Tiexin Guo IronCore864

View gist:dbfeec144607ac3ee5c3429bbe561de6
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
View gist:efd8f5f290b2a0677d791244dc7d9dfd
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
View gist:7412f70e7a2b410f7451d74655040dd0
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: eks.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
View gist:5086caf7a98cb356e288f7e3cae47047
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
eks.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
View gist:4b8e9ccca43c3eeb2acbc3dd3ace912e
vagrant@vagrant ~ $ ps ajf
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
19286 19287 19287 19287 pts/1 19408 Ss 1000 0:00 -bash
19287 19408 19408 19287 pts/1 19408 R+ 1000 0:00 \_ ps ajf
18406 18407 18407 18407 pts/0 19405 Ss 1000 0:00 -bash
18407 19405 19405 18407 pts/0 19405 S+ 0 0:00 \_ sudo ./my-sleep 100
19405 19406 19405 18407 pts/0 19405 S+ 1000 0:00 \_ ./my-sleep 100
1 960 960 960 tty1 960 Ss+ 0 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
View gist:a792baa712ad25363999b8b3d2c5ed43
vagrant@vagrant ~ $ ps ajf
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
19286 19287 19287 19287 pts/1 19399 Ss 1000 0:00 -bash
19287 19399 19399 19287 pts/1 19399 R+ 1000 0:00 \_ ps ajf
18406 18407 18407 18407 pts/0 19336 Ss 1000 0:00 -bash
18407 19336 19336 18407 pts/0 19336 S+ 0 0:00 \_ sudo ./my-sleep 100
19336 19337 19336 18407 pts/0 19336 S+ 0 0:00 \_ ./my-sleep 100
1 960 960 960 tty1 960 Ss+ 0 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
View gist:29690efd00214c0dc2ee5dd6061028de
vagrant@vagrant ~ $ ps -ef | grep hello
vagrant 18897 18407 0 08:50 pts/0 00:00:00 grep --color=auto hello
vagrant@vagrant ~ $ docker run -it -d ironcore864/go-hello-http
Unable to find image 'ironcore864/go-hello-http:latest' locally
latest: Pulling from ironcore864/go-hello-http
cbdbe7a5bc2a: Pull complete
73fe6db8eb7a: Pull complete
b33cd23ff126: Pull complete
Digest: sha256:8127dfa67b90029ab0d71f443287a3de6cea85f5ff2e7ad1c6988ef4d69a2839
Status: Downloaded newer image for ironcore864/go-hello-http:latest
View gist:034a01faa8ec7b2df7192afc13c60131
/**
 * This pipeline describes a multi container job, running Maven and Golang builds
 */
podTemplate(yaml: """
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven
View gist:f72331636c02b77232fa6dbae4031ce9
root@vagrant:/var/lib/docker# tree
.
├── builder
│   └── fscache.db
├── buildkit
│   ├── cache.db
│   ├── content
│   │   └── ingest
│   ├── executor
│   ├── metadata.db
View gist:e8f61938e776f7f2231bc0a938da4dd2
root@vagrant:/var/lib/docker# tree -L 2
.
├── builder
│   └── fscache.db
├── buildkit
│   ├── cache.db
│   ├── content
│   ├── executor
│   ├── metadata.db
│   └── snapshots.db