Practice question:
Set up the configuration context:
[candidate@node-1] $ kubectl config use-context k8s
Task
Modify the existing Deployment named broker-deployment running in namespace quetzal so that its containers
- run as user 30000
- are not allowed to escalate privileges.
You can find the manifest for broker-deployment at /ckad/daring-moccasin/broker-deployment.yaml
References:
https://www.hao.kim/1104.html https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/security-context/
kubectl explain deployment.spec.template.spec.containers.securityContext
Solution:
Switch context
kubectl config use-context k8s
Find and edit the corresponding deployment
kubectl -n quetzal get deployments.apps
kubectl -n quetzal edit deployments.apps broker-deployment
Add a securityContext to the container entry under spec.template.spec.containers. Both fields belong at container level here: runAsUser could also be set in the pod-level securityContext (spec.template.spec.securityContext) and would be inherited, but allowPrivilegeEscalation exists only on the container securityContext. Saving the edit changes the pod template, so the Deployment rolls out a new ReplicaSet and replaces the running pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    kubectl.kubernetes.io/last-applied-configuration: |
  creationTimestamp: "2023-05-24T13:00:32Z"
  generation: 1
  name: broker-deployment
  namespace: quetzal
  resourceVersion: "19019"
  uid: 43b31f70-9362-443a-a944-52b688bd1f46
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: broker-deployment
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: broker-deployment
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 5h
        image: busybox
        imagePullPolicy: IfNotPresent
        name: sec-ctx-demo
        resources: {}
        securityContext:                  # added
          allowPrivilegeEscalation: false # added
          runAsUser: 30000                # added
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /data/demo
          name: sec-ctx-vol
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
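Added example (not part of the original question or its reference solution): a small Python check that reads the Deployment in the JSON form printed by `kubectl get deploy <name> -o json`, reports every container whose effective runAsUser is not 30000 or whose allowPrivilegeEscalation is not explicitly false, and builds the strategic-merge patch that `kubectl patch` can apply as a non-interactive alternative to `kubectl edit`. It goes a little beyond the task by also covering initContainers and by resolving runAsUser inherited from the pod-level securityContext. The embedded sample manifest is constructed to mirror broker-deployment before the edit (the annotation body and the volumes section are omitted); the script name check_secctx.py is an assumption.

```python
"""check_secctx.py: verify and patch the container securityContext of a Deployment.

Added example, not the page's or the exam's own material. Reads the Deployment in
the JSON form printed by `kubectl get deploy <name> -o json`; with no argument it
runs against the constructed sample below.
"""
import json
import sys

REQUIRED_UID = 30000

# Constructed sample: broker-deployment *before* the edit. Only the fields the
# check needs are reproduced; the annotation body and volumes are left out.
SAMPLE_DEPLOYMENT_JSON = """
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "broker-deployment", "namespace": "quetzal"},
  "spec": {
    "replicas": 1,
    "selector": {"matchLabels": {"app": "broker-deployment"}},
    "template": {
      "metadata": {"labels": {"app": "broker-deployment"}},
      "spec": {
        "containers": [
          {"name": "sec-ctx-demo", "image": "busybox",
           "command": ["sh", "-c", "sleep 5h"]}
        ],
        "securityContext": {}
      }
    }
  }
}
"""


def load_sample():
    """Parse the constructed sample into a dict."""
    return json.loads(SAMPLE_DEPLOYMENT_JSON)


def find_violations(deployment, uid=REQUIRED_UID):
    """List every container (regular and init) that misses either requirement.

    runAsUser is inherited from the pod-level securityContext when the container
    does not set it, so the effective value is resolved container -> pod.
    allowPrivilegeEscalation exists only at container level and must be explicitly
    false: when unset, the kubelet does not request no_new_privs, so setuid
    binaries inside the container can still gain privileges.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_ctx = pod_spec.get("securityContext") or {}
    violations = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        ctx = c.get("securityContext") or {}
        effective_uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if effective_uid != uid:
            violations.append(f"{c['name']}: runAsUser is {effective_uid!r}, expected {uid}")
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{c['name']}: allowPrivilegeEscalation is not explicitly false")
    return violations


def strategic_patch(deployment, uid=REQUIRED_UID):
    """Build the strategic-merge patch (kubectl patch's default type) that sets
    both fields on every container. Container lists merge by `name`, so naming
    each entry and giving only securityContext leaves image, command etc. intact."""
    pod_spec = deployment["spec"]["template"]["spec"]
    ctx = {"runAsUser": uid, "allowPrivilegeEscalation": False}
    patch_spec = {}
    for key in ("containers", "initContainers"):
        if pod_spec.get(key):
            patch_spec[key] = [{"name": c["name"], "securityContext": dict(ctx)}
                               for c in pod_spec[key]]
    return {"spec": {"template": {"spec": patch_spec}}}


def apply_patch_locally(deployment, patch):
    """Replay the name-keyed merge for the fields the patch touches, so the
    result can be re-checked without a cluster. Returns a new dict."""
    patched = json.loads(json.dumps(deployment))  # deep copy, input untouched
    pod_spec = patched["spec"]["template"]["spec"]
    for key, entries in patch["spec"]["template"]["spec"].items():
        by_name = {e["name"]: e["securityContext"] for e in entries}
        for c in pod_spec.get(key, []):
            if c["name"] in by_name:
                if c.get("securityContext") is None:
                    c["securityContext"] = {}
                c["securityContext"].update(by_name[c["name"]])
    return patched


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            deployment = json.load(fh)
    else:
        deployment = load_sample()
    problems = find_violations(deployment)
    if not problems:
        print(f"OK: every container runs as {REQUIRED_UID} with privilege escalation disabled")
        return
    print("Violations:")
    for p in problems:
        print("  -", p)
    meta = deployment["metadata"]
    ns, name = meta.get("namespace", "default"), meta["name"]
    print("\nFix with:")
    print(f"kubectl -n {ns} patch deploy {name} -p '{json.dumps(strategic_patch(deployment))}'")


if __name__ == "__main__":
    main()
```

Usage against the live cluster: `kubectl -n quetzal get deploy broker-deployment -o json > dep.json && python3 check_secctx.py dep.json`. After the patch or edit, confirm the rollout finished with `kubectl -n quetzal rollout status deploy/broker-deployment` and check the running process rather than only the spec: `kubectl -n quetzal exec deploy/broker-deployment -- id -u` should print 30000.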