Tiexin Guo IronCore864

## gist:dbfeec144607ac3ee5c3429bbe561de6
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:

## gist:efd8f5f290b2a0677d791244dc7d9dfd
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:

## gist:7412f70e7a2b410f7451d74655040dd0
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:

## gist:5086caf7a98cb356e288f7e3cae47047
NAME             PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
eks.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

## gist:4b8e9ccca43c3eeb2acbc3dd3ace912e
vagrant@vagrant ~ $ ps ajf
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
19286 19287 19287 19287 pts/1    19408 Ss    1000   0:00 -bash
19287 19408 19408 19287 pts/1    19408 R+    1000   0:00  \_ ps ajf
18406 18407 18407 18407 pts/0    19405 Ss    1000   0:00 -bash
18407 19405 19405 18407 pts/0    19405 S+       0   0:00  \_ sudo ./my-sleep 100
19405 19406 19405 18407 pts/0    19405 S+    1000   0:00      \_ ./my-sleep 100
    1   960   960   960 tty1       960 Ss+      0   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

## gist:a792baa712ad25363999b8b3d2c5ed43
vagrant@vagrant ~ $ ps ajf
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
19286 19287 19287 19287 pts/1    19399 Ss    1000   0:00 -bash
19287 19399 19399 19287 pts/1    19399 R+    1000   0:00  \_ ps ajf
18406 18407 18407 18407 pts/0    19336 Ss    1000   0:00 -bash
18407 19336 19336 18407 pts/0    19336 S+       0   0:00  \_ sudo ./my-sleep 100
19336 19337 19336 18407 pts/0    19336 S+       0   0:00      \_ ./my-sleep 100
    1   960   960   960 tty1       960 Ss+      0   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

## gist:29690efd00214c0dc2ee5dd6061028de
vagrant@vagrant ~ $ ps -ef | grep hello
vagrant  18897 18407  0 08:50 pts/0    00:00:00 grep --color=auto hello
vagrant@vagrant ~ $ docker run -it -d ironcore864/go-hello-http
Unable to find image 'ironcore864/go-hello-http:latest' locally
latest: Pulling from ironcore864/go-hello-http
cbdbe7a5bc2a: Pull complete
73fe6db8eb7a: Pull complete
b33cd23ff126: Pull complete
Digest: sha256:8127dfa67b90029ab0d71f443287a3de6cea85f5ff2e7ad1c6988ef4d69a2839
Status: Downloaded newer image for ironcore864/go-hello-http:latest

## gist:034a01faa8ec7b2df7192afc13c60131
/**
 * This pipeline describes a multi container job, running Maven and Golang builds
 */

podTemplate(yaml: """
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven

## gist:f72331636c02b77232fa6dbae4031ce9
root@vagrant:/var/lib/docker# tree
.
├── builder
│   └── fscache.db
├── buildkit
│   ├── cache.db
│   ├── content
│   │   └── ingest
│   ├── executor
│   ├── metadata.db

## gist:e8f61938e776f7f2231bc0a938da4dd2
root@vagrant:/var/lib/docker# tree -L 2
.
├── builder
│   └── fscache.db
├── buildkit
│   ├── cache.db
│   ├── content
│   ├── executor
│   ├── metadata.db
│   └── snapshots.db
	apiVersion: policy/v1beta1
	kind: PodSecurityPolicy
	metadata:
	name: example
	spec:
	privileged: false # Don't allow privileged pods!
	# The rest fills in some required fields.
	seLinux:
	rule: RunAsAny
	supplementalGroups:
	NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
	eks.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
	vagrant@vagrant ~ $ ps ajf
	PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
	19286 19287 19287 19287 pts/1 19408 Ss 1000 0:00 -bash
	19287 19408 19408 19287 pts/1 19408 R+ 1000 0:00 \_ ps ajf
	18406 18407 18407 18407 pts/0 19405 Ss 1000 0:00 -bash
	18407 19405 19405 18407 pts/0 19405 S+ 0 0:00 \_ sudo ./my-sleep 100
	19405 19406 19405 18407 pts/0 19405 S+ 1000 0:00 \_ ./my-sleep 100
	1 960 960 960 tty1 960 Ss+ 0 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
	vagrant@vagrant ~ $ ps ajf
	PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
	19286 19287 19287 19287 pts/1 19399 Ss 1000 0:00 -bash
	19287 19399 19399 19287 pts/1 19399 R+ 1000 0:00 \_ ps ajf
	18406 18407 18407 18407 pts/0 19336 Ss 1000 0:00 -bash
	18407 19336 19336 18407 pts/0 19336 S+ 0 0:00 \_ sudo ./my-sleep 100
	19336 19337 19336 18407 pts/0 19336 S+ 0 0:00 \_ ./my-sleep 100
	1 960 960 960 tty1 960 Ss+ 0 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
	vagrant@vagrant ~ $ ps -ef \| grep hello
	vagrant 18897 18407 0 08:50 pts/0 00:00:00 grep --color=auto hello
	vagrant@vagrant ~ $ docker run -it -d ironcore864/go-hello-http
	Unable to find image 'ironcore864/go-hello-http:latest' locally
	latest: Pulling from ironcore864/go-hello-http
	cbdbe7a5bc2a: Pull complete
	73fe6db8eb7a: Pull complete
	b33cd23ff126: Pull complete
	Digest: sha256:8127dfa67b90029ab0d71f443287a3de6cea85f5ff2e7ad1c6988ef4d69a2839
	Status: Downloaded newer image for ironcore864/go-hello-http:latest
	/**
	* This pipeline describes a multi container job, running Maven and Golang builds
	*/

	podTemplate(yaml: """
	apiVersion: v1
	kind: Pod
	spec:
	containers:
	- name: maven
	root@vagrant:/var/lib/docker# tree
	.
	├── builder
	│ └── fscache.db
	├── buildkit
	│ ├── cache.db
	│ ├── content
	│ │ └── ingest
	│ ├── executor
	│ ├── metadata.db
	root@vagrant:/var/lib/docker# tree -L 2
	.
	├── builder
	│ └── fscache.db
	├── buildkit
	│ ├── cache.db
	│ ├── content
	│ ├── executor
	│ ├── metadata.db
	│ └── snapshots.db