I need to allow the ranges 0-1000, and 6000-7000 to be used for application deployments, and forbid all others.
Does this configuration will prevent someone to exec into pod/container and can switch to some other uid/gid?
Linux does not normally permit non-root users to exec as other UID/GIDs without something like sudo
. As long as you also limit capabilities, privileged
, privilege escalation and unsafe mount types, you can be fairly certain your pods will only run with processes as the UID/GIDs that you specify.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.