Kubernetes Security Contexts

Container Security

When we run a Docker container, we have the option to define a set of security settings, such as the ID of the user the container process runs as and the Linux capabilities to add to or drop from the container. The same settings can be configured in Kubernetes.

In Kubernetes, containers are encapsulated in Pods. We may configure the security settings at the container level or at the Pod level. Settings configured at the Pod level carry over to all containers in the Pod. If the same setting is configured at both levels, the container's value overrides the Pod's value for that container, field by field.

To set the security context at the Pod level:

pod-definition file

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  securityContext:
    # Setting the user; applies to every container in the Pod
    runAsUser: 1000
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]

To set the security context at the container level, move the securityContext section under the container specification, as below.

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]
      securityContext:
        # Setting the user; applies to this container only
        runAsUser: 1000
        # Adding a Linux capability to this container
        capabilities:
          add: ["MAC_ADMIN"]

To add capabilities, use the capabilities option under the container's securityContext and list the capabilities to add; a drop list under the same option removes capabilities in the same way. Every added capability widens what a compromised process in that container can do, so add only what the workload actually needs.

"Capabilities are only supported at the container level and not at the Pod level."
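The precedence rule above (Pod-level settings inherited unless the container overrides them) and the container-only nature of capabilities, as an added example that is not code from this page or from Kubernetes: a small Python checker that computes each container's effective securityContext from a parsed Pod manifest and flags the settings a reviewer would question. The sample manifests are constructed here as Python dicts (what yaml.safe_load would return for the equivalent YAML), and the list of fields shared between the Pod and container levels is taken from the Kubernetes API reference.

```python
"""Resolve the effective securityContext of each container in a Pod.

Added example for this page, not code from Kubernetes itself. It encodes the
precedence rule: a field set in spec.securityContext applies to every
container unless that container's own securityContext sets the same field,
in which case the container's value wins, field by field. Only fields that
exist on both PodSecurityContext and the container SecurityContext can be
inherited; capabilities (and privileged, allowPrivilegeEscalation,
readOnlyRootFilesystem) exist only on the container, while fsGroup,
supplementalGroups and sysctls exist only on the Pod.
"""

# Fields defined on both PodSecurityContext and the container SecurityContext
# in the Kubernetes API reference; these are the only ones a container inherits.
SHARED_FIELDS = {
    "runAsUser", "runAsGroup", "runAsNonRoot",
    "seLinuxOptions", "seccompProfile", "windowsOptions",
}


def effective_security_context(pod):
    """Return {container name: effective securityContext} for a parsed Pod manifest."""
    pod_ctx = pod.get("spec", {}).get("securityContext") or {}
    effective = {}
    for container in pod["spec"].get("containers", []):
        ctx = {k: v for k, v in pod_ctx.items() if k in SHARED_FIELDS}
        ctx.update(container.get("securityContext") or {})  # container wins
        effective[container["name"]] = ctx
    return effective


def security_findings(pod):
    """Flag settings a reviewer would question, as (container, finding) pairs."""
    findings = []
    for name, ctx in effective_security_context(pod).items():
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            findings.append((name, "may run as root: runAsUser unset or 0 and runAsNonRoot not true"))
        if ctx.get("privileged"):
            findings.append((name, "privileged: true"))
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        caps = ctx.get("capabilities") or {}
        if caps.get("add"):
            findings.append((name, "adds capabilities: " + ", ".join(caps["add"])))
        if "ALL" not in (caps.get("drop") or []):
            findings.append((name, "does not drop ALL capabilities"))
    return findings


# Constructed sample: the page's Pod-level example extended with a second
# container that overrides runAsUser and adds a capability. fsGroup is a
# Pod-only field and must not show up in any container's effective context.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-pod"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [
            {"name": "ubuntu", "image": "ubuntu", "command": ["sleep", "3600"]},
            {
                "name": "sidecar",
                "image": "ubuntu",
                "command": ["sleep", "3600"],
                "securityContext": {
                    "runAsUser": 2000,
                    "capabilities": {"add": ["MAC_ADMIN"]},
                },
            },
        ],
    },
}

# Constructed hardened variant: same Pod, container-level settings tightened
# so that the checker reports nothing.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-pod"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True},
        "containers": [
            {
                "name": "ubuntu",
                "image": "ubuntu",
                "command": ["sleep", "3600"],
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            },
        ],
    },
}


if __name__ == "__main__":
    for name, ctx in effective_security_context(SAMPLE_POD).items():
        print(name, ctx)
    for name, finding in security_findings(SAMPLE_POD):
        print(f"{name}: {finding}")
    print("hardened findings:", security_findings(HARDENED_POD))
```

Running it shows the ubuntu container inheriting runAsUser 1000 and runAsGroup 3000 from the Pod, the sidecar keeping the inherited runAsGroup while its own runAsUser 2000 and added MAC_ADMIN capability win, and fsGroup appearing in neither. The hardened manifest produces no findings because it drops ALL capabilities, forbids privilege escalation and enforces a non-root user at the Pod level.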