IronCore864

/**
 * This pipeline describes a multi container job, running Maven and Golang builds
 */

podTemplate(yaml: """
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven

IronCore864

vagrant@vagrant ~ $ ps -ef | grep hello
vagrant  18897 18407  0 08:50 pts/0    00:00:00 grep --color=auto hello
vagrant@vagrant ~ $ docker run -it -d ironcore864/go-hello-http
Unable to find image 'ironcore864/go-hello-http:latest' locally
latest: Pulling from ironcore864/go-hello-http
cbdbe7a5bc2a: Pull complete
73fe6db8eb7a: Pull complete
b33cd23ff126: Pull complete
Digest: sha256:8127dfa67b90029ab0d71f443287a3de6cea85f5ff2e7ad1c6988ef4d69a2839
Status: Downloaded newer image for ironcore864/go-hello-http:latest

IronCore864

vagrant@vagrant ~ $ ps ajf
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
19286 19287 19287 19287 pts/1    19399 Ss    1000   0:00 -bash
19287 19399 19399 19287 pts/1    19399 R+    1000   0:00  \_ ps ajf
18406 18407 18407 18407 pts/0    19336 Ss    1000   0:00 -bash
18407 19336 19336 18407 pts/0    19336 S+       0   0:00  \_ sudo ./my-sleep 100
19336 19337 19336 18407 pts/0    19336 S+       0   0:00      \_ ./my-sleep 100
    1   960   960   960 tty1       960 Ss+      0   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

IronCore864

vagrant@vagrant ~ $ ps ajf
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
19286 19287 19287 19287 pts/1    19408 Ss    1000   0:00 -bash
19287 19408 19408 19287 pts/1    19408 R+    1000   0:00  \_ ps ajf
18406 18407 18407 18407 pts/0    19405 Ss    1000   0:00 -bash
18407 19405 19405 18407 pts/0    19405 S+       0   0:00  \_ sudo ./my-sleep 100
19405 19406 19405 18407 pts/0    19405 S+    1000   0:00      \_ ./my-sleep 100
    1   960   960   960 tty1       960 Ss+      0   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

IronCore864

NAME             PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
eks.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

IronCore864

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:

IronCore864

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:

IronCore864

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:

IronCore864

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eks:podsecuritypolicy:privileged
  namespace: kube-system
  labels:
      kubernetes.io/cluster-service: "true"
      eks.amazonaws.com/component: pod-security-policy
rules:

IronCore864

apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
    - name: test
      # run as user 0
      image: docker.io/ironcore864/go-hello-http:root