Let's secure your containers

Kubernetes

1. Copy the YAML below and save it into a file like phonito-deployment.yml
2. Deploy it into your cluster bu running kubectl apply -f phonito-deployment.yml

apiVersion: v1
kind: Namespace
metadata:
  name: phonito

---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    app: phonito-scanner
  name: phonito-scanner
  namespace: phonito
spec:

  selector:
    matchLabels:
      app: phonito-scanner
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: phonito-scanner
      name: phonito-scanner
    spec:
      automountServiceAccountToken: false
      containers:
      - env:
        - name: PHONITO_API_TOKEN
          value: GET YOUR API TOKEN HERE https://phonito.io/setup
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        image: phonito/scanner
        imagePullPolicy: Always
        name: phonito-scanner
        resources:
          limits:
            cpu: 300m
            memory: 300Mi
          requests:
            cpu: 300m
            memory: 300Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - SYS_ADMIN
            - SYS_PTRACE
          privileged: false
          readOnlyRootFilesystem: false
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker
        - mountPath: /hostfs
          name: hostfs
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      shareProcessNamespace: false
      terminationGracePeriodSeconds: 30
      volumes:
      - hostPath:
          path: /var/run/docker.sock
          type: ""
        name: docker
      - hostPath:
          path: /
          type: ""
        name: hostfs
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate

You should be able to see 1 pod per node in your cluster running, allow a few minutes and check the Nodes page to check everything is working fine.

Get Started For Free

Copyright Phonito 2019