Kubernetes Security Contexts
Container Security
When we run a docker container, we have the option to define a set of security standards such as Id of the user to run the container, the linux capabilities that can be added or removed from the container etc,. These can be configured in kubernetes as well.
In kubernetes containers are encapsulated in PODs. We may choose to configure the security settings at a container level or at a POD level. If we configure it at POD level, the settings will carry over to all the containers within the POD. If we configure it at both container and POD, the settings on the container will overwrite the settings on the POD.
To set the security at POD level.
pod-definition file
apiVersion: v1
kind: Pod
metadata:
name: web-pod
spec:
securityContext:
# Setting the user
runAsUser: 1000
conatiners:
- name: ubuntu
image: ubuntu
command: ["sleep", "3600"]
To set the security at container level, move the securityContext
section under the container specification as below.
apiVersion: v1
kind: Pod
metadata:
name: web-pod
spec:
conatiners:
- name: ubuntu
image: ubuntu
command: ["sleep", "3600"]
securityContext:
# Setting the user
runAsUser: 1000
capabilities:
add: ["MAC_ADMIN"]
To add the capabilities use the capabilities option and specify a list of capabilities to add to the POD.
"Capabilities are only supported at the container level and not at the POD level."