/**
 * This pipeline describes a multi container job, running Maven and Golang builds
 */
podTemplate(yaml: """
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven

vagrant@vagrant ~ $ ps -ef | grep hello
vagrant 18897 18407 0 08:50 pts/0 00:00:00 grep --color=auto hello
vagrant@vagrant ~ $ docker run -it -d ironcore864/go-hello-http
Unable to find image 'ironcore864/go-hello-http:latest' locally
latest: Pulling from ironcore864/go-hello-http
cbdbe7a5bc2a: Pull complete
73fe6db8eb7a: Pull complete
b33cd23ff126: Pull complete
Digest: sha256:8127dfa67b90029ab0d71f443287a3de6cea85f5ff2e7ad1c6988ef4d69a2839
Status: Downloaded newer image for ironcore864/go-hello-http:latest

vagrant@vagrant ~ $ ps ajf
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
19286 19287 19287 19287 pts/1    19399 Ss    1000   0:00 -bash
19287 19399 19399 19287 pts/1    19399 R+    1000   0:00  \_ ps ajf
18406 18407 18407 18407 pts/0    19336 Ss    1000   0:00 -bash
18407 19336 19336 18407 pts/0    19336 S+       0   0:00  \_ sudo ./my-sleep 100
19336 19337 19336 18407 pts/0    19336 S+       0   0:00      \_ ./my-sleep 100
    1   960   960   960 tty1       960 Ss+      0   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

vagrant@vagrant ~ $ ps ajf
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
19286 19287 19287 19287 pts/1    19408 Ss    1000   0:00 -bash
19287 19408 19408 19287 pts/1    19408 R+    1000   0:00  \_ ps ajf
18406 18407 18407 18407 pts/0    19405 Ss    1000   0:00 -bash
18407 19405 19405 18407 pts/0    19405 S+       0   0:00  \_ sudo ./my-sleep 100
19405 19406 19405 18407 pts/0    19405 S+    1000   0:00      \_ ./my-sleep 100
    1   960   960   960 tty1       960 Ss+      0   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

NAME             PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
eks.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eks:podsecuritypolicy:privileged
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    eks.amazonaws.com/component: pod-security-policy
rules:

apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - name: test
    # run as user 0
    image: docker.io/ironcore864/go-hello-http:root