k8s中的Security Context通常用于安全考虑,限制pod对host系统文件权限读取或者限制其对系统资源的使用。默认情况下,如果不使用Security Context,则pod默认会以root用户运行,在pod的从天儿中运行程序时,容易对某些对安全要求较高的系统造成损害。
详情参看官方:
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
securityContext:
runAsUser: 100
runAsGroup: 1000
fsGroup: 205
containers:
- image: nginx
name: nginx
resources: {}
volumeMounts:
- name: host-vol
mountPath: /etc/local
dnsPolicy: ClusterFirst
restartPolicy: Always
volumes:
- name: host-vol
hostPath:
path: /usr/shared/test
status: {}
Resource资源定义表明了pod在运行期间,占据host资源的请求与限制使用,通常对resources分为requests与limits。字如其面,对系统资源的请求与最大限制
详情参考官方
两种方式可以在pod创建resources
kubectl run nginx --image=nginx --ports=80 --restart=Never --requests="cpu=250m,memory=256Mi" --limits="cpu=500m,memory=512Mi"
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
Service account应用于在pod的容器中运行的进程
详情参看官方:
同样,有命令行和YAMl文件来定义service account
kubectl create sa nginx kubectl run nginx --image=nginx --serviceaccount=nginx --ports=80 --restart=Never
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx
name: nginx
spec:
serviceAccountName: nginx
containers:
- image: nginx
name: nginx
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}
Kubernetes中的Security Context, Resource requirement和Service Account
原文:https://www.cnblogs.com/kknight/p/14835475.html