pod进程的运行用户

kubernetes
字数统计: 556   |   阅读时长≈ 3 分钟

pod进程的运行用户

配置位置:Deployment.spec.template.spec.containers.securityContext

在k8s v1.16.2 中没有fsGroup

1
2
3
4
5
6
7
8
9
10
11
12
13
14
spec:
  containers:
  - name: redis
    image: registry.cn-shanghai.aliyuncs.com/outsrkem/redis:5.0.2-tools
    ports:
    - name: http
      containerPort: 6379
      protocol: TCP
    volumeMounts:
    - name: vol-logstash-volume
      mountPath: /usr/local/redis/conf/conf.d/
    securityContext:
      runAsNonRoot: true
      runAsUser: 1200

效果如下,相当于Dockerfile中的USER 参数指定的用户一样。

1
2
3
4
5
6
[redis@redis-pod-cm-1-7fb75f45bd-ts8mf redis]$ id
uid=1200(redis) gid=1200(redis) groups=1200(redis)
[redis@redis-pod-cm-1-7fb75f45bd-ts8mf redis]$ ps axu 
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
redis         1  0.1  0.1  50248  2676 ?        Ssl  10:57   0:00 redis-server 0.0.0.0:6379
redis       102  0.0  0.1  12364  2496 pts/0    Ss   11:05   0:00 bash

volumes配置权限

为volumes配置权限Deployment.spec.template.spec.volumes.configMap.defaultMode,

此权限只针对挂载的文件生效,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
spec:
  containers:
  - name: redis
    image: registry.cn-shanghai.aliyuncs.com/outsrkem/redis:5.0.2-tools
    ports:
    - name: http
      containerPort: 6379
      protocol: TCP
    volumeMounts:
    - name: vol-logstash-volume
      mountPath: /usr/local/redis/conf/conf.d/
    securityContext:
      runAsUser: 1200
  volumes:
  - name: vol-logstash-volume
    configMap:
      name: logstash-config
      defaultMode: 0600

效果如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[redis@redis-pod-cm-1-7fb75f45bd-ts8mf conf]$ find . -exec ls -l {} \;
total 64
drwxrwxrwx 3 root root   151 Nov  1 10:57 conf.d  # 挂载在这个目录下
total 0
lrwxrwxrwx 1 root root 26 Nov  1 10:57 02-beats-input.conf -> ..data/02-beats-input.conf
lrwxrwxrwx 1 root root 21 Nov  1 10:57 10-syslog.conf -> ..data/10-syslog.conf
lrwxrwxrwx 1 root root 20 Nov  1 10:57 11-nginx.conf -> ..data/11-nginx.conf
lrwxrwxrwx 1 root root 21 Nov  1 10:57 30-output.conf -> ..data/30-output.conf
total 16
-rw------- 1 root root  41 Nov  1 10:57 02-beats-input.conf  # 这里是生效的权限
-rw------- 1 root root 456 Nov  1 10:57 10-syslog.conf
-rw------- 1 root root 113 Nov  1 10:57 11-nginx.conf
-rw------- 1 root root 151 Nov  1 10:57 30-output.conf
-rw------- 1 root root 41 Nov  1 10:57 ./conf.d/..2020_11_01_02_57_10.956627988/02-beats-input.conf
-rw------- 1 root root 456 Nov  1 10:57 ./conf.d/..2020_11_01_02_57_10.956627988/10-syslog.conf
-rw------- 1 root root 113 Nov  1 10:57 ./conf.d/..2020_11_01_02_57_10.956627988/11-nginx.conf
-rw------- 1 root root 151 Nov  1 10:57 ./conf.d/..2020_11_01_02_57_10.956627988/30-output.conf
lrwxrwxrwx 1 root root 21 Nov  1 10:57 ./conf.d/10-syslog.conf -> ..data/10-syslog.conf
lrwxrwxrwx 1 root root 20 Nov  1 10:57 ./conf.d/11-nginx.conf -> ..data/11-nginx.conf
lrwxrwxrwx 1 root root 21 Nov  1 10:57 ./conf.d/30-output.conf -> ..data/30-output.conf
lrwxrwxrwx 1 root root 26 Nov  1 10:57 ./conf.d/02-beats-input.conf -> ..data/02-beats-input.conf
lrwxrwxrwx 1 root root 31 Nov  1 10:57 ./conf.d/..data -> ..2020_11_01_02_57_10.956627988


打赏
  • 版权声明: 本博客所有文章除特别声明外,著作权归作者所有。转载请注明出处!
  • Copyrights © 2018-2024 Outsrkem
  • 访问人数: | 浏览次数:

      请我喝杯咖啡吧~

      支付宝
      微信