Scenario
You are required to convert the existing Pod manifest into an immutable container by enforcing Kubernetes security best practices while ensuring that nginx continues to operate correctly.
A Pod manifest is located at:
/home/laborant/immutable/api-server.yaml
Configure the container to use a read-only root filesystem and disable privilege escalation.
Add emptyDir volumes and mount them at /var/cache/nginx and /var/run. Without these, nginx cannot write its runtime files and the Pod will fail to start.
Update and apply the manifest, then attempt to create a file inside the container and store the resulting read-only filesystem error in:
/home/laborant/immutable/error.log
Do not modify the container image. Update the manifest with the required security context and volumes, then apply it.
Hint
Use emptyDir: {} volumes and mount them to /var/cache/nginx and /var/run. Use kubectl exec to try creating a file outside the writable mounts, then redirect stderr to the error log file using 2>. See the official docs: Configure a Security Context