Let's secure your containers
Kubernetes
1. Copy the YAML below and save it into a file like phonito-deployment.yml
2. Deploy it into your cluster bu running kubectl apply -f phonito-deployment.yml
apiVersion: v1
kind: Namespace
metadata:
name: phonito
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
labels:
app: phonito-scanner
name: phonito-scanner
namespace: phonito
spec:
selector:
matchLabels:
app: phonito-scanner
template:
metadata:
creationTimestamp: null
labels:
app: phonito-scanner
name: phonito-scanner
spec:
automountServiceAccountToken: false
containers:
- env:
- name: PHONITO_API_TOKEN
value: GET YOUR API TOKEN HERE https://phonito.io/setup
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
image: phonito/scanner
imagePullPolicy: Always
name: phonito-scanner
resources:
limits:
cpu: 300m
memory: 300Mi
requests:
cpu: 300m
memory: 300Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
- SYS_PTRACE
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/docker.sock
name: docker
- mountPath: /hostfs
name: hostfs
dnsPolicy: ClusterFirst
hostNetwork: true
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
shareProcessNamespace: false
terminationGracePeriodSeconds: 30
volumes:
- hostPath:
path: /var/run/docker.sock
type: ""
name: docker
- hostPath:
path: /
type: ""
name: hostfs
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate You should be able to see 1 pod per node in your cluster running, allow a few minutes and check the Nodes page to check everything is working fine.
Copyright Phonito 2019