Kubernetes Pod Security Policy Default Privileged Value
Question
I am learning more about Kubernetes Pod Security Policies, and while going through the list of fields, I could not find the default value for the Privileged flag. Is this value dependent on the container runtime used? For example, Docker containers have this value set to false by default, so if I had a Kubernetes cluster with only Docker containers, would all the pods be unprivileged?
2 answers
solution1
1 2019-07-04 20:20:05
There is a privileged flag on the SecurityContext of the container spec. The default is false.
Foreexample by below template you can set it to true.
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
- name: hello-world-container
# The container definition
# ...
securityContext:
privileged: true
solution2
1 ACCPTED 2019-07-05 03:12:38
In a fresh cluster the default PSP is very permissive which means that you pretty much anything is allowed. So the default would be to allow privileged containers if the privileged flag was toggled on the pod, same with root users, etc.
You will have to explicitly turn set the flag to true in the PSP if you want to enforce it. I believe this is true regardless of the Container runtime being used, works with Windows containers too :)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.