Differences between revisions 3 and 4
Revision 3 as of 2021-10-23 09:20:33
Size: 349
Editor: PieterSmit
Comment: make more specific
Revision 4 as of 2021-10-23 09:23:19
Size: 570
Editor: PieterSmit
Comment:
Line 11: Line 11:

 * In k8s, can set security on Pod or Container level.
   * Set under '''spec:''' for POD level, or move under '''containers:''' {{{
securityContext:
  runAsUser: 1000
  capabilities:
    add: ["MAC_ADMIN"]
}}}
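Review bot: the added block places `capabilities:` next to `runAsUser:` and the bullet says the block can sit under `spec:` for Pod level, but `capabilities` (like `privileged`) is only a container-level `securityContext` field; of the two keys shown, only `runAsUser` is valid at both levels. Suggest rewording the bullet so the capabilities block is shown only under `containers:`, and noting that a container-level `securityContext` overrides the Pod-level one for the fields they share.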

k8s/StudyNotes/SecurityDockerContainer

  • Docker uses Linux namespaces for isolation; a container's processes are still visible on the host.
    • Capabilities are listed in /usr/include/linux/capability.h.
      • They can be limited per container.
  • In Docker, capabilities are added or dropped when the container is started:

    docker run --cap-add MAC_ADMIN    (or --cap-drop <CAP>, or --privileged for all capabilities)
  • In k8s, a securityContext can be set at the Pod level or at the Container level.
    • Set it under spec: for Pod level, or move it under the container's entry in containers:

      securityContext:
        runAsUser: 1000
        capabilities:
          add: ["MAC_ADMIN"]
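As an added example (not from these notes), a Python audit of a constructed Pod manifest that shows where the settings above apply: runAsUser can be set at either level with the container overriding the Pod, while capabilities and privileged are container-level only. The function names, field list and sample manifest are this example's own.

```python
# Added example (not from the original notes): audit a Pod manifest for misplaced
# securityContext fields, added capabilities, privileged containers and runAsUser.
CONTAINER_ONLY_FIELDS = {  # SecurityContext fields that PodSecurityContext lacks
    "capabilities", "privileged", "allowPrivilegeEscalation",
    "readOnlyRootFilesystem", "procMount",
}

def effective_run_as_user(pod_spec, container):
    """Container-level securityContext overrides the Pod-level one."""
    pod_ctx = pod_spec.get("securityContext", {})
    ctr_ctx = container.get("securityContext", {})
    return ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser"))

def audit_pod(manifest):
    """Return a list of (where, message) findings for one Pod manifest."""
    spec, findings = manifest["spec"], []
    for field in sorted(set(spec.get("securityContext", {})) & CONTAINER_ONLY_FIELDS):
        findings.append(("<pod>", f"{field} is not a PodSecurityContext field; "
                                  "move it under containers[].securityContext"))
    for ctr in spec.get("containers", []):
        name, ctx = ctr["name"], ctr.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append((name, "privileged: true (all capabilities, host devices)"))
        caps = ctx.get("capabilities", {})
        for cap in caps.get("add", []):
            findings.append((name, f"adds capability {cap}"))
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "does not drop ALL capabilities"))
        if effective_run_as_user(spec, ctr) in (None, 0):
            findings.append((name, "effective runAsUser is root or unset"))
    return findings

# Constructed manifest: capabilities wrongly placed at Pod level, "app" re-adds
# MAC_ADMIN after dropping ALL, "sidecar" runs privileged as root (uid 0).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cap-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "capabilities": {"add": ["MAC_ADMIN"]}},
        "containers": [
            {"name": "app", "image": "example/app:1.0",  # constructed image names
             "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["MAC_ADMIN"]}}},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"privileged": True, "runAsUser": 0}},
        ],
    },
}

if __name__ == "__main__":
    for where, msg in audit_pod(SAMPLE_POD):
        print(f"{where}: {msg}")
```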

k8s/StudyNotes/SecurityDockerContainer (last edited 2021-10-23 09:23:19 by PieterSmit)