The K8s docs have an example of a restricted PodSecurityPolicy:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example-policies
It restricts 'supplementalGroups' and 'fsGroup' but not 'runAsGroup':
supplementalGroups:
  rule: 'MustRunAs'
  ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
fsGroup:
  rule: 'MustRunAs'
  ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
So it allows a container to specify the root group with id 0 in its securityContext. Isn't that a problem? Shouldn't the following
runAsGroup:
  rule: 'MustRunAs'
  ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
be added to the restricted PodSecurityPolicy?
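To make the gap concrete, here is an added example (written for this page; it is not Kubernetes' admission code and not part of the question) that models the MustRunAs range check for the three group-related PSP fields. It runs a constructed pod that keeps fsGroup and supplementalGroups non-root but asks for runAsGroup 0 through the policy as quoted, and then through the same policy with the proposed runAsGroup block. The pod name, image and the helper names are assumptions. Note that PodSecurityPolicy was removed in Kubernetes v1.25, so this is useful mainly for understanding what the old restricted example did and did not cover.

```python
"""Minimal model of PodSecurityPolicy MustRunAs range validation for GIDs.

Added example, not Kubernetes' own code.  Only the range checks are
modelled; the real admission controller also fills in defaults from the
first range when a pod omits a field, which is irrelevant here because the
question is about a pod that explicitly requests GID 0.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IDRange:
    """One entry of a PSP 'ranges' list (inclusive bounds)."""
    min: int
    max: int

    def contains(self, gid: int) -> bool:
        return self.min <= gid <= self.max


@dataclass
class MustRunAs:
    """The MustRunAs rule: the GID must fall inside at least one range."""
    ranges: List[IDRange]

    def allows(self, gid: int) -> bool:
        return any(r.contains(gid) for r in self.ranges)


# A policy maps a group-related PSP field to its MustRunAs rule.  A field
# that is absent from the policy is unconstrained (RunAsAny behaviour).
Policy = Dict[str, MustRunAs]

NON_ROOT_GROUPS = [IDRange(1, 65535)]  # "Forbid adding the root group."

# The docs' restricted policy as quoted in the question: two fields only.
DOCS_RESTRICTED: Policy = {
    "supplementalGroups": MustRunAs(NON_ROOT_GROUPS),
    "fsGroup": MustRunAs(NON_ROOT_GROUPS),
}

# The same policy plus the runAsGroup block the question proposes.
PROPOSED_RESTRICTED: Policy = {
    **DOCS_RESTRICTED,
    "runAsGroup": MustRunAs(NON_ROOT_GROUPS),
}


def validate_groups(policy: Policy, pod: dict) -> List[str]:
    """Return the group-rule violations for a pod; [] means admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    rule = policy.get("supplementalGroups")
    if rule is not None:
        for gid in pod_sc.get("supplementalGroups", []):
            if not rule.allows(gid):
                violations.append(f"supplementalGroups: gid {gid} not in allowed ranges")

    rule = policy.get("fsGroup")
    if rule is not None and "fsGroup" in pod_sc and not rule.allows(pod_sc["fsGroup"]):
        violations.append(f"fsGroup: gid {pod_sc['fsGroup']} not in allowed ranges")

    # runAsGroup may be set at pod level and overridden per container, so
    # the effective value of each container is what gets checked.
    rule = policy.get("runAsGroup")
    if rule is not None:
        for container in spec.get("containers", []):
            c_sc = container.get("securityContext") or {}
            gid = c_sc.get("runAsGroup", pod_sc.get("runAsGroup"))
            if gid is not None and not rule.allows(gid):
                violations.append(
                    f"container {container['name']}: runAsGroup {gid} not in allowed ranges"
                )
    return violations


# Constructed sample pod (hypothetical name and image): it satisfies the
# quoted fsGroup/supplementalGroups rules while asking for GID 0 as the
# container's primary group.
ROOT_PRIMARY_GROUP_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "gid-zero-demo"},
    "spec": {
        "securityContext": {"fsGroup": 1000, "supplementalGroups": [1000]},
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:latest",
            "securityContext": {"runAsUser": 1000, "runAsGroup": 0},
        }],
    },
}


def admitted_by_docs_policy() -> bool:
    return validate_groups(DOCS_RESTRICTED, ROOT_PRIMARY_GROUP_POD) == []


def admitted_by_proposed_policy() -> bool:
    return validate_groups(PROPOSED_RESTRICTED, ROOT_PRIMARY_GROUP_POD) == []


if __name__ == "__main__":
    print("docs policy admits GID-0 pod:    ", admitted_by_docs_policy())      # True
    print("proposed policy admits GID-0 pod:", admitted_by_proposed_policy())  # False
    for v in validate_groups(PROPOSED_RESTRICTED, ROOT_PRIMARY_GROUP_POD):
        print(" -", v)
```

Running it shows the quoted policy admitting the pod and the proposed policy rejecting it with a single runAsGroup violation, which is exactly the difference the question points at: supplementalGroups and fsGroup ranges never look at the container's primary GID.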