@Mumshad Mannambeth Need help with 2 questions 1. When we have an existing pod a . . .

Jia:
@Mumshad Mannambeth Need help with 2 questions

  1. When we have an existing pod and we want to modify it, we do kubectl get pod <podname> -o yaml > some.yaml
    This some.yaml has too much extra data. Also, suppose we tend to just change the serviceAccountName, but we also have the volumeMount we get by default due to the default service account token and forgot to remove it… What's the best way to modify the existing pod, and how to extract just the relevant data?
  2. In mock1, question 4, it says run the pod on node01 and I had given nodeName in metadata, but the answer doesn't have it… How does the seccomp profile detect on which localhost to run the seccomp if nodeName is not given?
    answer given under /var/answers is
controlplane $ cat /var/answers/answer4.md
#Copy the audit.json seccomp profile to /var/lib/kubelet/seccomp/profiles in node01:
$ mv /root/audit.json /var/lib/kubelet/seccomp/profiles


# Recreate the pod using the below YAML File
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: audit-nginx
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json
  containers:
  - image: nginx
    name: nginx
controlplane $ 

Mohamed Ayman:

  1. These are additional fields in the new version of Kubernetes.
    You can only exclude some of these fields, using the grep command to reduce the file:

kubectl get pod nginx -o yaml | grep -v "f:" > pod.yaml

Mohamed Ayman:
2. You have to ssh into node01 before copying

Mohamed Ayman:
$ ssh node01
$ cp /root/CKS/audit.json /var/lib/kubelet/seccomp/profiles

Jia:
@Mohamed Ayman So in 2. we don't need to put nodeName in spec… If you are copying to a node directly, or the node has the seccomp profile in it, it automatically detects it?
What about if the cluster has 2 workers and both have profiles in them with the same name but different rules? How will it detect which worker node to use the seccomp profile from if you don't put nodeName or nodeSelector in it?