Comment: make more specific
← Revision 4 as of 2021-10-23 09:23:19 ⇥
Line 11: | Line 11: |
* In k8s, can set security on Pod or Container level. * Set under '''spec:''' for POD level, or move under '''containers:''' {{{ securityContext: runAsUser: 1000 capabilities: add: ["MAC_ADMIN"] }}} |
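Review bot: the `capabilities:` block is only valid under `containers:`; the pod-level `spec.securityContext` (PodSecurityContext) has no `capabilities` field, so only `runAsUser: 1000` can move up to pod level while the capability list must stay on the container. The added text also flattens the YAML onto one line, which hides that `add:` is nested under `capabilities:`, which is nested under `securityContext:`; keeping the indentation inside the `{{{ }}}` block would make the structure clear.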
k8s/StudyNotes/ Security Docker
- Docker uses Linux namespaces for isolation; a container's processes are still visible from the host (e.g. in ps), just with different PIDs.
- Full list of Linux capabilities: /usr/include/linux/capability.h
- A container's capabilities can be limited.
- On Docker, capabilities are adjusted per container at run time:
  docker run --cap-add MAC_ADMIN ..., docker run --cap-drop ..., or docker run --privileged (all capabilities)
- In k8s, security settings can be set at Pod or Container level.
  Set under spec: for POD level, or move under containers: for a single container:
    securityContext:
      runAsUser: 1000
      capabilities:
        add: ["MAC_ADMIN"]
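The two notes above (Docker --cap-add/--cap-drop and the k8s securityContext at Pod vs Container level) describe the same capability names applied at different layers. The following is an added example, not code from the study notes: it takes a Pod manifest as a Python dict, resolves the securityContext each container actually ends up with (pod-level runAsUser and similar fields are inherited unless the container overrides them; capabilities, privileged and allowPrivilegeEscalation exist only at container level), and flags the settings a reviewer would want to see: privileged, running as root, capabilities added without first dropping ALL, and a capabilities key mistakenly placed at pod level. The sample manifest, the container names and the ALLOWED_ADDS allowlist are constructed for the example and are not Kubernetes defaults.

```python
# Added example (not from the study notes): resolve the securityContext a
# Kubernetes container actually ends up with, then flag the risky settings the
# notes mention (privileged, added capabilities, running as root).

# Pod-level fields that a container inherits unless it overrides them.
# capabilities/privileged/allowPrivilegeEscalation exist only at container level.
POD_LEVEL_INHERITED = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")

# Capabilities this (hypothetical) policy tolerates being added back.
ALLOWED_ADDS = {"NET_BIND_SERVICE"}

# Constructed sample manifest, written as the dict form of the Pod YAML.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secctx-demo"},          # constructed name
    "spec": {
        "securityContext": {"runAsUser": 1000},  # pod level, inherited
        "containers": [
            {
                "name": "web",
                "image": "nginx",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                },
            },
            {
                "name": "debug",
                "image": "busybox",
                "securityContext": {
                    "runAsUser": 0,                     # overrides pod-level 1000
                    "privileged": True,
                    "capabilities": {"add": ["MAC_ADMIN"]},
                },
            },
        ],
    },
}


def effective_context(pod, container):
    """Merge inheritable pod-level settings into the container's own
    securityContext; the container's values take precedence."""
    pod_sc = pod["spec"].get("securityContext", {})
    merged = {k: v for k, v in pod_sc.items() if k in POD_LEVEL_INHERITED}
    merged.update(container.get("securityContext", {}))
    return merged


def audit_pod(pod):
    """Return {container name: [finding, ...]}; containers with no findings
    are omitted. A pod-level 'capabilities' key is reported under '<pod>'."""
    findings = {}
    if "capabilities" in pod["spec"].get("securityContext", {}):
        findings["<pod>"] = ["capabilities is not a pod-level field; "
                             "move it under containers[].securityContext"]
    for ctr in pod["spec"]["containers"]:
        sc = effective_context(pod, ctr)
        caps = sc.get("capabilities", {})
        issues = []
        if sc.get("privileged"):
            issues.append("privileged: true (all capabilities, host devices)")
        if sc.get("runAsUser") == 0 or (
                "runAsUser" not in sc and not sc.get("runAsNonRoot")):
            issues.append("may run as root")
        if "ALL" not in caps.get("drop", []):
            issues.append("does not drop ALL before adding capabilities back")
        for cap in caps.get("add", []):
            if cap not in ALLOWED_ADDS:
                issues.append(f"adds capability {cap}")
        if sc.get("allowPrivilegeEscalation", True):
            issues.append("allowPrivilegeEscalation not set to false")
        if issues:
            findings[ctr["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_pod(SAMPLE_POD).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Running it reports nothing for the "web" container (it inherits runAsUser 1000, drops ALL, adds back only NET_BIND_SERVICE and disables privilege escalation) and five findings for "debug", including the MAC_ADMIN addition from the notes; the same drop-then-add pattern maps directly onto docker run --cap-drop ALL --cap-add ... for a plain Docker host.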