CKS Immutability of containers at runtime
CKS Immutability of containers at runtime
Posted Updated 
By
1 min read
- advanced deployment methods
- easy rollback
- more reliability
- better security (on container level)
Interesting example of how ‘‘startupProbe’’ can be used to make container a bit more secure
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
root@cks-master:~# cat immutable.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: immutable
name: immutable
spec:
containers:
- image: httpd
name: immutable
resources: {}
startupProbe:
exec:
command:
- rm
- /bin/bash
initialDelaySeconds: 1
periodSeconds: 5
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
ReadOnlyRootFilesystem example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
cat immutable.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: immutable
name: immutable
spec:
containers:
- image: httpd
name: immutable
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: pid
mountPath: "/usr/local/apache2/logs/"
volumes:
- name: pid
emptyDir: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
If you come from Docker world
Task
Generate pod receip
1
k run pod-ro -n sun --image=busybox:1.32.0 --dry-run=client -oyaml --command -- sh -c 'sleep 1d' > pod.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
controlplane $ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: pod-ro
name: pod-ro
namespace: sun
spec:
containers:
- command:
- sh
- -c
- sleep 1d
image: busybox:1.32.0
name: pod-ro
resources: {}
securityContext:
readOnlyRootFilesystem: true
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
This post is licensed under CC BY 4.0 by the author.