For security reasons, many container deployments nowadays run their workloads in a scratch-based image. This helps reduce the attack surface since there is no shell to gain access to, especially if someone were to break out of the application.
Seccomp helps us limit the system calls the process inside a container can make, and PodSecurityPolicy is the way to enable it on pods in Kubernetes.
Watch from 55m59s
The Kubernetes Bangalore Meetup was organized at Arvind Internet on Feb 16th 2019. The agenda for the meetup was to teach Kubernetes to beginners.
If you want to provide extra flags to the kube-apiserver that runs inside minikube, how do you do it? You can use minikube’s --extra-config flag with apiserver.<apiserver flag>=<value>. For example, if you want to enable RBAC authorization mode, you do it as follows:
A volume mount CVE was discovered in Kubernetes 1.9 and older that allowed access to the node file system through an emptyDir volume mount using subpath. The official description goes as follows:
A few days back I wrote a blog about adding a new node to the cluster using the static token file. The problem with that approach is that you need to restart kube-apiserver, providing it the path to the token file. Here we will see how to use the bootstrap token, which is very dynamic in nature and can be controlled by using Kubernetes resources like
I enabled PodSecurityPolicy on a minikube cluster by appending PodSecurityPolicy to the apiserver flag in minikube like this:
I passed the CKA exam with 92% marks on 19th October 2018.
The setup here is created by following Kubernetes the Hard Way by Kelsey Hightower. So if you are following along, do all the setup till the step Bootstrapping the Kubernetes Worker Nodes. In this, just don’t start the kubelet; start other services like