bureaucraten, interfacemoderatoren, Beheerders (Semantic MediaWiki), Curatoren (Semantic MediaWiki), Redacteuren (Semantic MediaWiki), toezichthouders, beheerders
205
bewerkingen
Projects:Kubernetes: verschil tussen versies
Naar navigatie springen
Naar zoeken springen
→To do
(→To do) |
|||
| Regel 616: | Regel 616: | ||
* Security Contexts | * Security Contexts | ||
** Refuse pods with host networking | ** Refuse pods with host networking | ||
** Refuse | ** Refuse PVs with hostpath mounts | ||
** Allow K8s API communication from a pod, but only to receive information about itself | ** Allow K8s API communication from a pod, but only to receive information about itself | ||
** Basically: Make it impossible to root a node even with "broad" privileges on the Kubernetes API server | ** Basically: Make it impossible to root a node even with "broad" privileges on the Kubernetes API server | ||
* Limiting pods in memory, CPU, I/O | * Limiting pods in memory, CPU, I/O | ||
* Limiting pods in network communication | * Limiting pods in network communication | ||