-
Notifications
You must be signed in to change notification settings - Fork 0
/
hello_server_pod.yaml
49 lines (48 loc) · 1.43 KB
/
hello_server_pod.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# The hello-server pod has two containers:
# An HTTP server that displays "Hello, world"
# A file integrity monitoring sidecar
apiVersion: v1
kind: Pod
metadata:
name: hello-server
labels:
app.kubernetes.io/name: hello
annotations:
# This annotation isn't actually used. It
# would be nice if we had a dynamic admission
# controller to generate the FIM container to
# monitor the files specified via annotations.
"hammingweight.com/monitored_files": "/home/hellouser/index.html"
spec:
shareProcessNamespace: true
containers:
# The "Hello, world" application container
- image: docker.io/hammingweight/hello_server:1.0.2
name: hello-server
ports:
- containerPort: 8000
name: http
protocol: TCP
# The sidecar container
- image: docker.io/hammingweight/fim:1.0.1
name: fim
# We need to run as privileged to access
# the files in the hello-server container
securityContext:
capabilities:
drop:
- ALL
add:
- DAC_READ_SEARCH
- KILL
- SYS_PTRACE
livenessProbe:
# We check that the application server
# hasn't been compromised by checking that
# the hash of index.html is 746308...
exec:
command:
- /bin/ash
- /healthz
- /home/hellouser/index.html
- 746308829575e17c3331bbcb00c0898b