k8s/StudyNotes/ Security Docker
- Docker uses Namespace on linux does isolation, process still visible on host.
- /usr/include/linux/capability.h
- can limit capability's.
- /usr/include/linux/capability.h
On Docker can add capabilities
docker run --cap-add MAC_ADMIN or --cap-drop or --privileged
- In k8s, can set security on Pod or Container level.
Set under spec: for POD level, or move under containers:
securityContext: runAsUser: 1000 capabilities: add: ["MAC_ADMIN"]