
CKS 核心命令速查指南

Kubernetes 安全专家(CKS)考试核心命令速查,涵盖集群安装与强化、系统加固、微服务漏洞最小化、供应链安全及监控日志记录。包含 kubectl 操作、etcd 管理、OPA/Gatekeeper 策略、Falco 运行时安全及审计配置等关键步骤与示例。

laoliangsh发布于 2025/1/20更新于 2026/6/220 浏览
CKS 核心命令速查指南

集群安装

# Cluster setup walkthrough. These are cheat-sheet steps against an existing
# kubeadm lab cluster, meant to be run one at a time — not a self-contained script.
kubectl run frontend --image=nginx
kubectl expose pod frontend --port 80
# Namespaced RoleBinding: the dashboard ServiceAccount gets the built-in read-only
# "view" ClusterRole, scoped to the kubernetes-dashboard namespace only.
kubectl -n kubernetes-dashboard create rolebinding insecure --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view
# Two backend pods/services for the ingress exercise.
kubectl run pod1 --image=nginx
kubectl run pod2 --image=httpd
kubectl expose pod pod1 --port 80 --name service1
kubectl expose pod pod2 --port 80 --name service2
# -k disables TLS certificate verification; acceptable against a self-signed lab
# ingress, never against a production endpoint. IP and port are lab-specific.
curl https://192.168.211.40:32300/service1 -kv
# Self-signed RSA-4096 certificate valid for 365 days; -nodes leaves the private
# key unencrypted on disk, so restrict the file's permissions.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
kubectl create secret tls secure-ingress --cert=cert.pem --key=key.pem
# --resolve pins the hostname to the node IP so Host header / SNI match the
# ingress rule without touching DNS.
curl https://secure-ingress.com:32300/service2 -kv --resolve secure-ingress.com:32300:192.168.211.41
kubectl label pod nginx role=metadata-accessor
# CIS benchmark check with kube-bench. Host PID namespace plus read-only mounts of
# /etc and /var let it inspect control-plane config; --version selects the
# benchmark target and should match the cluster version.
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest master --version 1.20
# Binary verification: compare the hash of the downloaded release binary with the
# hash of the kube-apiserver actually running inside the container. The expected
# value published with the upstream release is not shown on this page.
sha512sum kubernetes-server-linux-arm64.tar.gz
tar zxf kubernetes-server-linux-arm64.tar.gz
ls kubernetes/server/bin/kube-apiserver
sha512sum kubernetes/server/bin/kube-apiserver
docker ps | grep apiserver
# The container id is specific to the lab host; take it from the `docker ps`
# output. Copying "/" exports the whole container filesystem into ./container-fs.
docker cp 0fb5321dfd57:/ container-fs
ls container-fs/
find container-fs/ | grep kube-apiserver
sha512sum container-fs/usr/local/bin/kube-apiserver

集群强化

# Cluster hardening walkthrough: API server flags, client credentials,
# ServiceAccount tokens, RBAC, user certificates and a kubeadm upgrade.
# Without -k curl rejects the cluster's self-signed CA; -k skips verification for
# this lab probe only.
curl https://localhost:6443
curl https://localhost:6443 -k
# Static pod manifest: the kubelet restarts kube-apiserver when this file changes.
# The three flags below are the ones the exercise inspects. On a hardened control
# plane anonymous auth is disabled and the plaintext insecure port is not opened;
# NodeRestriction limits what a kubelet may modify.
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# --anonymous-auth=true
# --insecure-port=8080
# --enable-admission-plugins=NodeRestriction
# Uses the cluster CA cert/key as the client identity; presumably a lab shortcut —
# real clients should get their own CA-signed client certificate.
curl https://192.168.211.40:6443 --cacert ca --cert ca.crt --key ca.key
kubectl edit svc
# NOTE(review): -l is curl's FTP "list only" option; -k (as on the other probes)
# was probably intended.
curl https://192.168.211.40:30300 -l
# --raw includes the embedded client certificate and key, so the written file
# holds full admin credentials; protect it like a private key.
kubectl config view --raw > config
kubectl --kubeconfig config get ns
kubectl label node master cks/test=yes
# ServiceAccount token walkthrough.
kubectl create sa accessor
kubectl get sa,secrets
# The token Secret name suffix is generated; take it from the `get secrets` output.
kubectl describe secret accessor-token-bnd4s
kubectl run accessor --image=nginx --dry-run=client -oyaml
# serviceAccountName: accessor   # add this line to the generated manifest
kubectl exec -ti accessor -- bash
# Inside the pod: the token is projected at the path below.
mount | grep sec
cd /run/secrets/kubernetes.io/serviceaccount
cat token
curl https://kubernetes
curl https://kubernetes -k
# A bearer token passed as an argument lands in shell history and `ps` output;
# prefer reading it from a file or variable rather than typing it on the line.
curl https://kubernetes -k -H "Authorization: Bearer eyJ..."

kubectl replace --force -f accessor.yaml
# can-i before and after granting the "edit" ClusterRole cluster-wide to the SA.
kubectl auth can-i delete secrets --as system:serviceaccount:default:accessor
kubectl create clusterrolebinding accessor --clusterrole edit --serviceaccount default:accessor
kubectl auth can-i delete secrets --as system:serviceaccount:default:accessor
# Per-namespace Roles for user jane: "get" only in red, "get"+"list" in blue.
kubectl create ns red
kubectl create ns blue
kubectl -n red create role secret-manager --verb=get --resource secrets -oyaml --dry-run=client
kubectl -n red create rolebinding secret-manager --role secret-manager --user jane
kubectl -n blue create role secret-manager --verb=get --verb=list --resource secrets
kubectl -n blue create rolebinding secret-manager --role secret-manager --user jane
kubectl -n red auth can-i get secrets --as jane
# User certificate via the CertificateSigningRequest API.
openssl genrsa -out jane.key 2048
# NOTE(review): this line is truncated on the page; the CSR creation / base64
# encoding step is missing — check the original source.
 jane.csr |  -w 0
kubectl certificate approve jane
kubectl config view -o yaml > view.yaml
# --embed-certs inlines key and certificate into the kubeconfig instead of
# referencing the files by path.
kubectl config set-credentials jane --client-key=jane.key --client-certificate=jane.crt
kubectl config set-credentials jane --client-key=jane.key --client-certificate=jane.crt --embed-certs
kubectl config view --raw
kubectl config set-context jane --user=jane --cluster=kubernetes
kubectl config get-contexts
# kubeadm upgrade: drain, install pinned packages, plan, apply, uncordon.
kubectl drain master --ignore-daemonsets
# NOTE(review): the grep pattern after -e is missing on the page.
apt-cache show kubeadm | grep -e 
apt-get install kubeadm=1.20.2-00 kubectl=1.20.2-00 kubelet=1.20.2-00
kubeadm upgrade plan
kubeadm upgrade apply v1.20.6
kubectl uncordon master
kubectl get node
# automountServiceAccountToken: false   # add this line to pods that do not need API access
# NOTE(review): the next three lines look like fragments of one truncated command;
# confirm against the original.
cat
base64
'1.20'

系统强化

# System hardening walkthrough: inventory what listens on the node, find unneeded
# services, constrain pod privileges, then AppArmor and seccomp profiles.
# Open ports and processes on the node.
netstat -natlp
ps aux
lsof -i :22
# snapd / vsftpd / samba are installed here presumably only so they can be found
# and removed in the exercise; an unused listening service is attack surface.
apt-get install snapd
systemctl start snapd
systemctl status snapd
systemctl list-units --type=service --state=running | grep snap
apt-get install -y vsftpd samba
systemctl status vsftpd
systemctl status smbd
ps aux | grep smbd
whoami
# Generate a pod manifest and edit its securityContext by hand.
kubectl run pod --image=busybox --command -oyaml --dry-run=client > pod.yaml -- sh -c 'sleep 1d'
vim pod.yaml
# spec:
#   securityContext:
#     runAsUser: 1000
#     runAsGroup: 3000
#   containers:
#   - command: [sh, -c, sleep 1d]
#     image: busybox
#     name: pod
#     resources: {}
#     securityContext:
#       runAsNonRoot: true
#       privileged: true
#       allowPrivilegeEscalation: true
# privileged: true / allowPrivilegeEscalation: true are the settings an admission
# policy should reject; the sysctl below demonstrates a privileged container
# changing a host kernel parameter (presumably run inside that pod).
sysctl kernel.hostname=attacker
kubectl -f pod.yaml delete --force --grace-period=0
# Enable the PodSecurityPolicy admission plugin (the PSP API was removed in
# Kubernetes 1.25; newer clusters use Pod Security Admission instead).
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# ---
# - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
# A PSP only applies to subjects allowed to "use" it, hence the Role/RoleBinding.
kubectl create role psp-access --verb use --resource podsecuritypolicies
kubectl create rolebinding psp-access --role psp-access --serviceaccount default:default
# AppArmor: generate a profile for curl from observed activity, then test it.
apt-get install apparmor-utils
aa-genprof curl
cd /etc/apparmor.d/
aa-logprof
cat usr.bin.curl
curl killer.sh -v
# Pod with an AppArmor annotation; "localhost/<name>" refers to a profile loaded
# on the node. The "Blocked" status below presumably means profile "hello" is not
# loaded there; "docker-nginx" is the working variant.
kubectl run secure --image=nginx -oyaml --dry-run=client > pod.yaml
# cat pod.yaml
# apiVersion: v1
# kind: Pod
# metadata:
#   annotations:
#     container.apparmor.security.beta.kubernetes.io/secure: localhost/hello
kubectl get pods secure
# NAME READY STATUS RESTARTS AGE
# secure 0/1 Blocked 0 2s
# cat pod.yaml
# apiVersion: v1
# kind: Pod
# metadata:
#   annotations:
#     container.apparmor.security.beta.kubernetes.io/secure: localhost/docker-nginx
# Seccomp: a Localhost profile path is resolved relative to the kubelet's seccomp
# directory; the CreateContainerError below presumably means the file is missing.
# cat pod2.yaml
# apiVersion: v1
# kind: Pod
# metadata:
#   labels:
#     run: secure
#   name: secure
# spec:
#   securityContext:
#     seccompProfile:
#       type: Localhost
#       localhostProfile: profiles/audit.json
kubectl get pods -w
# NAME READY STATUS RESTARTS AGE
# accessor 1/1 Running 0 26h
# secure 0/1 CreateContainerError 0 23s
# cat pod2.yaml
# apiVersion: v1
# kind: Pod
# metadata:
#   labels:
#     run: secure
#   name: secure
# spec:
#   securityContext:
#     seccompProfile:
#       type: Localhost
#       localhostProfile: default.json

微服务漏洞最小化

# Microservice vulnerability minimisation: OPA Gatekeeper policies, Secret
# consumption, etcd encryption at rest, and a look at the container runtime.
# Gatekeeper ConstraintTemplate that always denies: "1 > 0" is always true, so
# every object the constraint matches is rejected with the configured message.
# Useful only to verify that Gatekeeper is actually enforcing.
vim template.yaml
# apiVersion: templates.gatekeeper.sh/v1beta1
# kind: ConstraintTemplate
# metadata:
#   name: k8salwaysdeny
# spec:
#   crd:
#     spec:
#       names:
#         kind: K8sAlwaysDeny
#   validation:
#     openAPIV3Schema:
#       properties:
#         message:
#           type: string
#   targets:
#   - target: admission.k8s.gatekeeper.sh
#     rego: |
#       package k8salwaysdeny
#       violation[{"msg": msg}] {
#         1 > 0
#         msg := input.parameters.message
#       }
# Constraint instantiating the template for all Pods in the core API group.
vim constraint.yaml
# apiVersion: constraints.gatekeeper.sh/v1beta1
# kind: K8sAlwaysDeny
# metadata:
#   name: pod-always-deny
# spec:
#   match:
#     kinds:
#     - apiGroups: [""]
#       kinds: ["Pod"]
#   parameters:
#     message: "ACCESS DENIED!"
# Template requiring labels: the Rego computes required - provided and reports
# whatever is missing.
vim template_label.yaml
# apiVersion: templates.gatekeeper.sh/v1beta1
# kind: ConstraintTemplate
# metadata:
#   name: k8srequiredlabels
# spec:
#   crd:
#     spec:
#       names:
#         kind: K8sRequiredLabels
#   validation:
#     openAPIV3Schema:
#       properties:
#         labels:
#           type: array
#           items: string
#   targets:
#   - target: admission.k8s.gatekeeper.sh
#     rego: |
#       package k8srequiredlabels
#       violation[{"msg": msg, "details": {"missing_labels": missing}}] {
#         provided := {label | input.review.object.metadata.labels[label]}
#         required := {label | label := input.parameters.labels[_]}
#         missing := required - provided
#         count(missing) > 0
#         msg := sprintf("you must provide labels: %v", [missing])
#       }
# Constraint: every Namespace must carry a "cks" label.
vim all_ns_must_have_cks.yaml
# apiVersion: constraints.gatekeeper.sh/v1beta1
# kind: K8sRequiredLabels
# metadata:
#   name: ns-must-have-cks
# spec:
#   match:
#     kinds:
#     - apiGroups: [""]
#       kinds: ["Namespace"]
#   parameters:
#     labels: ["cks"]
# --from-literal puts the secret value into shell history and process listings;
# --from-file avoids that. An env-var Secret is readable by anything that can
# read the process environment; the volume form below is mounted read-only.
kubectl create secret generic secret1 --from-literal user=admin
kubectl create secret generic secret2 --from-literal pass=12345678
# env:
# - name: PASSWORD
#   valueFrom:
#     secretKeyRef:
#       name: secret2
#       key: pass
# volumeMounts:
# - name: secret1
#   mountPath: "/etc/secret1"
#   readOnly: true
# volumes:
# - name: secret1
#   secret:
#     secretName: secret1
kubectl exec pod -- env | grep PASS
kubectl exec pod -- mount | grep secret1
kubectl exec pod -- ls /etc/secret1
kubectl exec pod -- cat /etc/secret1/user
# Reading etcd directly with the server cert/key shows Secrets stored in the
# clear until encryption at rest is configured. Endpoint IP is lab-specific.
ETCDCTL_API=3 etcdctl --endpoints https://192.168.211.40:2379 --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt endpoint health
ETCDCTL_API=3 etcdctl --endpoints https://192.168.211.40:2379 --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/secret1
cd /etc/kubernetes/etcd
# base64 merely encodes the key; it is not key generation. aescbc expects a 16,
# 24 or 32 byte key, so derive it from random bytes rather than a dictionary word.
echo -n password | base64
echo -n passwordpassword | base64
# EncryptionConfiguration: providers are tried in order for reads and the first
# one is used for writes; "identity" listed last keeps pre-existing plaintext
# Secrets readable. Re-save existing Secrets after enabling so they are stored
# encrypted, and protect this file — it holds the key.
# NOTE(review): cGFzc3dvcmQ= decodes to the 8-byte "password"; the 16-byte
# variant encoded above is presumably what was actually used.
vim ec.yaml
# apiVersion: apiserver.config.k8s.io/v1
# kind: EncryptionConfiguration
# resources:
# - resources:
#   - secrets
#   providers:
#   - aescbc:
#       keys:
#       - name: key1
#         secret: cGFzc3dvcmQ=
#   - identity: {}
# The config is mounted read-only into the kube-apiserver static pod.
# vim kube-apiserver.yaml
# ... - kube-apiserver
# - --encryption-provider-config=/etc/kubernetes/etcd/ec.yaml
# - mountPath: /etc/kubernetes/etcd
# - name: etcd
# - readOnly: true
# - hostPath:
# - path: /etc/kubernetes/etcd
# - type: DirectoryOrCreate
# - name: etcd
# Follow the apiserver log while the kubelet restarts it after the manifest edit.
cd /var/log/pods/
# NOTE(review): the log directory name is truncated on the page.
tail -f kube-system_kube-api .......
ETCDCTL_API=3 etcdctl --endpoints https://192.168.211.40:2379 --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/default-token-2xr8c
# A Secret created after encryption is enabled shows up as ciphertext in etcd.
kubectl create secret generic very-secure --from-literal cc=1234
ETCDCTL_API=3 etcdctl --endpoints https://192.168.211.40:2379 --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key --cacert /etc/kubernetes/pki/etcd/ca.crt get /registry/secrets/default/very-secure
# Decodes to 1234 — base64 in a manifest is encoding, not protection.
echo MTIzNA== | base64 -d
# The same pods as seen by the container runtime.
docker ps
crictl ps
crictl pods
# Pod with a second "proxy" container granted CAP_NET_ADMIN so it can run
# iptables. NOTE(review): the printed manifest (busybox / "pod" / sleep) does not
# match the bash / "app" / ping values of the kubectl run line; presumably pasted
# from the earlier pod.yaml. Its trailing dnsPolicy/restartPolicy/status lines
# also sit under the container where spec-level keys would be expected.
kubectl run app --image=bash --command -oyaml --dry-run=client > app.yaml -- sh -c 'ping baidu.com'
# cat app.yaml
# apiVersion: v1
# kind: Pod
# metadata:
#   creationTimestamp: null
#   labels:
#     run: app
#   name: app
# spec:
#   containers:
#   - command: [sh, -c, sleep 1d]
#     image: busybox
#     name: pod
#     resources: {}
#   - name: proxy
#     image: ubuntu
#     command: [sh, -c, apt-get update && apt-get install iptables -y && iptables -L && sleep 1d]
#     securityContext:
#       capabilities:
#         add: ["NET_ADMIN"]
#     dnsPolicy: ClusterFirst
#     restartPolicy: Always
#   status: {}

供应链安全

# build container stage 1
# Build stage: pinned base image and pinned Go package. CGO_ENABLED=0 yields a
# static binary, so the runtime stage needs no libc. app.go is copied into the
# default working directory (/), so the build output is /app.
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go
# app container stage 2
# Runtime stage: minimal pinned base, /etc made non-writable, a dedicated
# non-root user, and only the built binary copied over from stage 0.
FROM alpine:3.12.0
RUN chmod a-w /etc
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]
# --network=host lets the build stage reach package mirrors through the host
# network; drop it if the default bridge network works in your environment.
docker build --network=host -t app .
# Images used by control-plane pods (grep -v f: drops managedFields noise).
kubectl get pods -A -oyaml | grep image: | grep -v f: | grep api
kubectl get pod -n kube-system kube-apiserver-master -oyaml | grep image
# ImagePolicyWebhook admission: point kube-apiserver at an AdmissionConfiguration
# file, mounted from the directory created below.
vim /etc/kubernetes/manifests/kube-apiserver.yaml
mkdir /etc/kubernetes/admission
cat /etc/kubernetes/manifests/kube-apiserver.yaml
# - kube-apiserver
# - --admission-control-config-file=/etc/kubernetes/admission/admission_config.yaml
root@master:~# cat /etc/kubernetes/admission/admission_config.yaml
# AdmissionConfiguration for the ImagePolicyWebhook plugin. kubeConfigFile names
# the kubeconfig used to reach the webhook backend.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
configuration:
  imagePolicy:
    kubeConfigFile: /etc/kubernetes/admission/kubeconf
    # allowTTL/denyTTL cache webhook decisions (seconds); retryBackoff is in ms.
    allowTTL: 50
    denyTTL: 50
    retryBackoff: 500
    # defaultAllow: true fails open — if the webhook is unreachable every image is
    # admitted. Set it to false to fail closed once the backend is known to work.
    defaultAllow: true
root@node1:~/cks/static-analysis/conftest/kubernetes# ls deploy.yaml policy run.sh
root@node1:~/cks/static-analysis/conftest/kubernetes# cat deploy.yaml
# Sample Deployment used as conftest input. It sets no
# securityContext.runAsNonRoot, so the first rule in policy/deployment.rego is
# expected to deny it; the "app" label satisfies the second rule.
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: test
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: test
    spec:
      containers:
      - image: httpd
        name: httpd
        resources: {}
      # NOTE(review): as printed "status: {}" sits under the pod spec; in the
      # kubectl-generated file it is a top-level key.
      status: {}
root@node1:~/cks/static-analysis/conftest/kubernetes# cat policy/deployment.rego
# conftest policy: each "deny" rule whose body evaluates true adds its msg to the
# result. Both rules apply to Deployment objects only.
package main
deny[msg] {
  input.kind = "Deployment"
  # "not ... = true" is also satisfied when the field is absent, so a missing
  # securityContext is denied (fail closed).
  not input.spec.template.spec.securityContext.runAsNonRoot = true
  msg = "Containers must not run as root"
}
deny[msg] {
  input.kind = "Deployment"
  not input.spec.selector.matchLabels.app
  msg = "Containers must provide app label for pod selectors"
}
root@node1:~/cks/static-analysis/conftest/kubernetes# cat run.sh
# $(pwd) is unquoted, so a working directory containing spaces breaks the mount;
# write it as -v "$(pwd)":/project.
docker run --rm -v $(pwd):/project openpolicyagent/conftest test deploy.yaml
# Trivy image scan. --net=host is presumably needed here for the vulnerability DB
# download; then filter for CRITICAL findings and compare an older pinned tag.
docker run ghcr.io/aquasecurity/trivy:latest image nginx:latest
docker run --net=host ghcr.io/aquasecurity/trivy:latest image nginx:latest
docker run --net=host ghcr.io/aquasecurity/trivy:latest image nginx:latest | grep CRITICAL
docker run --net=host ghcr.io/aquasecurity/trivy:latest image nginx:1.16-alpine

监控、日志记录和运行时安全

# Runtime observability: strace on a local command, then on the etcd process.
strace ls
# -c summarises syscall counts; -w reports wall-clock time per syscall.
strace -cw ls /
echo hello > test
cat test
strace cat test
docker ps | grep etcd
ps -ef | grep etcd
# 118382 is the etcd PID on this lab node; take it from the ps output above.
strace -p 118382 -f
strace -p 118382 -f -cw ls
# /proc/<pid> exposes the process binary (exe) and its open file descriptors.
ls /proc/118382/
ls -l /proc/118382/exe
ls /proc/118382/fd
ls -l /proc/118382/fd
# fd 7 is presumably etcd's data file (the commands run from /proc/118382/fd);
# the Secret value appears in it in plaintext because etcd stores it unencrypted
# here. `strings 7 | grep …` avoids the redundant cat.
tail 7
kubectl create secret generic credit-card --from-literal cc=111222333444
cat 7 | strings | grep 111222333444
cat 7 | strings | grep 111222333444 -A 10 -B 10
kubectl run apache --image=httpd -oyaml --dry-run=client > pod.yaml
root@master:~/cks/runtime-security# vim pod.yaml
# Pod with a secret in a plain environment variable: anything able to read
# /proc/<pid>/environ on the node (shown further below) recovers it.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: apache
  name: apache
spec:
  containers:
  - image: httpd
    name: apache
    resources: {}
    env:
    - name: SECRET
      value: "5555666677778888"
kubectl get pods -owide | grep apache
ps aux | grep httpd
pstree -p
# 123888 is the httpd PID on the node; environ holds the container's environment,
# including the SECRET value, readable from the host.
cd /proc/123888
cat environ
# Falco: events go to syslog on this node; rule files live in /etc/falco.
tail /var/log/syslog | grep falco
root@node2:~# cd /etc/falco/
root@node2:/etc/falco# ls
falco_rules.local.yaml falco_rules.yaml falco.yaml k8s_audit_rules.yaml rules.available rules.d
# Locate the rule that produced the observed message; the override goes into
# falco_rules.local.yaml so the upstream falco_rules.yaml stays untouched.
root@node2:/etc/falco# grep -r "A shell was spawned in a container with an attached terminal" *
falco_rules.yaml: A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
# update the configuration
root@node2:/etc/falco# cat falco_rules.local.yaml
# Override of "Terminal shell in container": same condition as upstream, a custom
# comma-separated output format, priority WARNING.
# NOTE(review): as printed the leading "- " list marker is missing (Falco rule
# files are a YAML list), and the output ends with a stray ")"; verify the rule
# loads.
rule: Terminal shell in container
desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
condition: >
  spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint and not user_expected_terminal_shell_in_container_conditions
output: >
  %evt.time,%user.name,%container.name,%container.id shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
priority: WARNING
tags: [container, shell, mitre_execution]
root@master:~/cks/runtime-security# cat pod.yaml
# "Immutable container" attempt 1: a startupProbe that deletes /bin/bash once the
# container is up. This removes a single shell and only after start, so the
# readOnlyRootFilesystem variant that follows is the stronger control.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: immutable
  name: immutable
spec:
  containers:
  - image: httpd
    name: immutable
    resources: {}
    startupProbe:
      exec:
        command: [rm, /bin/bash]
      initialDelaySeconds: 1
      periodSeconds: 5
    # NOTE(review): dnsPolicy/restartPolicy/status are spec-level keys; the
    # page's indentation places them under the container.
    dnsPolicy: ClusterFirst
    restartPolicy: Always
    status: {}
root@master:~/cks/runtime-security# cat pod.yaml
# "Immutable container" attempt 2: read-only root filesystem, with a writable
# emptyDir only where httpd needs to write (its logs directory).
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: immutable
  name: immutable
spec:
  containers:
  - image: httpd
    name: immutable
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /usr/local/apache2/logs
      name: cache-volume
    # NOTE(review): volumes/dnsPolicy/restartPolicy/status are spec-level keys;
    # the page's indentation places them under the container.
    volumes:
    - name: cache-volume
      emptyDir: {}
    dnsPolicy: ClusterFirst
    restartPolicy: Always
    status: {}
# NOTE(review): "auditing" here vs "audit" everywhere else is probably a typo;
# the policy, log path and volume below all use /etc/kubernetes/audit.
mkdir /etc/kubernetes/auditing
mkdir /etc/kubernetes/audit/logs
cat /etc/kubernetes/audit/policy.yaml
# Minimal audit policy: record request metadata (user, verb, resource, timestamp)
# for every request, without request or response bodies.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
root@master:/etc/kubernetes/manifests# cat kube-apiserver.yaml
.........
# Audit flags on the kube-apiserver static pod plus a hostPath mount so the log
# persists on the node. --audit-log-maxsize is in megabytes.
- kube-apiserver
- --audit-policy-file=/etc/kubernetes/audit/policy.yaml
- --audit-log-path=/etc/kubernetes/audit/logs/audit.log
- --audit-log-maxsize=500
- mountPath: /etc/kubernetes/audit
- name: audit
volumes:
# NOTE(review): as printed, path/type/name are list items under hostPath; in the
# real manifest path and type are keys of the hostPath mapping and name is a
# sibling of hostPath.
- hostPath:
  - path: /etc/kubernetes/audit
  - type: DirectoryOrCreate
  - name: audit
- hostPath:
tail /etc/kubernetes/audit/logs/audit.log
# Secret value on the command line again; fine for a lab, avoid elsewhere.
kubectl create secret generic very-secure --from-literal=user=admin
# grep can read the file directly (`grep very-secure audit.log | jq .`).
cat /etc/kubernetes/audit/logs/audit.log | grep very-secure | jq .
root@master:/etc/kubernetes/audit# cat policy.yaml
# Audit policy, second version. Rules are evaluated in order and the first match
# wins, so the leading "level: Metadata" rule (no selector) matches every request
# and the rules after it never apply as printed.
# NOTE(review): presumably an intermediate state of the exercise; the intended
# order is None for reads, Metadata for Secrets, RequestResponse for the rest.
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived stage omitted to halve the number of events per request.
omitStages:
- "RequestReceived"
rules:
- level: Metadata
- level: None
  verbs: ["get","list","watch"]
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse
# Moving the manifest out of the static pod directory stops kube-apiserver;
# moving it back restarts it with the new audit policy. ps shows the cycle.
mv /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/
ps aux | grep api
mv /etc/kubernetes/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
ps aux | grep api
tail /etc/kubernetes/audit/logs/audit.log | jq .
# Generate some activity and check what the policy records for it. grep can read
# the log directly; the cat is redundant.
kubectl create sa very-crazy-sa
kubectl get secret
cat /etc/kubernetes/audit/logs/audit.log | grep very-crazy-sa
kubectl run accessor --image=nginx --dry-run=client -oyaml > pod.yaml
root@master:~/cks/runtime-security# vim pod3.yaml
# Pod bound to the very-crazy-sa ServiceAccount, presumably so that audit entries
# for its API access can be attributed to that identity.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: accessor
  name: accessor
spec:
  serviceAccountName: very-crazy-sa
  containers:
  - image: nginx
    name: accessor
    resources: {}
    # NOTE(review): dnsPolicy/restartPolicy/status are spec-level keys; the
    # page's indentation places them under the container.
    dnsPolicy: ClusterFirst
    restartPolicy: Always
    status: {}
kubectl get pod accessor -w
# grep can read the log file directly; no cat needed.
cat /etc/kubernetes/audit/logs/audit.log | grep accessor
