# 실습
### Security Context
1. Pod 생성
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
EOF
2. 컨테이너에서 프로세스를 실행중인 유저 확인
kubectl exec nginx -- id
3. 프로세스 유틸리티 설치
```
kubectl exec nginx -- bash -c "apt update && apt install -y procps"
```
4. 실행중인 프로세스 확인
```
kubectl exec nginx -- ps aux
```
5. *nginx* 유저 확인
```
kubectl exec nginx -- id nginx
```
6. Pod 재생성
```
cat <cat <<EOF | kubectl replace --force -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx
data:
nginx.conf: |
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
securityContext:
runAsNonRoot: true
runAsUser: 101
containers:
- image: youngwjung/nginx-nonroot
name: nginx
ports:
- containerPort: 80
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
volumes:
- name: nginx-conf
configMap:
name: nginx
items:
- key: nginx.conf
path: nginx.conf
EOF
23. Pod 상태 확인
```
kubectl get pod nginx
```
24. 컨테이너가 정상적으로 실행중인지 확인
```
kubectl exec nginx -- curl -s localhost:8080
```
25. 새로운 Pod 생성
```
cat <cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: ubuntu
spec:
containers:
- image: ubuntu
name: ubuntu
command: ["sleep", "3600"]
EOF
2. 새로운 리눅스 네임스페이스를 만드는 명령어 실행
```
kubectl exec -it ubuntu -- unshare
```
3.
4. Pod 생성
```
cat <
35. 새로운 Node가 생성되었는지 확인
```
kubectl get node
```
36. 한개의 Node로 Session Manager 연결
```
aws ssm start-session --target \
$(kubectl get node -o jsonpath='{.items[0].spec.providerID}{"\n"}' | grep -oE "i-[a-z0-9]+")
```
37. Calico CNI가 생성한 iptable 규칙들이 남아 있는지 확인
```
sudo iptables-save | grep -i cali
```
38. Session Manager 종료
```
exit
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://kubernetes.youngwjung.com/advanced-topics/security/lab.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.