Is there a way to allow only certain namespaces or users to launch privileged pods? I need to run a service in a container with privileged mode enabled, but I don't want to grant this capability to all users.

Running kubelet with --allow-privileged=true seems to allow anyone to run privileged containers.
Answer 0: (score: 1)
Right now, I don't believe this is possible. I think PodSecurityPolicy may eventually be the way to accomplish this, but right now, it is a non-namespaced object. Some of the work is still ongoing, and you can track it on Kubernetes Issue #23217.
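Added example, not part of the question or the answer above: once PodSecurityPolicy shipped (the policy/v1beta1 API, later removed in Kubernetes 1.25), the per-namespace restriction the asker wants could be expressed as a cluster-wide policy that permits privileged containers, with the RBAC "use" permission on it granted only to the service accounts of one namespace. The namespace `privileged-ns`, the policy name `privileged-allowed` and the role names are assumed placeholders.

```yaml
# Added example, not from the thread. Assumes a cluster with the
# PodSecurityPolicy admission plugin enabled (policy/v1beta1, removed in
# v1.25). Namespace and object names are assumed placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged-allowed
spec:
  privileged: true            # the only policy in the cluster that allows this
  allowPrivilegeEscalation: true
  volumes: ['*']
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Grant the "use" verb on exactly that one policy ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-privileged-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['privileged-allowed']
---
# ... and bind it with a RoleBinding (not a ClusterRoleBinding), so the
# grant is scoped to service accounts of the single namespace below.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: privileged-psp-binding
  namespace: privileged-ns
roleRef:
  kind: ClusterRole
  name: use-privileged-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:serviceaccounts:privileged-ns
  apiGroup: rbac.authorization.k8s.io
```

With the admission plugin on, every other namespace still needs a non-privileged policy its service accounts are allowed to use, otherwise their pods are rejected outright.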