K8S Source Code Analysis (Capabilities)
In a pod or container we can set a securityContext to restrict the container's privileges on the host node.
Sometimes, however, we need to grant a container a subset of system privileges, which requires an extra capability configuration, for example:
```yaml
containers:
- name: sec-ctx-4
  image: gcr.io/google-samples/node-hello:1.0
  securityContext:
    capabilities:
      add: [NET_ADMIN, SYS_TIME]
```

So how is this implemented underneath?
A capability object is initialized. Note that this uses sync.Once, which guarantees that only one instance is created (the author describes this as holding in a distributed scenario), because on Linux this is a fixed list. Containers that need privileges are granted them from this object.
```go
package capabilities

import "sync"

// Capabilities defines the set of capabilities available within the system.
// For now these are global. Eventually they may be per-user
type Capabilities struct {
	AllowPrivileged bool

	// Pod sources from which to allow privileged capabilities like host networking, sharing the host
	// IPC namespace, and sharing the host PID namespace.
	PrivilegedSources PrivilegedSources

	// PerConnectionBandwidthLimitBytesPerSec limits the throughput of each connection (currently only used for proxy, exec, attach)
	PerConnectionBandwidthLimitBytesPerSec int64
}

// PrivilegedSources defines the pod sources allowed to make privileged requests for certain types
// of capabilities like host networking, sharing the host IPC namespace, and sharing the host PID namespace.
type PrivilegedSources struct {
	// List of pod sources for which using host network is allowed.
	HostNetworkSources []string

	// List of pod sources for which using host pid namespace is allowed.
	HostPIDSources []string

	// List of pod sources for which using host ipc is allowed.
	HostIPCSources []string
}

var capInstance struct {
	once         sync.Once
	lock         sync.Mutex
	capabilities *Capabilities
}

// Initialize the capability set. This can only be done once per binary, subsequent calls are ignored.
func Initialize(c Capabilities) {
	// Only do this once
	capInstance.once.Do(func() {
		capInstance.capabilities = &c
	})
}

// Setup the capability set. It wraps Initialize for improving usability.
func Setup(allowPrivileged bool, perConnectionBytesPerSec int64) {
	Initialize(Capabilities{
		AllowPrivileged:                        allowPrivileged,
		PerConnectionBandwidthLimitBytesPerSec: perConnectionBytesPerSec,
	})
}

// Get returns a read-only copy of the system capabilities.
func Get() Capabilities {
	capInstance.lock.Lock()
	defer capInstance.lock.Unlock()
	// This check prevents clobbering of capabilities that might've been set via SetForTests
	if capInstance.capabilities == nil {
		Initialize(Capabilities{
			AllowPrivileged: false,
			PrivilegedSources: PrivilegedSources{
				HostNetworkSources: []string{},
				HostPIDSources:     []string{},
				HostIPCSources:     []string{},
			},
		})
	}
	return *capInstance.capabilities
}
```
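To show how the global Capabilities struct is actually consulted when a pod such as the one in the YAML above is admitted, here is an added example. It is not Kubernetes' own code: it re-implements the Capabilities and PrivilegedSources types from the snippet, and the podSpec, container, securityContext, canRunPod, sourceAllowed and requestedCapabilities names, the pod source strings ("file", "api", "http") and the "*" wildcard are all assumptions made for illustration. The check denies privileged containers unless AllowPrivileged is set, and denies each host namespace unless the pod's source is listed; requestedCapabilities collects the Linux capabilities a pod adds so that an operator can log or alert on them.

```go
// Added example, not Kubernetes source: a minimal model of how a kubelet-style
// admission step consults the global Capabilities when deciding to run a pod.
package main

import (
	"fmt"
	"sort"
)

// Capabilities and PrivilegedSources mirror the structs discussed on the page.
type Capabilities struct {
	AllowPrivileged   bool
	PrivilegedSources PrivilegedSources
}

type PrivilegedSources struct {
	HostNetworkSources []string
	HostPIDSources     []string
	HostIPCSources     []string
}

// securityContext is a cut-down container securityContext (assumed shape).
type securityContext struct {
	Privileged      bool
	AddCapabilities []string // e.g. NET_ADMIN, SYS_TIME from the YAML above
}

type container struct {
	Name            string
	SecurityContext *securityContext
}

// podSpec is a cut-down pod; Source is where the pod came from
// ("file", "http", "api" are assumed source names).
type podSpec struct {
	Source      string
	HostNetwork bool
	HostPID     bool
	HostIPC     bool
	Containers  []container
}

// sourceAllowed reports whether src is in allowed; "*" is an assumed wildcard.
func sourceAllowed(allowed []string, src string) bool {
	for _, a := range allowed {
		if a == "*" || a == src {
			return true
		}
	}
	return false
}

// canRunPod is the admission decision: privileged containers require
// AllowPrivileged, and each host namespace requires the pod's source to be listed.
func canRunPod(caps Capabilities, pod podSpec) error {
	if !caps.AllowPrivileged {
		for _, c := range pod.Containers {
			if c.SecurityContext != nil && c.SecurityContext.Privileged {
				return fmt.Errorf("container %q requests privileged mode, but privileged containers are disallowed", c.Name)
			}
		}
	}
	ps := caps.PrivilegedSources
	if pod.HostNetwork && !sourceAllowed(ps.HostNetworkSources, pod.Source) {
		return fmt.Errorf("pod source %q may not use host networking", pod.Source)
	}
	if pod.HostPID && !sourceAllowed(ps.HostPIDSources, pod.Source) {
		return fmt.Errorf("pod source %q may not share the host PID namespace", pod.Source)
	}
	if pod.HostIPC && !sourceAllowed(ps.HostIPCSources, pod.Source) {
		return fmt.Errorf("pod source %q may not share the host IPC namespace", pod.Source)
	}
	return nil
}

// requestedCapabilities returns the sorted, de-duplicated set of Linux
// capabilities the pod's containers add, for audit logging.
func requestedCapabilities(pod podSpec) []string {
	seen := map[string]bool{}
	for _, c := range pod.Containers {
		if c.SecurityContext == nil {
			continue
		}
		for _, capName := range c.SecurityContext.AddCapabilities {
			seen[capName] = true
		}
	}
	out := make([]string, 0, len(seen))
	for capName := range seen {
		out = append(out, capName)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed settings: privileged containers off, host networking only for static (file) pods.
	caps := Capabilities{PrivilegedSources: PrivilegedSources{HostNetworkSources: []string{"file"}}}
	pod := podSpec{Source: "api", Containers: []container{{
		Name:            "sec-ctx-4",
		SecurityContext: &securityContext{AddCapabilities: []string{"NET_ADMIN", "SYS_TIME"}},
	}}}
	fmt.Println("admit:", canRunPod(caps, pod), "added caps:", requestedCapabilities(pod))
	pod.HostNetwork = true
	fmt.Println("admit with hostNetwork:", canRunPod(caps, pod))
}
```

Note that adding NET_ADMIN or SYS_TIME is not gated by AllowPrivileged in this model, just as the page's struct only covers full privileged mode and host namespaces; that is why the audit list is worth emitting separately.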