From b369a8ce7d17eecdeaf8971043d386e84adb8fa2 Mon Sep 17 00:00:00 2001
From: "huanqing.shao"
Date: Fri, 4 Oct 2019 08:03:35 +0800
Subject: [PATCH] securityContext

---
 .vuepress/config.js | 13 ++++++-
 learning/README.md | 11 ++++--
 .../config/sec-ctx/con-cap.md | 12 ++++++
 .../config/sec-ctx/con-sel.md | 12 ++++++
 .../k8s-intermediate/config/sec-ctx/con.md | 12 ++++++
 .../k8s-intermediate/config/sec-ctx/index.md | 38 +++++++++++++++++++
 .../k8s-intermediate/config/sec-ctx/pod.md | 12 ++++++
 7 files changed, 105 insertions(+), 5 deletions(-)
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/con-cap.md
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/con-sel.md
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/con.md
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/index.md
 create mode 100644 learning/k8s-intermediate/config/sec-ctx/pod.md

diff --git a/.vuepress/config.js b/.vuepress/config.js
index 0ff0e95..f37a3ff 100644
--- a/.vuepress/config.js
+++ b/.vuepress/config.js
@@ -316,7 +316,18 @@ module.exports = {
 // 'k8s-intermediate/config/secrets/use-cases',
 // 'k8s-intermediate/config/secrets/best-practices',
 ]
- }
+ },
+ {
+ title: 'Security Context',
+ collapsable: true,
+ children: [
+ 'k8s-intermediate/config/sec-ctx/',
+ // 'k8s-intermediate/config/sec-ctx/pod',
+ // 'k8s-intermediate/config/sec-ctx/con',
+ // 'k8s-intermediate/config/sec-ctx/con-cap',
+ // 'k8s-intermediate/config/sec-ctx/con-sel',
+ ]
+ },
 ]
 }
 ]
diff --git a/learning/README.md b/learning/README.md
index cdd3c1c..68a872a 100644
--- a/learning/README.md
+++ b/learning/README.md
@@ -14,9 +14,11 @@ meta:
 * Kubernetes 初学者
 * 学习过 Kubernetes,但在投产过程中仍有诸多疑虑和困惑的技术爱好者
-
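Review bot: The four `children` entries under the new 'Security Context' sidebar section are commented out without any explanation, although the same commit creates pod.md, con.md, con-cap.md and con-sel.md and links to all four from index.md, so a reader of the sidebar config cannot tell whether they are pending or abandoned. Those pages presumably stay hidden because they currently hold only a placeholder; a short comment above the list would record that intent, for example `// TODO: enable each entry once its page is written (currently "正在撰写..." placeholders)`. The enclosing `module.exports` object starts and ends outside the hunk.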

- Kubernetes管理界面:Kuboard Logo -

+
+
+ Kubernetes管理界面:Kuboard Logo +
+
+ ## **Kubernetes 体验**
 * [安装 Kubernetes 单Master节点](/install/install-k8s.html) (30分钟,初学者也许需要更多)
@@ -61,13 +63,14 @@ meta:
 * [数据卷 Volume](/learning/k8s-intermediate/persistent/volume.html)
 * [存储卷 PV 和存储卷声明 PVC](/learning/k8s-intermediate/persistent/pv.html)
 * [存储类 StorageClass](/learning/k8s-intermediate/persistent/storage-class.html)
- * [自建 NFS 服务](/learning/k8s-intermediate/persistent/nfs.html)
+ * [自建 NFS 服务](/learning/k8s-intermediate/persistent/nfs.html)
 * 配置
 * [使用 ConfigMap 配置您的应用程序](/learning/k8s-intermediate/config/config-map.html)
 * [管理容器的计算资源](/learning/k8s-intermediate/config/computing-resource.html)
 * [将容器调度到指定的节点](/learning/k8s-intermediate/config/assign-pod-node.html)
 * [污点和容忍 taints and toleration](/learning/k8s-intermediate/config/taints-toleration/)
 * [Secrets](/learning/k8s-intermediate/config/secrets/)
+ * [Security Context](/learning/k8s-intermediate/config/sec-ctx/)
 ## **Kubernetes 高级**
diff --git a/learning/k8s-intermediate/config/sec-ctx/con-cap.md b/learning/k8s-intermediate/config/sec-ctx/con-cap.md
new file mode 100644
index 0000000..065ff34
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/con-cap.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为容器设置Linux Capabilities
+
+正在撰写...
diff --git a/learning/k8s-intermediate/config/sec-ctx/con-sel.md b/learning/k8s-intermediate/config/sec-ctx/con-sel.md
new file mode 100644
index 0000000..d6ebe88
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/con-sel.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为容器设置SELinux标签
+
+正在撰写...
diff --git a/learning/k8s-intermediate/config/sec-ctx/con.md b/learning/k8s-intermediate/config/sec-ctx/con.md
new file mode 100644
index 0000000..5cc3ecc
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/con.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为容器设置Security Context
+
+正在撰写...
diff --git a/learning/k8s-intermediate/config/sec-ctx/index.md b/learning/k8s-intermediate/config/sec-ctx/index.md
new file mode 100644
index 0000000..c73891a
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/index.md
@@ -0,0 +1,38 @@
+---
+vssueId: 108
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为Pod或Container配置Security Context
+
+> 参考文档:Kubernetes 官网文档 [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#assign-selinux-labels-to-a-container)
+
+Security Context(安全上下文)用来限制容器对宿主节点的可访问范围,以避免容器非法操作宿主节点的系统级别的内容,使得节点的系统或者节点上其他容器组受到影响。
+
+Security Context可以按照如下几种方式设定:
+
+* 访问权限控制:是否可以访问某个对象(例如文件)是基于 [userID(UID)和 groupID(GID)](https://wiki.archlinux.org/index.php/users_and_groups) 的
+
+* [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux):为对象分配Security标签
+
+* 以 privileged(特权)模式运行
+
+* [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/):为容器组(或容器)分配一部分特权,而不是 root 用户的所有特权
+* [AppArmor](https://kubernetes.io/docs/tutorials/clusters/apparmor/):自 Kubernetes v1.4 以来,一直处于 beta 状态
+* [Seccomp](https://docs.docker.com/engine/security/seccomp/):过滤容器中进程的系统调用(system call)
+* AllowPrivilegeEscalation(允许特权扩大):此项配置是一个布尔值,定义了一个进程是否可以比其父进程获得更多的特权,直接效果是,容器的进程上是否被设置 [no_new_privs](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) 标记。当出现如下情况时,AllowPrivilegeEscalation 的值始终为 true:
+ * 容器以 privileged 模式运行
+ * 容器拥有 CAP_SYS_ADMIN 的 Linux Capability
+
+如需要了解更多关于 Linux 安全机制方面的信息,请参考 [Overview Of Linux Kernel Security Features](https://www.linux.com/tutorials/overview-linux-kernel-security-features/)
+
+本文从以下几个方面介绍如何在 Kubernetes 中配置 Security Context
+
+* [为Pod设置Security Context](./pod.html)
+* [为容器设置Security Context](./con.html)
+* [为容器设置Linux Capabilities](./con-cap.html)
+* [为容器设置SELinux标签](./con-sel.html)
diff --git a/learning/k8s-intermediate/config/sec-ctx/pod.md b/learning/k8s-intermediate/config/sec-ctx/pod.md
new file mode 100644
index 0000000..dcfa6b9
--- /dev/null
+++ b/learning/k8s-intermediate/config/sec-ctx/pod.md
@@ -0,0 +1,12 @@
+---
+# vssueId: 64
+layout: LearningLayout
+description: Kubernetes教程_为Pod容器组或Container容器配置Security Context安全上下文
+meta:
+ - name: keywords
+ content: Kubernetes教程,K8S教程,Security Context,SecurityContext
+---
+
+# 为Pod设置Security Context
+
+正在撰写...