安全策略

非root用户运行容器

设置运行的用户及用户组
不允许越权
这样不以root用户运行容器 安全一些

apiVersion: v1
kind: Pod
metadata:
  name: "myapp"
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000
  volumes:
  - name: security
    emptyDir: {}
  containers:
  - name: myapp
    image: busybox
    command: ['sh','-c','sleep 1h']
    resources:
      limits:
        cpu: 200m
        memory: 500Mi
      requests:
        cpu: 100m
        memory: 200Mi
    volumeMounts:
    - name: security
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

将此pod跑起来之后就可以看到用户的变化