Just deploy it by typing kubectl apply -f ./deploy.yaml in directory k8s.
Static analysis of Deployment
Please note that the container is running as root by default and kubernetes also does not prohibit this by default!
Now you can prove that this container does run with root by using a tool like kubeaudit.
kubeaudit nonroot -n default
This should result in an output similar to this:
INFO[0000] Not running inside cluster, using local config
ERRO[0000] RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed! Container=hello-root...
ERRO[0000] RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed! Container=hello-root...
An alternative tool for this is popeye, just run it against your current cluster:
popeye
It is also possible to check directly your deployment yaml file:
kube-score score ./deploy.yaml
This will show an output similar to this one:
[CRITICAL] Container Security Context
· hello-root -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
· hello-root -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
· hello-root -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory
You may also check that the user of the running container is not root using (check your pod name before):
kubectl get pods
...
kubectl exec hello-root-59f59fb9b8-878rk -it -- whoami
Note: If you have deployed the JIB container image then the base image is a distroless image meaning that no shell and no whoami command is inside the container. Therefore you cannot use the command above.
