容器中的安全上下文限制，在 Pod 级别仍然适用
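# Two PodSecurityPolicy documents followed by the RBAC commands that bind them.
# PSP is cluster-scoped, so the `metadata.namespace: default` in the original listing
# is ignored by the API server and is dropped here. `extensions/v1beta1` is the legacy
# API group for PSP; the resource itself was removed in Kubernetes 1.25.
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  hostIPC: false
  hostPID: false
  hostNetwork: false
  hostPorts:
    - min: 10000
      max: 11000
    - min: 13000
      max: 14000
  # The original listing had `privileged: true` here, which contradicts the error output
  # at the end ("Privileged containers are not allowed") and makes this policy identical
  # to `privileged`. The policy granted to every authenticated user must deny it.
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # '*' permits every volume type, including hostPath, so a pod admitted under this
  # policy can still mount the node filesystem. Restrict to the types workloads need.
  volumes:
    - '*'
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
spec:
  hostIPC: false
  hostPID: false
  hostNetwork: false
  hostPorts:
    - min: 10000
      max: 11000
    - min: 13000
      max: 14000
  # Intentionally permissive; only the `admin` user is bound to it below.
  privileged: true
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  volumes:
    - '*'

# RBAC wiring (shell). `kubectl create clusterrole` takes the singular flag --resource
# with the plural resource name, and `kubectl create clusterrolebinding` requires a
# binding NAME as its first argument; the group selector flag is --group.
kubectl create clusterrole psp-default --verb=use --resource=podsecuritypolicies --resource-name=default
kubectl create clusterrole psp-privileged --verb=use --resource=podsecuritypolicies --resource-name=privileged
kubectl create clusterrolebinding psp-default --clusterrole=psp-default --group=system:authenticated
kubectl create clusterrolebinding psp-privileged --clusterrole=psp-privileged --user=admin

# A non-admin creating a pod with securityContext.privileged=true is rejected by the
# `default` policy, which is the behaviour the original session recorded:
kubectl create -f centos_1.yaml
Error from server (Forbidden): error when creating "centos_1.yaml": pods "centos5" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]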