}
        securityContext:      # added
          allowPrivilegeEscalation: false  # added: defaults to true when unset
          runAsUser: 30000    # added: container-level, overrides any pod-level runAsUser
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /data/demo
          name: sec-ctx-vol
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
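
To check the result the way a grader or an admission policy would, the following added example (not part of the original page and not Kubernetes tooling) reads the Deployment as JSON, which is what `kubectl -n quetzal get deploy broker-deployment -o json` prints, and reports every container whose effective runAsUser is not 30000 or whose allowPrivilegeEscalation is not explicitly false. The embedded document is constructed by hand from the manifest above, not captured from a cluster. It resolves runAsUser the way the kubelet does (container-level value over pod-level value) and treats an unset allowPrivilegeEscalation as a finding because that field defaults to true. The function names `check_deployment` and `harden` are my own.

```python
"""Verify (and, if wanted, apply) the two securityContext requirements from the task.

Added example, not the page's own code. Input is the JSON form of a Deployment,
as printed by `kubectl get deploy <name> -o json`. Only the standard library is used.
"""
import json
import sys

REQUIRED_UID = 30000

# Constructed sample mirroring the broker-deployment manifest before the fix.
# Only the fields the check looks at are reproduced.
SAMPLE_BEFORE = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "broker-deployment", "namespace": "quetzal"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {},
                "containers": [
                    {"name": "sec-ctx-demo", "image": "busybox",
                     "command": ["sh", "-c", "sleep 5h"]},
                ],
            }
        }
    },
})


def _all_containers(pod_spec):
    """Regular and init containers both run as the pod's workload, so check both."""
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def effective_run_as_user(pod_spec, container):
    """Container-level runAsUser wins over pod-level; None when neither is set."""
    csc = container.get("securityContext") or {}
    if "runAsUser" in csc:
        return csc["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def check_deployment(doc_json, uid=REQUIRED_UID):
    """Return a list of problems; an empty list means every container complies."""
    doc = json.loads(doc_json)
    pod_spec = doc["spec"]["template"]["spec"]
    problems = []
    for c in _all_containers(pod_spec):
        name = c.get("name", "<unnamed>")
        if effective_run_as_user(pod_spec, c) != uid:
            problems.append(f"{name}: runAsUser is not {uid}")
        csc = c.get("securityContext") or {}
        # allowPrivilegeEscalation exists only at container level and defaults
        # to true when unset, so "absent" is a finding, not a pass.
        if csc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation is not false")
        if csc.get("privileged") is True:
            problems.append(f"{name}: privileged containers always allow escalation")
    return problems


def harden(doc_json, uid=REQUIRED_UID):
    """Return the JSON with both fields set on every container (the edit the task asks for)."""
    doc = json.loads(doc_json)
    pod_spec = doc["spec"]["template"]["spec"]
    for c in _all_containers(pod_spec):
        csc = c.get("securityContext") or {}
        csc["runAsUser"] = uid
        csc["allowPrivilegeEscalation"] = False
        c["securityContext"] = csc
    return json.dumps(doc)


if __name__ == "__main__":
    # Read a live Deployment from stdin when piped; otherwise use the constructed sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    problems = check_deployment(src)
    print("\n".join(problems) if problems else "OK: all containers compliant")
    sys.exit(1 if problems else 0)
```

Against the cluster, run `kubectl -n quetzal get deploy broker-deployment -o json | python3 check_sc.py` (file name assumed) after saving the edit. The manifest check says what the API object declares; to confirm what actually runs, wait for the new pod and run `kubectl -n quetzal exec deploy/broker-deployment -- id -u`, which should print 30000.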
