k8s中的Security Context通常用于安全考虑,限制pod对host系统文件权限读取或者限制其对系统资源的使用。默认情况下,如果不使用Security Context,则pod默认会以root用户运行,在pod的从天儿中运行程序时,容易对某些对安全要求较高的系统造成损害。
详情参看官方:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: nginx name: nginx spec:
securityContext:
runAsUser: 100
runAsGroup: 1000
fsGroup: 205 containers: - image: nginx name: nginx resources: {}
volumeMounts:
- name: host-vol
mountPath: /etc/local dnsPolicy: ClusterFirst restartPolicy: Always
volumes:
- name: host-vol
hostPath:
path: /usr/shared/test status: {}
Resource资源定义表明了pod在运行期间,占据host资源的请求与限制使用,通常对resources分为requests与limits。字如其面,对系统资源的请求与最大限制
详情参考官方
两种方式可以在pod创建resources
kubectl run nginx --image=nginx --ports=80 --restart=Never --requests="cpu=250m,memory=256Mi" --limits="cpu=500m,memory=512Mi"
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: nginx name: nginx spec: containers: - image: nginx name: nginx resources: limits: cpu: 500m memory: 512Mi requests: cpu: 250m memory: 256Mi dnsPolicy: ClusterFirst restartPolicy: Never status: {}
Service account应用于在pod的容器中运行的进程
详情参看官方:
同样,有命令行和YAMl文件来定义service account
kubectl create sa nginx kubectl run nginx --image=nginx --serviceaccount=nginx --ports=80 --restart=Never
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: nginx name: nginx spec: serviceAccountName: nginx containers: - image: nginx name: nginx dnsPolicy: ClusterFirst restartPolicy: Never status: {}
Kubernetes中的Security Context, Resource requirement和Service Account
原文:https://www.cnblogs.com/kknight/p/14835475.html