
Lab - Ensure Immutability of Containers at Runtime

  • Take me to the Lab

Solutions to Lab - Ensure Immutability of Containers at Runtime:

Details
Check if the pods are running with read-only root and do not use elevated privileges.

Answer: "All of them"

Details
It can write to the root filesystem
Details
# Use securityContext in the container section and set readOnlyRootFilesystem to true.

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: triton
  name: triton
  namespace: alpha
spec:
  containers:
  - image: httpd
    name: triton
    securityContext:
      readOnlyRootFilesystem: true
```
Details
CrashLoopBackOff
Details
# Inspect the logs to find out the reason.

/usr/local/apache2/logs is read-only
Details
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: triton
  name: triton
  namespace: alpha
spec:
  containers:
  - image: httpd
    name: triton
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /usr/local/apache2/logs
      name: log-volume
  volumes:
  - name: log-volume
    emptyDir: {}
```
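An added audit script, not part of the lab's solution files, that covers both the first check (which pods run with a read-only root and without elevated privileges) and the CrashLoopBackOff step (which paths stay writable once the root filesystem is locked, so a write-only directory such as the httpd log path can be backed by a volume). It runs offline on a constructed PodList that mirrors the triton and grimsby manifests on this page plus an assumed privileged pod named solaris; that solaris spec is an illustration only, as the page does not show that pod's configuration. Against a live cluster, feed it real data with `kubectl get pods -n alpha -o json | python3 audit.py -`.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -o json` (a PodList).
# triton and grimsby mirror the lab manifests; solaris is an assumed
# privileged pod added here purely for illustration.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "triton", "namespace": "alpha"},
         "spec": {
             "containers": [{
                 "name": "triton", "image": "httpd",
                 "securityContext": {"readOnlyRootFilesystem": True},
                 "volumeMounts": [{"name": "log-volume",
                                   "mountPath": "/usr/local/apache2/logs"}]}],
             "volumes": [{"name": "log-volume", "emptyDir": {}}]}},
        {"metadata": {"name": "grimsby", "namespace": "alpha"},
         "spec": {
             "securityContext": {"runAsUser": 1000, "runAsGroup": 3000},
             "containers": [{
                 "name": "sec-ctx-demo", "image": "busybox",
                 "volumeMounts": [{"name": "demo-volume",
                                   "mountPath": "/data/demo"}]}],
             "volumes": [{"name": "demo-volume", "emptyDir": {}}]}},
        {"metadata": {"name": "solaris", "namespace": "alpha"},
         "spec": {"containers": [{
             "name": "solaris", "image": "busybox",
             "securityContext": {"privileged": True}}]}},
    ],
}


def container_findings(pod_spec, container):
    """Return the list of immutability/privilege problems for one container."""
    sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    findings = []
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem is writable")
    if sc.get("privileged") is True:
        findings.append("privileged container")
    # allowPrivilegeEscalation defaults to true when it is not set at all
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation not disabled")
    # a container-level runAsUser overrides the pod-level one
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid is None or uid == 0:
        findings.append("may run as root (runAsUser unset or 0)")
    return findings


def writable_mounts(container):
    """Mount paths that stay writable even with readOnlyRootFilesystem: true."""
    return [m["mountPath"] for m in container.get("volumeMounts", [])
            if not m.get("readOnly", False)]


def audit(podlist):
    """Map 'namespace/pod/container' -> findings and writable mount paths."""
    report = {}
    for pod in podlist.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []):
            key = f"{meta.get('namespace', 'default')}/{meta['name']}/{c['name']}"
            report[key] = {"findings": container_findings(spec, c),
                           "writable_mounts": writable_mounts(c)}
    return report


def immutable_pods(podlist):
    """Names of pods whose containers all run read-only root and unprivileged."""
    names = []
    for pod in podlist.get("items", []):
        ok = all((c.get("securityContext") or {}).get("readOnlyRootFilesystem") is True
                 and (c.get("securityContext") or {}).get("privileged") is not True
                 for c in pod["spec"].get("containers", []))
        if ok:
            names.append(pod["metadata"]["name"])
    return names


if __name__ == "__main__":
    # `python3 audit.py -` reads a PodList from stdin; no argument uses the sample
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_PODLIST
    for key, entry in audit(data).items():
        status = "OK" if not entry["findings"] else "; ".join(entry["findings"])
        print(f"{key}: {status}  writable mounts: {entry['writable_mounts']}")
    print("immutable pods:", immutable_pods(data))
```

The check treats an unset `readOnlyRootFilesystem` as writable and an unset `allowPrivilegeEscalation` as enabled, which matches the Kubernetes defaults; only an explicit `true`/`false` counts as compliant. The writable-mount listing is what tells you whether a pod that crashes after the root filesystem is locked (like triton writing to /usr/local/apache2/logs) has the directory it needs backed by a volume.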
Details
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: grimsby
  namespace: alpha
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  volumes:
    - name: demo-volume
      emptyDir: {}
  containers:
    - name: sec-ctx-demo
      image: busybox
      command: [ "sh", "-c", "sleep 5h" ]
      volumeMounts:
        - name: demo-volume
          mountPath: /data/demo
```
Details
```bash
kubectl -n alpha delete pod solaris
```