Closed mktkhr closed 2 months ago
mktkhr
commented
2 months ago PSAはnamespaceに対して適用する 既存のnamespaceは手動で作成していたので,明示的にmanifestで定義した方がいい
apiVersion: v1
kind: Namespace
metadata:
name: hogehoge-ns
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/warn: restricted
pod-security.kubernetes.io/audit: restricted
一応既存にも適用できる
kubectl label --overwrite namespace hogehoge-ns pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted
mktkhr
commented
2 months ago 特権ユーザーでないため純正のimageだとwell-knownポート(80)から分離させる必要がありそう
ログファイルに書き込む権限がないのでdockerfile側で変更する必要がある
06:14:01,603 |-INFO in ch.qos.logback.core.rolling.RollingFileAppender[FILE] - Active log file name: ./logs/application.log
06:14:01,603 |-INFO in ch.qos.logback.core.rolling.RollingFileAppender[FILE] - File property is set to [./logs/application.log]
06:14:01,607 |-ERROR in ch.qos.logback.core.rolling.RollingFileAppender[FILE] - Failed to create parent directories for [/./logs/application.log]
06:14:01,618 |-ERROR in ch.qos.logback.core.rolling.RollingFileAppender[FILE] - openFile(./logs/application.log,true) call failed. java.io.FileNotFoundException: ./logs/application.log (No such file or directory)
at java.io.FileNotFoundException: ./logs/application.log (No such file or directory)
at at java.base/java.io.FileOutputStream.open0(Native Method)
目的
期待結果