Running containers as a non-root user
Set the user and group the container runs as
Do not allow privilege escalation
Running the container this way, not as root, is somewhat safer.
apiVersion: v1
kind: Pod
metadata:
  name: "myapp"
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000
  volumes:
  - name: security
    emptyDir: {}
  containers:
  - name: myapp
    image: busybox
    command: ['sh','-c','sleep 1h']
    resources:
      limits:
        cpu: 200m
        memory: 500Mi
      requests:
        cpu: 100m
        memory: 200Mi
    volumeMounts:
    - name: security
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
Once this Pod is running, you can see that the processes run as the configured user instead of root.
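The following is an added example, not part of the original note: a small audit that reads a Pod manifest (as the dict that parsing the YAML above would produce) and reports any container that still ends up as root or without allowPrivilegeEscalation: false. It shows a point the manifest alone does not make obvious: a container-level securityContext overrides the Pod-level one for runAsUser, runAsGroup and runAsNonRoot, so a sidecar can silently undo the Pod-level non-root setting. The two sample Pods and the audit rules are constructed here for illustration; no cluster or PyYAML is needed.

```python
# Added example (not from the original note): audit a Pod manifest for the
# non-root settings the note describes. The manifest is supplied as a Python
# dict (what yaml.safe_load would return), so it runs offline with no cluster
# and no PyYAML. The audit rules and the sample Pods below are constructed.

# Constructed copy of the Pod from the note, reduced to the fields that matter here.
SAFE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "myapp"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 2000},
        "containers": [
            {
                "name": "myapp",
                "image": "busybox",
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}

# Constructed variant: a sidecar overrides the Pod-level user back to root and
# never sets allowPrivilegeEscalation. Container-level securityContext wins
# over Pod-level for the fields both accept, so the Pod-level runAsUser: 1000
# does not protect this container.
RISKY_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "myapp-with-sidecar"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 2000},
        "containers": [
            {"name": "myapp", "image": "busybox",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "image": "busybox",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}


def effective_context(pod_spec, container):
    """Merge Pod-level and container-level securityContext the way Kubernetes
    applies them: container values override Pod values for runAsUser,
    runAsGroup and runAsNonRoot; allowPrivilegeEscalation exists only at
    container level; fsGroup exists only at Pod level."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return {
        "runAsUser": ctr_sc.get("runAsUser", pod_sc.get("runAsUser")),
        "runAsGroup": ctr_sc.get("runAsGroup", pod_sc.get("runAsGroup")),
        "runAsNonRoot": ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")),
        "allowPrivilegeEscalation": ctr_sc.get("allowPrivilegeEscalation"),
        "fsGroup": pod_sc.get("fsGroup"),
    }


def audit_pod(pod):
    """Return a list of (container name, finding) pairs; an empty list means
    every container matches the non-root, no-escalation pattern of the note."""
    findings = []
    spec = pod["spec"]
    # initContainers run first and get the same merge rules, so include them.
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = effective_context(spec, ctr)
        name = ctr["name"]
        if ctx["runAsUser"] == 0:
            findings.append((name, "runAsUser is 0: process runs as root"))
        elif ctx["runAsUser"] is None and ctx["runAsNonRoot"] is not True:
            findings.append((name, "no runAsUser and no runAsNonRoot: the image's "
                                   "default user applies, which is often root"))
        if ctx["runAsGroup"] is None:
            findings.append((name, "runAsGroup unset: primary group comes from the image"))
        if ctx["allowPrivilegeEscalation"] is not False:
            findings.append((name, "allowPrivilegeEscalation not false: setuid binaries "
                                   "and file capabilities can still raise privileges"))
    return findings


if __name__ == "__main__":
    for pod in (SAFE_POD, RISKY_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Running it prints OK for the Pod from the note and two findings for the sidecar in the second Pod. The same merge rule is why the note sets allowPrivilegeEscalation at the container level: that field has no Pod-level equivalent, so it must be repeated in every container.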