Pod

Image tags

Always use a tag when referencing an image; if none is given, latest is applied automatically.

Do not use latest. What it points to keeps changing, so it causes problems.

In fact, even sha tags can be duplicated. Use the container digest where possible.

A digest is unique.

docker image ls --digests
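The difference between an implicit latest tag, an explicit tag and a digest can be checked mechanically. The following is an added example, not code from the original notes: a small parser that splits an image reference into repository, tag and digest and reports anything that is not digest-pinned. The sample references are constructed; the digest values are placeholders of the right length and the registry names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample references (not taken from the original page).
SAMPLE_IMAGES = [
    "k8s.gcr.io/busybox",                                   # no tag -> implicit latest
    "nginx:latest",                                         # explicit mutable tag
    "registry.example.com:5000/team/app:1.4.2",             # versioned but still mutable
    "registry.example.com:5000/team/app@sha256:" + "a" * 64,  # digest only
    "team/app:1.4.2@sha256:" + "b" * 64,                    # tag plus digest (digest wins)
]

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        # A digest identifies exactly one image manifest; tags can be re-pointed.
        return self.digest is not None


def parse_image(ref: str) -> ImageRef:
    """Split 'repo[:tag][@sha256:hex]' into its parts.

    A ':' inside the repository is a registry port and only appears before the
    first '/', so the tag separator is the last ':' that comes after the last '/'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    repository, tag = ref, None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        repository, tag = ref[:colon], ref[colon + 1:]
    return ImageRef(repository, tag, digest)


def check_image(ref: str) -> Tuple[str, str]:
    """Return ('ok'|'warn', reason) for one reference."""
    img = parse_image(ref)
    if img.pinned:
        return "ok", "pinned by digest"
    if img.tag is None:
        return "warn", "no tag, the runtime will pull :latest"
    if img.tag == "latest":
        return "warn", "mutable tag 'latest'"
    return "warn", f"tag '{img.tag}' is mutable; pin by digest"


def audit_images(refs: List[str]) -> List[Tuple[str, str, str]]:
    return [(ref, *check_image(ref)) for ref in refs]


if __name__ == "__main__":
    for ref, level, reason in audit_images(SAMPLE_IMAGES):
        print(f"{level:4} {ref}: {reason}")
```

The digest to pin against is the value shown by the `docker image ls --digests` command above.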

ํ™˜๊ฒฝ๋ณ€์ˆ˜์˜ ์ตœ๋Œ€๊ฐ’์€ 32KiB๋กœ ์ œํ•œ

delete completed pod

kubectl delete pod --field-selector=status.phase==Succeeded

Using a configmap as env

With a configmap already present, using configmap values as env in a pod

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: ['/bin/sh', '-c', 'env']
      env:
        # Define the environment variable
        - name: SPECIAL_LEVEL_KEY
          valueFrom:
            configMapKeyRef:
              # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
              name: special-config
              # Specify the key associated with the value
              key: special.how
  restartPolicy: Never

Using a configmap via envFrom

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: ['/bin/sh', '-c', 'env']
      envFrom:
        - configMapRef:
            name: special-config
  restartPolicy: Never

Doing this, every entry in the configmap is turned into an environment variable.
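What the kubelet actually does when it builds a container's environment from `env` and `envFrom` is easy to get wrong, so here is an added example (not from the original notes) that replays that resolution on a constructed ConfigMap: `envFrom` entries are expanded first, keys that are not valid environment variable names are skipped, and explicit `env` entries override anything that came from `envFrom`. The ConfigMap contents and the `LOG_LEVEL` override are constructed for the example; the name rule assumed here is the classic C_IDENTIFIER check (newer releases can relax it behind a feature gate).

```python
import re
from typing import Dict, List, Tuple

# Name rule the kubelet applies to keys imported through envFrom (assumed classic rule).
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed ConfigMap data, keyed by ConfigMap name (stand-in for cluster objects).
CONFIGMAPS = {
    "special-config": {
        "special.how": "very",     # valid ConfigMap key, invalid env var name
        "SPECIAL_TYPE": "charm",
        "LOG_LEVEL": "debug",
    },
}

# Constructed container spec mixing the two mechanisms shown above.
SAMPLE_CONTAINER = {
    "name": "test-container",
    "envFrom": [{"configMapRef": {"name": "special-config"}}],
    "env": [
        # Explicit mapping lets an invalid key still reach the container under a valid name.
        {"name": "SPECIAL_LEVEL_KEY",
         "valueFrom": {"configMapKeyRef": {"name": "special-config", "key": "special.how"}}},
        # Explicit env wins over the same key imported via envFrom.
        {"name": "LOG_LEVEL", "value": "info"},
    ],
}


def resolve_env(container: dict, configmaps=CONFIGMAPS) -> Tuple[Dict[str, str], List[str]]:
    """Return (environment, skipped_keys) in the order the kubelet resolves them."""
    env: Dict[str, str] = {}
    skipped: List[str] = []

    # 1. envFrom: import every key, optionally prefixed, dropping invalid names.
    for source in container.get("envFrom", []):
        data = configmaps[source["configMapRef"]["name"]]
        prefix = source.get("prefix", "")
        for key, value in data.items():
            name = prefix + key
            if not ENV_NAME_RE.match(name):
                skipped.append(name)  # the kubelet records an event for these
                continue
            env[name] = value

    # 2. env: explicit entries, applied last so they override envFrom.
    for entry in container.get("env", []):
        if "value" in entry:
            env[entry["name"]] = entry["value"]
        else:
            ref = entry["valueFrom"]["configMapKeyRef"]
            env[entry["name"]] = configmaps[ref["name"]][ref["key"]]
    return env, skipped


if __name__ == "__main__":
    environment, dropped = resolve_env(SAMPLE_CONTAINER)
    for name, value in environment.items():
        print(f"{name}={value}")
    print("skipped:", dropped)
```

The `special.how` key shows why `envFrom` alone is not always enough: a dotted ConfigMap key never becomes a variable, while an explicit `configMapKeyRef` under `env` can expose it under any valid name.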

securityContext

Running the container as a non-root user

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
    - name: test-container
      image: k8s.gcr.io/busybox
      command: ['/bin/sh', '-c', 'id']

๋„์ปค ์ด๋ฏธ์ง€์—์„œ๋„ ์ง€์ •์ด ๊ฐ€๋Šฅํ•˜๋‚˜ ์ด๋ ‡๊ฒŒ ์ฟ ๋ฒ„๋„คํ‹ฐ์Šค์—์„œ ๋ณ€๊ฒฝ๋„ ๊ฐ€๋Šฅํ•˜๋‹ค.

1000๋ฒˆ์€ ๋ฆฌ๋ˆ…์Šค์—์„œ ์ฒ˜์Œ ์œ ์ €๊ฐ€ ๊ฐ€์ง€๋Š” ๋ฒˆํ˜ธ์ด๋ฏ€๋กœ 1000๋ฒˆ ์ด์ƒ์„ ์‚ฌ์šฉํ•˜๋Š”๊ฒŒ ์ข‹๋‹ค.

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค๊ฐ€ ๋„์ปค์˜ ๋ชจ๋“  ์œ ์ € ์„ค์ •์„ ๋ฎ์–ด์“ด๋‹ค.

๊ฐ ์ปจํ…Œ์ด๋„ˆ๋งˆ๋‹ค ๋‹ค๋ฅธ uid๋ฅผ ์ถ”์ฒœํ•œ๋‹ค.

๋‘๊ฐœ์˜ ์ปจํ…Œ์ด๋„ˆ๊ฐ€ ๋™์ผํ•œ ๋ฐ์ดํ„ฐ์— ์ ‘๊ทผํ•˜๋ฉด uid๋Š” ๊ฐ™์•„์•ผํ•œ๋‹ค.

root container ์ฐจ๋‹จํ•˜๊ธฐ

์ฟ ๋ฒ„๋„คํ‹ฐ์Šค๊ฐ€ container๊ฐ€ root๋กœ ์‹คํ–‰๋˜๋Š”๊ฒƒ์„ ๋ฐฉ์ง€ํ•ด์ฃผ๋Š” ์˜ต์…˜์„ ์ œ๊ณต

apiVersion: v1
kind: Pod
# ...
spec:
  securityContext:
    runAsNonRoot: true

root๋กœ ์‹คํ–‰๋˜๋Š”๊ฒƒ์„ ๋ฐฉ์ง€ํ•ด์ค€๋‹ค.

CreateContainerConfigError: container 'root' is not allowed to run as root ๋ฐœ์ƒ

readOnlyRootFile

apiVersion: v1
kind: Pod
# ...
spec:
  securityContext:
    readOnlyRootFileSystem: true

์ปจํ…Œ์ด๋„ˆ์— ์“ฐ๊ธฐ ๊ถŒํ•œ์ด ํ•„์š”ํ•˜์ง€ ์•Š์œผ๋ฉด ์˜ต์…˜์„ ์‚ฌ์šฉํ•˜์ž.

๊ถŒํ•œ ์ƒ์Šน ๋น„ํ™œ์„ฑํ™”

apiVersion: v1
kind: Pod
# ...
spec:
  securityContext:
    allowPrivilegeEscalation: false

๋ฆฌ๋ˆ…์Šค ๋ฐ”์ด๋„ˆ๋ฆฌ๋Š” ์ด๋ฅผ ์‹คํ–‰ํ•œ ์‚ฌ์šฉ์ž์™€ ๊ฐ™์€ ๊ถŒํ•œ์œผ๋กœ ์‹คํ–‰๋œ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ ์˜ˆ์™ธ๋Š” ์žˆ๋‹ค.

seuid ๋งค์ปค๋‹ˆ์ฆ์„ ์‚ฌ์šฉํ•˜๋ฉด ์ผ์‹œ์ ์œผ๋กœ ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ์†Œ์œ ํ•œ ์‚ฌ์šฉ์ž(์ผ๋ฐ˜์ ์œผ๋กœ root)์˜ ๊ถŒํ•œ์œผ๋กœ ์‹คํ–‰ํ• ์ˆ˜ ์žˆ๋‹ค.

์ปจํ…Œ์ด๋„ˆ๋ฅผ ์ผ๋ฐ˜ ์‚ฌ์šฉ์ž๋กœ ์‹คํ–‰ํ•˜๋”๋ผ๋„ ์ปจํ…Œ์ด๋„ˆ๊ฐ€ setuid ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ๊ฐ€์ง€๊ณ  ์žˆ๋Š” ๊ฒฝ์šฐ์— ์ปจํ…Œ์ด๋„ˆ์—์„œ root ๊ถŒํ•œ์„ ์–ป์„์ˆ˜ ์ž‡์œผ๋ฏ€๋กœ ์ž ์žฌ์ ์ธ ๋ฌธ์ œ๊ฐ€ ๋œ๋‹ค. ์ด๋ฅผ ๋ฐฉ์ง€ํ•˜๊ธฐ์œ„ํ•ด allowPrivilegeEscalation ๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค.

์ปจํ…Œ์ด๋„ˆ ๋‹จ์œ„๋กœ ๊ถŒํ•œ ์„ค์ •

์œ„ ์„ค์ •๋“ค์€ pod๊ฐ€ ์•„๋‹ˆ๋ผ ์ปจํ…Œ์ด๋„ˆ ์ˆ˜์ค€์œผ๋กœ ์˜ฌ๋ผ๊ฐˆ์ˆ˜๋„ ์žˆ๋‹ค.
