Kubernetes: Why doesn't the k8s example restricted PodSecurityPolicy restrict RunAsGroup? - Fatal编程技术网


Tags: kubernetes, podsecuritypolicy

There is an example of a restricted PodSecurityPolicy in the K8s docs:

It restricts supplementalGroups and fsGroup, but not runAsGroup:

  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
So it allows a container's securityContext to specify the root group, GID 0. Isn't that a problem? Shouldn't the following

  runAsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
be added to the restricted PodSecurityPolicy?


This is the option that restricts your group; if you don't have it, your primary group is not restricted. So basically the pod can still run containers as the root group, GID 0.

supplementalGroups refers to any other groups added to the user in addition to the primary group (secondary groups). On *nix systems
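To make the gap the question and the answer describe concrete, here is an added example (not code from the question, the answer, or Kubernetes itself) that models how the PSP admission controller applies the MustRunAs, MayRunAs and RunAsAny group strategies to a pod spec. RESTRICTED_PSP, HARDENED_PSP, ROOT_GROUP_POD, validate_pod and admits are names chosen for this example; the two policy fragments are constructed from the YAML quoted above, and the strategy semantics follow the documented PSP behaviour (an absent stanza is RunAsAny; MustRunAs defaults an unset value to the first range's minimum and validates a set value against all ranges; MayRunAs only validates when a value is set).

```python
"""Model of PodSecurityPolicy group validation (added example, not
kube-apiserver code).

RESTRICTED_PSP is constructed from the restricted policy quoted in the
question, keeping only the group-related fields: it has no runAsGroup
stanza, which the PSP admission controller treats as RunAsAny.
HARDENED_PSP adds the runAsGroup stanza the question proposes.
"""
from typing import Any, Dict, List, Optional, Tuple

GROUP_RANGE = [{"min": 1, "max": 65535}]  # excludes GID 0, the root group

RESTRICTED_PSP: Dict[str, Any] = {
    "supplementalGroups": {"rule": "MustRunAs", "ranges": GROUP_RANGE},
    "fsGroup": {"rule": "MustRunAs", "ranges": GROUP_RANGE},
    # no "runAsGroup" key: treated as RunAsAny
}

HARDENED_PSP: Dict[str, Any] = dict(
    RESTRICTED_PSP,
    runAsGroup={"rule": "MustRunAs", "ranges": GROUP_RANGE},
)


def _in_ranges(gid: int, ranges: List[Dict[str, int]]) -> bool:
    return any(r["min"] <= gid <= r["max"] for r in ranges)


def _check_gid(field: str, strategy: Optional[Dict[str, Any]],
               value: Optional[int]) -> Tuple[Optional[int], Optional[str]]:
    """Apply one strategy to one GID. Returns (effective_gid, violation)."""
    if strategy is None or strategy["rule"] == "RunAsAny":
        return value, None  # absent stanza == RunAsAny: anything passes
    rule, ranges = strategy["rule"], strategy.get("ranges", [])
    if rule not in ("MustRunAs", "MayRunAs"):
        raise ValueError(f"unknown {field} rule {rule!r}")
    if not ranges:
        raise ValueError(f"{field}: {rule} requires at least one range")
    if value is None:
        # MustRunAs fills in the first range's minimum; MayRunAs leaves it unset
        return (ranges[0]["min"], None) if rule == "MustRunAs" else (None, None)
    if _in_ranges(value, ranges):
        return value, None
    return value, f"{field} {value} is not in the allowed ranges"


def validate_pod(psp: Dict[str, Any], pod_spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return the effective GIDs and the list of PSP violations for a pod spec."""
    pod_sc = pod_spec.get("securityContext", {})
    violations: List[str] = []

    # fsGroup is pod-level only
    fs_gid, err = _check_gid("fsGroup", psp.get("fsGroup"), pod_sc.get("fsGroup"))
    if err:
        violations.append(err)

    # supplementalGroups is a pod-level list; MustRunAs with nothing set
    # defaults to [first range minimum], and every listed GID is range-checked
    supp_strategy = psp.get("supplementalGroups")
    supp = pod_sc.get("supplementalGroups")
    if supp_strategy and supp_strategy["rule"] == "MustRunAs" and not supp:
        supp = [supp_strategy["ranges"][0]["min"]]
    effective_supp: List[int] = []
    for gid in supp or []:
        g, err = _check_gid("supplementalGroups", supp_strategy, gid)
        effective_supp.append(g)
        if err:
            violations.append(err)

    # runAsGroup can be set per container and overrides the pod-level value
    run_as: Dict[str, Optional[int]] = {}
    for c in pod_spec.get("containers", [{"name": "main"}]):
        c_sc = c.get("securityContext", {})
        requested = c_sc.get("runAsGroup", pod_sc.get("runAsGroup"))
        g, err = _check_gid("runAsGroup", psp.get("runAsGroup"), requested)
        run_as[c["name"]] = g
        if err:
            violations.append(f"container {c['name']}: {err}")

    return {"fsGroup": fs_gid, "supplementalGroups": effective_supp,
            "runAsGroup": run_as, "violations": violations}


def admits(psp: Dict[str, Any], pod_spec: Dict[str, Any]) -> bool:
    return not validate_pod(psp, pod_spec)["violations"]


# Constructed pod: non-root user, but primary group explicitly set to root (0)
ROOT_GROUP_POD: Dict[str, Any] = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 0, "fsGroup": 1000},
    "containers": [{"name": "app"}],
}

if __name__ == "__main__":
    for name, psp in (("restricted", RESTRICTED_PSP), ("hardened", HARDENED_PSP)):
        print(name, validate_pod(psp, ROOT_GROUP_POD))
```

Running the block shows the root-group pod admitted by the restricted policy (its runAsGroup of 0 is passed straight through) and rejected by the hardened one. The same validate_pod call on a pod with no groups set shows the defaulting behaviour: MustRunAs assigns GID 1 for fsGroup, supplementalGroups and, under the hardened policy, runAsGroup, which is why MustRunAs rather than MayRunAs is the strategy that actually closes the gap. PodSecurityPolicy was removed in Kubernetes v1.25, so this only applies to clusters still running the PSP admission plugin.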