检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
alpha.kubernetes.io/nginx: runtime/default labels: app: nginx-seccomp spec: containers: - name: nginx image: nginx 不符合策略实例的资源定义 示例中的container
metadata: name: nginx-volume-types-allowed labels: app: nginx-volume-types spec: containers: - name: nginx image: nginx volumeMounts:
创建完成后,可以执行如下命令操作MCS对象。其中nginx为MCS对象的名称。 获取MCS对象:kubectl get mcs nginx 更新MCS对象:kubectl edit mcs nginx 删除MCS对象:kubectl delete mcs nginx 通过MCS访问服务 MCS对象
metadata: name: nginx-privileged-allowed labels: app: nginx-privileged spec: containers: - name: nginx image: nginx securityContext:
name: nginx image: nginx 不符合策略实例的资源定义 Pod的automountServiceAccountToken字段设为true,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-au
containers: - name: nginx image: nginx 不符合策略实例的资源定义 示例中hostPID和hostIPC均为true,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-namespace-disallowed
name: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec:
beta.kubernetes.io/nginx: runtime/default labels: app: nginx-apparmor spec: containers: - name: nginx image: nginx 不符合策略实例的资源定义 示例
metadata: name: nginx-readonlyrootfilesystem-allowed labels: app: nginx-readonlyrootfilesystem spec: containers: - name: nginx image:
name: nginx-host-filesystem labels: app: nginx-host-filesystem-disallowed spec: containers: - name: nginx image: nginx
apiVersion: v1 kind: Pod metadata: name: nginx-host-networking-ports-allowed labels: app: nginx-host-networking-ports spec: hostNetwork:
name: nginx-privilege-escalation-allowed labels: app: nginx-privilege-escalation spec: containers: - name: nginx image: nginx
name: nginx-forbidden-sysctls-disallowed labels: app: nginx-forbidden-sysctls spec: containers: - name: nginx image: nginx securityContext:
metadata: name: nginx-proc-mount-disallowed labels: app: nginx-proc-mount spec: containers: - name: nginx image: nginx securityContext:
app: nginx replicas: 3 template: metadata: labels: app: nginx spec: containers: - name: nginx
name: nginx-flexvolume-driver-allowed labels: app: nginx-flexvolume-driver spec: containers: - name: nginx image: nginx volumeMounts:
edit命令将上面Deployment中的镜像修改为nginx:alpine。修改完成后再查询ReplicaSet和Pod,发现创建了一个新的ReplicaSet,Pod也重新创建了。 $ kubectl edit deploy nginx $ kubectl get rs NAME
metadata: name: nginx-selinux-allowed labels: app: nginx-selinux spec: containers: - name: nginx image: nginx securityContext:
略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-users-allowed labels: app: nginx-users spec: securityContext: supplementalGroups:
edit命令将上面Deployment中的镜像修改为nginx:alpine。修改完成后再查询ReplicaSet和Pod,发现创建了一个新的ReplicaSet,Pod也重新创建了。 $ kubectl edit deploy nginx $ kubectl get rs NAME