
Also applies at the pod level; different users sharing a storage volume: spec.securityContext.fsGroup and spec.securit

2024-03-31 Web Development

Run the container as a specific user: spec.containers.securityContext.runAsUser: uid

Disallow root inside the container: spec.containers.securityContext.runAsNonRoot: true

Run the container in privileged mode: spec.containers.securityContext.privileged: true

Add specific kernel capabilities to a container: spec.containers.securityContext.capabilities.add: ADD_TIME (allows changing the system time)

Drop kernel capabilities from a container: spec.containers.securityContext.capabilities.drop: ADD_TIME

Prevent writes to the container's root filesystem: spec.containers.securityContext.readOnlyRootFilesystem: true

The container-level security context settings above can also be applied at the pod level.

Different users sharing a storage volume: spec.securityContext.fsGroup and spec.securityContext.supplementalGroups

Combining RBAC with PodSecurityPolicy: define the PodSecurityPolicy objects

default

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
  namespace: default
spec:
  hostIPC: false
  hostPID: false
  hostNetwork: false
  hostPorts:
  - min: 10000
    max: 11000
  - min: 13000
    max: 14000
  privileged: false   # must be false: this policy is what rejects the privileged pod in the test below
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  volumes:
  - '*'

privileged

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  namespace: default
spec:
  hostIPC: false
  hostPID: false
  hostNetwork: false
  hostPorts:
  - min: 10000
    max: 11000
  - min: 13000
    max: 14000
  privileged: true
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  volumes:
  - '*'

Define the ClusterRoles (one per policy, each granting the "use" verb on that policy only; the kubectl flag is --resource):

kubectl create clusterrole psp-default --verb=use --resource=podsecuritypolicies --resource-name=default
kubectl create clusterrole psp-privileged --verb=use --resources=podsecuritypolicies --resource-name=privileged

Define the ClusterRoleBindings (kubectl requires a binding name, psp-default and psp-privileged are used here, and the group flag is --group):

kubectl create clusterrolebinding psp-default --clusterrole=psp-default --group=system:authenticated
kubectl create clusterrolebinding psp-privileged --clusterrole=psp-privileged --user=admin

Every authenticated user may therefore use the default policy, while only the user admin may additionally use the privileged policy.

Create a pod with privileged: true as user admin1, who is only a member of system:authenticated and so can use nothing but the default policy:

kubectl create -f centos_1.yaml
Error from server (Forbidden): error when creating "centos_1.yaml": pods "centos5" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
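To show why the same pod is rejected under one policy and admitted under the other, here is an added example (not code from the page or from Kubernetes) that re-implements the handful of PodSecurityPolicy checks the two policies above exercise; the policies, the pod and the violation wording are constructed inline to mirror the page's default/privileged pair and the centos5 pod.

```python
# Added example (not from the page): a small re-implementation of the PodSecurityPolicy checks the
# page's two policies exercise (privileged, host namespaces, hostPorts ranges, volume types).
from typing import Dict, List, Optional

def validate(pod: Dict, psp: Dict) -> List[str]:
    """Return PSP violations for a pod; an empty list means the policy admits the pod."""
    spec, out = pod["spec"], []
    for ns in ("hostIPC", "hostPID", "hostNetwork"):  # host namespaces need explicit permission
        if spec.get(ns) and not psp.get(ns, False):
            out.append(f"spec.{ns}: Invalid value: true: {ns} is not allowed")
    allowed = psp.get("volumes", [])  # each volume dict has "name" plus exactly one type key
    for v in spec.get("volumes", []):
        kind = next(k for k in v if k != "name")
        if "*" not in allowed and kind not in allowed:
            out.append(f"spec.volumes[{v['name']}]: Invalid value: {kind}: {kind} volumes are not allowed")
    for i, c in enumerate(spec["containers"]):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp.get("privileged", False):
            out.append(f"spec.containers[{i}].securityContext.privileged: "
                       "Invalid value: true: Privileged containers are not allowed")
        for p in c.get("ports", []):  # a hostPort must fall inside one of the allowed ranges
            hp = p.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"] for r in psp.get("hostPorts", [])):
                out.append(f"spec.containers[{i}].hostPort: Invalid value: {hp}: host port is not allowed")
    return out

def admitting_policy(pod: Dict, policies: Dict[str, Dict]) -> Optional[str]:
    """Name of the first policy the user may 'use' that admits the pod, or None (Forbidden)."""
    for name, psp in policies.items():
        if not validate(pod, psp):
            return name
    return None

# Constructed policies: "default" with privileged: false (what the page's error message implies)
# and "privileged" as shown on the page; both allow hostPorts 10000-11000 and 13000-14000.
PORTS = [{"min": 10000, "max": 11000}, {"min": 13000, "max": 14000}]
DEFAULT_PSP = {"hostIPC": False, "hostPID": False, "hostNetwork": False,
               "hostPorts": PORTS, "privileged": False, "volumes": ["*"]}
PRIVILEGED_PSP = dict(DEFAULT_PSP, privileged=True)

# Constructed pod mirroring the page's rejected request: a single privileged container.
CENTOS5 = {"metadata": {"name": "centos5"},
           "spec": {"containers": [{"name": "centos", "image": "centos",
                                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    # admin1 (only psp-default via system:authenticated) is refused; admin also holds psp-privileged.
    print(validate(CENTOS5, DEFAULT_PSP))
    print(admitting_policy(CENTOS5, {"default": DEFAULT_PSP, "privileged": PRIVILEGED_PSP}))
```

The real admission controller evaluates every policy the requesting user or the pod's service account is allowed to use and rejects the pod only when none admits it, which is exactly the "unable to validate against any pod security policy" case above.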

Kubernetes: securing the cluster's nodes and network

Note: this article is recommended by the Jm blog; please keep the link when reposting: https://www.jmwww.net/file/web/32018.html