Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

7.6.

중요

7.6.1. 

  1. $ oc new-project my-namespace

  2. apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  namespace: my-namespace
  name: profile1
spec:
  defaultAction: SCMP_ACT_LOG

7.6.2. 

  1. apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: Localhost
      localhostProfile: operator/my-namespace/profile1.json
  containers:
    - name: test-container
      image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]

  2. $ oc -n my-namespace get seccompprofile profile1 --output wide

    NAME       STATUS     AGE   SECCOMPPROFILE.LOCALHOSTPROFILE
profile1   Installed  14s   operator/my-namespace/profile1.json

  3. $ oc get sp profile1 --output=jsonpath='{.status.localhostProfile}'

    operator/my-namespace/profile1.json

  4. spec:
  template:
    spec:
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: operator/my-namespace/profile1.json

  5. $ oc -n my-namespace patch deployment myapp --patch-file patch.yaml --type=merge

    deployment.apps/myapp patched

  • $ oc -n my-namespace get deployment myapp --output=jsonpath='{.spec.template.spec.securityContext}' | jq .

    {
  "seccompProfile": {
    "localhostProfile": "operator/my-namespace/profile1.json",
    "type": "localhost"
  }
}

7.6.2.1. 

  1. apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  namespace: my-namespace
  name: nginx-binding
spec:
  profileRef:
    kind: SeccompProfile 1
    name: profile 2
  image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21 3
    1
    2
    3
    중요

  2. $ oc label ns my-namespace spo.x-k8s.io/enable-binding=true

  3. apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test-container
    image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21

  4. $ oc create -f test-pod.yaml
    참고

  • $ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'

    {"localhostProfile":"operator/my-namespace/profile.json","type":"Localhost"}

7.6.3.

참고

  1. $ oc new-project my-namespace

  2. $ oc label ns my-namespace spo.x-k8s.io/enable-recording=true

  3. apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  namespace: my-namespace
  name: test-recording
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: my-app

  4. apiVersion: v1
kind: Pod
metadata:
  namespace: my-namespace
  name: my-pod
  labels:
    app: my-app
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: nginx
      image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]
    - name: redis
      image: quay.io/security-profiles-operator/redis:6.2.1
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]

  5. $ oc -n my-namespace get pods

    NAME     READY   STATUS    RESTARTS   AGE
my-pod   2/2     Running   0          18s

  6. $ oc -n openshift-security-profiles logs --since=1m --selector name=spod -c log-enricher

    I0523 14:19:08.747313  430694 enricher.go:445] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="my-namespace" "node"="xiyuan-23-5g2q9-worker-eastus2-6rpgf" "pid"=656802 "pod"="my-pod" "syscallID"=0 "syscallName"="read" "timestamp"="1684851548.745:207179" "type"="seccomp"

  1. $ oc -n my-namepace delete pod my-pod

  2. $ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace

    NAME                   STATUS      AGE
test-recording-nginx   Installed   2m48s
test-recording-redis   Installed   2m48s

7.6.3.1. 

  1. apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  # The name of the Recording is the same as the resulting SeccompProfile CRD
  # after reconciliation.
  name: test-recording
  namespace: my-namespace
spec:
  kind: SeccompProfile
  recorder: logs
  mergeStrategy: containers
  podSelector:
    matchLabels:
      app: sp-record

  2. $ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true

  3. apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
  namespace: my-namespace
spec:
  replicas: 3
  selector:
    matchLabels:
      app: sp-record
  template:
    metadata:
      labels:
        app: sp-record
    spec:
      serviceAccountName: spo-record-sa
      containers:
      - name: nginx-record
        image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
        ports:
        - containerPort: 8080

  4. $ oc delete deployment nginx-deploy -n my-namespace

  5. $ oc delete profilerecording test-recording -n my-namespace

  6. $ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace

    NAME                          STATUS       AGE
test-recording-nginx-record   Installed    55s

  7. $ oc get seccompprofiles test-recording-nginx-record -o yaml

Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.