The difference between mutable and immutable comes down to whether content can be overwritten or updated. Taking a Pod as an example, changing the image version or the command of a Pod requires deleting the Pod and starting it again.
Beyond the Pod itself, this section is mainly concerned with reads and writes to the filesystem.
The following configuration can be used as a reference:
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true  # root filesystem is read-only; nothing can be written to it
      privileged: false             # privileged mode disabled; no privilege escalation
    volumeMounts:
    - name: cache-volume            # paths that still need writes are mounted explicitly this way
      mountPath: /var/cache/nginx
    - name: runtime-volume
      mountPath: /var/run
  volumes:
  - name: cache-volume
    emptyDir: {}
  - name: runtime-volume
    emptyDir: {}
```
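To check that Pods actually carry the settings shown above, the following audit script walks a Pod object in the shape returned by `kubectl get pod -o json` and reports every container whose root filesystem is writable, that runs privileged, or that has a writable mount not backed by an ephemeral `emptyDir`. This is an added example, not code from the original page or from KodeKloud; the sample Pods are constructed inline, and `audit_pod` and the wording of the findings are hypothetical names chosen for this example.

```python
"""Audit Pod manifests for the runtime-immutability settings discussed above.

Added example (not from the original page or from KodeKloud). Input is a
dict with the structure of `kubectl get pod <name> -o json`; the sample
Pods below are constructed for this example.
"""
import json


def audit_pod(pod: dict) -> list:
    """Return one finding string per setting that weakens immutability."""
    findings = []
    spec = pod.get("spec", {})

    # Map volume name -> volume type (emptyDir, hostPath, configMap, ...) so a
    # writable mount can be attributed to where the writes actually land.
    volume_types = {}
    for vol in spec.get("volumes", []):
        type_keys = [k for k in vol if k != "name"]
        volume_types[vol["name"]] = type_keys[0] if type_keys else "unknown"

    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}

        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true (root filesystem is writable)")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged is true (container can modify the host)")

        for mount in container.get("volumeMounts", []):
            if mount.get("readOnly"):
                continue
            vtype = volume_types.get(mount["name"], "unknown")
            # Writable scratch space on emptyDir is expected; anything else
            # (hostPath, persistent volumes) is reported for review.
            if vtype != "emptyDir":
                findings.append(f"{name}: writable mount {mount['mountPath']} backed by {vtype} volume")
    return findings


def load_pod(manifest_json: str) -> dict:
    """Parse the JSON text produced by `kubectl get pod -o json`."""
    return json.loads(manifest_json)


# Constructed sample: the hardened nginx Pod from the manifest above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {
        "containers": [{
            "name": "nginx", "image": "nginx",
            "securityContext": {"readOnlyRootFilesystem": True, "privileged": False},
            "volumeMounts": [
                {"name": "cache-volume", "mountPath": "/var/cache/nginx"},
                {"name": "runtime-volume", "mountPath": "/var/run"},
            ],
        }],
        "volumes": [
            {"name": "cache-volume", "emptyDir": {}},
            {"name": "runtime-volume", "emptyDir": {}},
        ],
    },
}

# Constructed sample: no read-only root, privileged, and a writable hostPath mount.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "containers": [{
            "name": "debug", "image": "busybox",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host-logs", "mountPath": "/host/log"}],
        }],
        "volumes": [{"name": "host-logs", "hostPath": {"path": "/var/log"}}],
    },
}


if __name__ == "__main__":
    for pod in (HARDENED_POD, WEAK_POD):
        result = audit_pod(pod)
        print(pod["metadata"]["name"], "->", result or "OK")
```

The hardened Pod produces no findings, while the weak Pod is flagged three times (writable root filesystem, privileged, and a writable hostPath mount). In practice the same function can be fed each item of `kubectl get pods -A -o json` via `load_pod`.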