# Question 7: Analyze Dockerfile

###### tags: `Real exam question walkthrough`

Switch cluster: `kubectl config use-context k8s`

**Task**

Analyze and edit the given Dockerfile (based on the ubuntu:16.04 image) /cks/7/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.

Analyze and edit the given manifest file /cks/7/deployment.yaml fixing two fields present in the file being prominent security/best-practice issues.

## Solution

The question tells you to fix at most two errors: you may only modify or delete lines, never add any.

Part one: a simulation of the question's Dockerfile, with a lot of irrelevant content mixed in.

```dockerfile
FROM ubuntu:latest
LABEL maintainer="Rock Zang"
USER root
RUN apt-get update -y \
    && apt-get install -y nocache net-tools \
    iputils-ping \
    curl \
    netcat \
    iperf \
    iperf3 \
    wget
RUN useradd -u 1001 -r rock
USER rock
ENTRYPOINT ["tail", "-f", "/dev/null"]
```

The question states explicitly that if a least-privilege user is required, the username must be nobody and its group 65535. Edit the Dockerfile accordingly:

```dockerfile
FROM ubuntu:latest
LABEL maintainer="Rock Zang"
USER root
RUN apt-get update -y \
    && apt-get install -y nocache net-tools \
    iputils-ping \
    curl \
    netcat \
    iperf \
    iperf3 \
    wget
# changed: create the least-privilege user the question asks for
RUN useradd -u 65535 -r nobody
# changed: run the container as nobody instead of rock
USER nobody
ENTRYPOINT ["tail", "-f", "/dev/null"]
```

Part two: inspect the specified YAML, which is very likely a Deployment. Focus on the securityContext section: if `readOnlyRootFilesystem: false` or `privileged: true` is present, delete it. Also watch for passwords stored in environment variables.
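Added illustration, not the exam's actual /cks/7/deployment.yaml: a constructed Deployment carrying the three problems part two describes, followed by a corrected copy. The names, image and Secret are placeholders; the corrected copy sets readOnlyRootFilesystem to true explicitly, which is stricter than only deleting the false entry, and reads the password from a Secret instead of a plain env value.

```yaml
# Constructed example (not the exam manifest): "before" with the issues marked,
# then "after" with them fixed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-before            # placeholder name
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: app
        image: ubuntu:16.04
        env:
        - name: DB_PASSWORD               # issue: secret kept in a plain env var
          value: "placeholder-password"
        securityContext:
          privileged: true                # issue: delete (the default is false)
          readOnlyRootFilesystem: false   # issue: delete, or better set to true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-after
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: app
        image: ubuntu:16.04
        env:
        - name: DB_PASSWORD
          valueFrom:                      # password now comes from a Secret
            secretKeyRef:
              name: db-credentials        # placeholder Secret name
              key: password
        securityContext:                  # privileged line removed entirely
          readOnlyRootFilesystem: true    # explicit true: root fs is read-only
```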