I needed to create a privileged container, change the user it runs as, and mount a host directory, so I checked how to configure each of these.
Environment:
IBM Cloud Kubernetes Service (IKS) v1.18
Sample container 1: privileged and root startup settings
sample-container1.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sample-container
spec:
  securityContext: #<= add
    runAsUser: 0 #<= add
  containers:
  - name: sample-container
    image: centos:7
    securityContext: #<= add
      privileged: true #<= add
    command: ["/bin/sleep", "1200000"]
- runAsUser: 0 makes the container run as root
- Add "securityContext: privileged: true"
Sample container 2: privileged and root startup settings, plus a mount of a host directory
sample-container2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: sample-container
spec:
  securityContext: #<= add
    runAsUser: 0 #<= add
  containers:
  - name: sample-container
    image: centos:7
    securityContext: #<= add
      privileged: true #<= add
    command: ["/bin/sleep", "1200000"]
    volumeMounts:
    - mountPath: /test #<= mount the host's /etc at /test inside the container
      name: test-hostpath
  volumes:
  - name: test-hostpath
    hostPath: #<= hostPath setting
      path: /etc #<= specify /etc
      type: Directory
Create the Pod
$ kubectl apply -f sample-container.yml
pod/sample-container created
Log in
$ kubectl exec -it sample-container -- /bin/sh
sh-4.2# whoami
root
sh-4.2# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
-> Confirmed it is running as root on CentOS 7
sh-4.2# ls /
anaconda-post.log bin dev etc home lib lib64 media mnt opt proc root run sbin srv sys test tmp usr var
sh-4.2# ls /test
NetworkManager debconf.conf iscsi netconfig rsyslog.conf
X11 debian_version issue netplan rsyslog.d
acpi default issue.net network screenrc
adduser.conf deluser.conf kernel networkd-dispatcher securetty
alternatives depmod.d kernel-img.conf networks security
apm dhcp kubernetes newt selinux
apparmor dnsmasq.d landscape nsswitch.conf services
apparmor.d dnsmasq.d-available ld.so.cache ntp.conf shadow
apport dpkg ld.so.conf opt shadow-
apt ec2_version ld.so.conf.d os-release shells
armada environment ldap overlayroot.conf skel
armadabootstrap ethertypes legal overlayroot.local.conf sos.conf
at.allow fonts libaudit.conf pam.conf ssh
bash.bashrc fstab libibverbs.d pam.d ssl
bash_completion fuse.conf libnl-3 passwd subgid
bash_completion.d gai.conf locale.alias passwd- subgid-
bindresvport.blacklist groff locale.gen perl subuid
binfmt.d group localtime pm subuid-
byobu group- logcheck polkit-1 sudoers
ca-certificates grub.d login.defs pollinate sudoers.d
ca-certificates.conf gshadow logrotate.conf popularity-contest.conf sysctl.conf
ca-certificates.conf.dpkg-old gshadow- logrotate.d profile sysctl.d
calendar gss lsb-release profile.d systemd
cloud haproxy ltrace.conf protocols terminfo
cni hdparm.conf lvm python3 timezone
console-setup host.conf machine-id python3.6 tmpfiles.d
containerd hostname magic rc0.d ucf.conf
cracklib hosts magic.mime rc1.d udev
crictl.yaml hosts.allow mailcap rc2.d ufw
cron.allow hosts.deny mailcap.order rc3.d update-manager
cron.d hosts_bk manpath.config rc4.d update-motd.d
cron.daily idmapd.conf mdadm rc5.d update-notifier
cron.hourly init mime.types rc6.d updatedb.conf
cron.monthly init.d mke2fs.conf rcS.d vim
cron.weekly initramfs-tools modprobe.d request-key.conf vmware-tools
crontab inputrc modules request-key.d vtrgb
cryptsetup-initramfs insserv.conf.d modules-load.d resolv.conf wgetrc
crypttab iproute2 mtab rmt xdg
dbus-1 iptables nanorc rpc zsh_command_not_found
-> Confirmed the host directory is mounted at /test
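The two manifests above combine three settings that the Kubernetes Pod Security Standards (linked in the references below) disallow: a privileged container and a hostPath volume fail the "baseline" level, and running as UID 0 fails the "restricted" level. The listing of /test above also shows why the hostPath mount matters: a root process in the container can read and write the host's shadow, sudoers and ssh configuration. As an added example that is not part of the original note, the following Python script (standard library only) audits Pod objects in the JSON form returned by `kubectl get pods -A -o json` and reports those three conditions. The embedded sample Pod is a constructed JSON rendering of sample-container2.yaml, the hardened variant beside it is a constructed counter-example that passes, and the function names (audit_pod, audit, audit_json) are my own.

```python
import json

# Constructed sample: sample-container2.yaml as `kubectl get pod -o json`
# would return it (status and managed fields trimmed).
SAMPLE_POD_JSON = r'''
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "sample-container", "namespace": "default"},
  "spec": {
    "securityContext": {"runAsUser": 0},
    "containers": [
      {
        "name": "sample-container",
        "image": "centos:7",
        "securityContext": {"privileged": true},
        "command": ["/bin/sleep", "1200000"],
        "volumeMounts": [{"mountPath": "/test", "name": "test-hostpath"}]
      }
    ],
    "volumes": [
      {"name": "test-hostpath", "hostPath": {"path": "/etc", "type": "Directory"}}
    ]
  }
}
'''

# Constructed hardened variant: non-root UID, no privilege, emptyDir instead
# of hostPath. It should produce no findings.
HARDENED_POD_JSON = r'''
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "sample-container-hardened", "namespace": "default"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 1000},
    "containers": [
      {
        "name": "sample-container",
        "image": "centos:7",
        "securityContext": {"privileged": false, "allowPrivilegeEscalation": false},
        "command": ["/bin/sleep", "1200000"],
        "volumeMounts": [{"mountPath": "/test", "name": "scratch"}]
      }
    ],
    "volumes": [{"name": "scratch", "emptyDir": {}}]
  }
}
'''


def audit_pod(pod):
    """Return (level, message) findings for one Pod object (dict parsed from JSON)."""
    findings = []
    meta = pod.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # hostPath volumes are forbidden at the baseline level: they expose host files
    # (e.g. /etc/shadow, /etc/sudoers when the path is /etc) to the container.
    for vol in spec.get("volumes") or []:
        hp = vol.get("hostPath")
        if hp:
            findings.append(("baseline", f'{name}: volume {vol.get("name")} is hostPath {hp.get("path")}'))

    # Check init containers too; they run with the same privileges.
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        cname = f'{name}/{c.get("name")}'
        if sc.get("privileged"):
            findings.append(("baseline", f"{cname}: privileged: true"))
        # Container-level securityContext overrides the pod-level one.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        # Explicit UID 0, or no UID at all without runAsNonRoot, means the image
        # default (root for centos:7) decides; the restricted level rejects both.
        if uid == 0 or (uid is None and not non_root):
            findings.append(("restricted", f"{cname}: may run as root (runAsUser={uid}, runAsNonRoot={non_root})"))
    return findings


def audit(doc):
    """Audit a single Pod or a List document (as produced by kubectl get pods -o json)."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for pod in items if pod.get("kind") == "Pod" for f in audit_pod(pod)]


def audit_json(text):
    """Convenience wrapper: parse JSON text and audit it."""
    return audit(json.loads(text))


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_POD_JSON), ("hardened", HARDENED_POD_JSON)):
        print(f"== {label} ==")
        for level, msg in audit_json(text):
            print(f"[{level}] {msg}")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 audit.py` after replacing the `__main__` block with a read from stdin; the same conditions are what a `pod-security.kubernetes.io/enforce: baseline` namespace label would reject at admission time, so the script is useful for finding Pods that were created before such a policy was applied.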
References:
・Configure a Security Context for a Pod or Container
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
・Pod Security Standards
https://kubernetes.io/ja/docs/concepts/security/pod-security-standards/
・Volumes
https://kubernetes.io/docs/concepts/storage/volumes/