堆栈内存溢出
  简体   繁体   English

Kubernetes pod 安全策略 uid/gid 范围

[英]Kubernetes pod security policies uid/gid ranges

 原文  2019-10-10 21:09:43       security/ kubernetes

问题描述

I need to allow the ranges 0-1000, and 6000-7000 to be used for application deployments, and forbid all others.我需要允许范围 0-1000 和 6000-7000 用于应用程序部署,并禁止所有其他范围。

Does this configuration will prevent someone to exec into pod/container and can switch to some other uid/gid?此配置是否会阻止某人执行到 pod/container 并可以切换到其他一些 uid/gid?

1 个解决方案

解决方案1
 0  2019-10-11 04:32:34

Linux does not normally permit non-root users to exec as other UID/GIDs without something like sudo . Linux 通常不允许非 root 用户在没有类似sudo的情况下作为其他 UID/GID 执行。 As long as you also limit capabilities, privileged , privilege escalation and unsafe mount types, you can be fairly certain your pods will only run with processes as the UID/GIDs that you specify.只要您还限制功能、 privileged 、特权升级和不安全的挂载类型,您就可以相当确定您的 pod 将仅使用您指定的 UID/GID 进程运行。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么很多服务器都改变它的uid和gid,有什么好处? - Why many servers change its uid and gid,what's the benefit? Firefox扩展安全策略 - Firefox Extension Security Policies Android安全性更改UID - Android Security Changing UID 具有Java安全策略的嵌入式Jetty - Embedded Jetty with Java Security Policies 是否应该在Nginx中设置安全标头/策略或表达? - Should security headers/policies be set in nginx or express? 内容安全策略是否支持通配符后缀 - Do Content Security Policies support a wildcard suffix Kubernetes 部署中的安全上下文 - security context in kubernetes deployment 通过 kubernetes 中的 Gatekeeper 应用 ServiceAccount 特定的 OPA 策略 - Applying ServiceAccount specific OPA policies through Gatekeeper in kubernetes 当我有两个 CSP(内容安全策略)策略 - 标头和元时会发生什么? - What is happening when I have two CSP (Content Security Policies) policies - header & meta? 如何实现多个Content-Security-Policies和标头? - How to implement multiple Content-Security-Policies and headers?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM