Reference
Configuration Best Practices
https://kubernetes.io/zh-cn/docs/concepts/configuration/overview/
I. TASK
Solve this question on: ssh cks8930
The Release Engineering Team has shared some YAML manifests and Dockerfiles with you to review. The files are located under /opt/course/22/files.
As a container security expert, you are asked to perform a manual static analysis and find out possible security issues with respect to unwanted credential exposure. Running processes as root is of no concern in this task.
Write the filenames which have issues into /opt/course/22/security-issues on cks8930.
II. Solution process
1. Solving the problem
The process is as follows (example):
# Connect to the required node as instructed
candidate@terminal:~$ ssh cks8930
# Switch to root so that writing the answer file does not fail for lack of permissions
candidate@cks8930:~$ sudo -i
# Inspect /opt/course/22/files and list the files
root@cks8930:~# ls -la /opt/course/22/files
-rw-r--r-- 1 candidate candidate 384 Sep 8 14:05 Dockerfile-go
-rw-r--r-- 1 candidate candidate 441 Sep 8 14:05 Dockerfile-mysql
-rw-r--r-- 1 candidate candidate 390 Sep 8 14:05 Dockerfile-py
-rw-r--r-- 1 candidate candidate 341 Sep 8 14:05 deployment-nginx.yaml
-rw-r--r-- 1 candidate candidate 723 Sep 8 14:05 deployment-redis.yaml
-rw-r--r-- 1 candidate candidate 529 Sep 8 14:05 pod-nginx.yaml
-rw-r--r-- 1 candidate candidate 228 Sep 8 14:05 pv-manual.yaml
-rw-r--r-- 1 candidate candidate 188 Sep 8 14:05 pvc-manual.yaml
-rw-r--r-- 1 candidate candidate 211 Sep 8 14:05 sc-local.yaml
-rw-r--r-- 1 candidate candidate 902 Sep 8 14:05 statefulset-nginx.yaml
# Files with credential-exposure issues (the answer file holds only the filenames, one per line; the reason for each is noted here after the arrow)
root@cks8930:~# cat /opt/course/22/security-issues
Dockerfile-mysql ----->the secret-token file is written into an image layer, so it stays in the image even if a later layer deletes it
deployment-redis.yaml ----->the pod prints the username and password to its log after it starts
statefulset-nginx.yaml ----->the password is written as a plain value in the YAML file
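As an added example that is not part of the original write-up, the script below automates the first pass of the static analysis described above: it flags files that show the three exposure patterns found in the solution (a secret file baked into an image layer, a credential printed by the running process, and a password written as a literal value in a manifest). The sample files it writes are constructed for the demo: their names mirror the exam listing, but their contents are invented and are not the real contents of /opt/course/22/files, and the grep/awk patterns are my own heuristics rather than an exam-provided tool.

```shell
#!/bin/sh
# Added example (not part of the original write-up): a grep/awk triage helper for the
# three kinds of credential exposure listed above. The sample files are constructed here;
# their names mirror the exam listing, but their contents are invented, not the real files.
set -eu

# has_credential_issue FILE -> returns 0 if FILE shows a likely credential exposure
has_credential_issue() {
    f="$1"
    # 1. Dockerfile: a secret in ENV/ARG, or a secret file brought in by COPY/ADD, is stored in an image layer and survives a later `RUN rm`
    if grep -Eiq '^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Z_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)' "$f"; then return 0; fi
    if grep -Eiq '^[[:space:]]*(COPY|ADD)[[:space:]]+[^[:space:]]*(secret|token|password|passwd|id_rsa|\.key)' "$f"; then return 0; fi
    # 2. Manifest: a secret-looking env var given as a literal `value:` on the line after its `name:` instead of a
    #    `valueFrom: secretKeyRef`; the literal then lives in git, in `kubectl get -o yaml` output and in the audit log
    if awk 'tolower($0) ~ /name:[ \t]*"?[a-z_]*(password|passwd|secret|token)/ { pending = 1; next }
            pending && /^[ \t]*value:/ { found = 1 }
            { pending = 0 }
            END { exit found ? 0 : 1 }' "$f"; then return 0; fi
    # 3. Process output: a command/args/RUN line that echoes or cats a credential; the output ends up in `kubectl logs` or the build log
    if grep -Eiq '(echo|printf|printenv|cat)[^#]*(password|passwd|secret|token)' "$f"; then return 0; fi
    return 1
}

# make_samples DIR -> writes the constructed sample files (manifests trimmed to the pod spec)
make_samples() {
    d="$1"; mkdir -p "$d"
    # clean: multi-stage build, no credentials anywhere
    cat > "$d/Dockerfile-go" <<'EOF'
FROM golang:1.22 AS build
COPY . .
RUN go build -o /app ./...
FROM gcr.io/distroless/static
COPY --from=build /app /app
ENTRYPOINT ["/app"]
EOF
    # issue 1: secret-token sits in the COPY layer; the rm in the next layer does not remove it from the image
    cat > "$d/Dockerfile-mysql" <<'EOF'
FROM mysql:8.0
COPY secret-token /root/secret-token
RUN rm /root/secret-token
EOF
    # clean: the token comes from a Secret reference and is never printed
    cat > "$d/deployment-nginx.yaml" <<'EOF'
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: nginx
        env:
        - name: API_TOKEN
          valueFrom:
            secretKeyRef:
              name: nginx-api
              key: token
EOF
    # issue 3: the password is referenced correctly, but the start command echoes it into the container log
    cat > "$d/deployment-redis.yaml" <<'EOF'
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: redis
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              name: redis-auth
              key: password
        command: ["sh", "-c", "echo password=$REDIS_PASSWORD; exec redis-server --requirepass $REDIS_PASSWORD"]
EOF
    # issue 2: the password is a literal value in the manifest
    cat > "$d/statefulset-nginx.yaml" <<'EOF'
kind: StatefulSet
spec:
  template:
    spec:
      containers:
      - name: nginx
        env:
        - name: ADMIN_PASSWORD
          value: "SuperSecret123"
EOF
}

# scan_dir DIR -> prints the basename of every file in DIR that has a credential issue
scan_dir() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        if has_credential_issue "$p"; then basename "$p"; fi
    done
}

SAMPLE_DIR="$(mktemp -d)"
make_samples "$SAMPLE_DIR"
scan_dir "$SAMPLE_DIR"   # on the exam box: scan_dir /opt/course/22/files, then read every hit by hand
```

This is a triage aid, not a verdict: a hit still has to be confirmed by reading the file, and a miss does not prove a file clean (a secret mounted from a hostPath, a `.env` file pulled in by `ADD`, or a base64 `data:` value in a Secret manifest would slip past these patterns). The exam answer file must contain only the filenames, one per line, so the output of `scan_dir` is written as-is only after each hit has been checked.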