Task
分析和编辑给定的Dockerfile /cks/docker/Dockerfile(基于ubuntu:16.04 镜像), 并修复在文件中拥有的突出的安全/最佳实践问题的两个指令。
分析和编辑给定的清单文件 /cks/docker/deployment.yaml , 并修复在文件中拥有突出的安全/最佳实践问题的两个字段。
注意:请勿添加或删除配置设置;只需修改现有的配置设置让以上两个配置设置都不再有安全/最佳实践问题。
注意:如果您需要非特权用户来执行任何项目,请使用用户ID 65535 的用户 nobody 。
只修改即可,不需要创建。
解:
FROM ubuntu:last # 跟题目要求不符,改为对应镜像
USER root
RUN apt-get install -y wget curl gcc gcc-c++ make openssl-devel pcre-devel gd-devel \
iproute net-tools telnet && \
yum clean all && \
rm -rf /var/cache/apt/*
ADD nginx-1.15.5.tar.gz /
RUN cd nginx-1.15.5 && \
./configure --prefix=/usr/local/nginx \
--with-http_ssl_module \
--with-http_stub_status_module && \
make -j 4 && make install && \
mkdir /usr/local/nginx/conf/vhost && \
cd / && rm -rf nginx* && \
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
COPY sunnydale.sh .
ENTRYPOINT ["/sunnydale.sh"]
USER root # 跟题目要求不符,改为nobody
CMD ["./sunnydale.sh"]
ENV PATH $PATH:/usr/local/nginx/sbin
COPY nginx.conf /usr/local/nginx/conf/nginx.conf
WORKDIR /usr/local/nginx
EXPOSE 80
CMD ["nginx","-g","daemon off;"]
apiVersion: apps/v1
kind: Deployment
metadata:
name: couchdb
namespace: default
labels:
app: couchdb
version: stable
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app: couchdb
version: stable
template:
metadata:
labels:
run: couchdb # 这里labels与上面metadata和selector都不符
version: stable
spec:
containers:
- name: couchdb
image: demo:v1
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthCheck
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
periodSeconds: 30
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /healthCheck
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 5
ports:
- name: http
containerPort: 8080
protocol: TCP
volumeMounts:
- name: database-storage
mountPath: /var/lib/database
securityContext:
# 这个linux capabilities的配置意思为只开启网口绑定权限,其他权限禁止,然后privileded是超级权限,readOnlyRootFilesystem是以只读方式加载容器的根文件系统,65535的user指的nobody
# 从安全角度考虑,那么privileged应该为false,readOnlyRootFilesystem应该为true,runAsUser应该为65535
{'capabilities': {'add': ['NET_BIND_SERVICE'], 'drop': ['all']}, 'privileged': True, 'readOnlyRootFilesystem': False, 'runAsUser': 65535}
resources:
limits:
cpu: 300m
memory: 500Mi
requests:
cpu: 100m
memory: 100Mi
volumes:
- name: database-storage
emptyDir: {}