Kubernetes: Security Contexts
Kubernetes security contexts define runtime security settings for pods or containers. If no security context is specified, Kubernetes applies a default one, which may not meet requirements. You can add
securityContextfield in the pod manifest file to set up security contexts at the pod or container level. Pod-level settings inherited by all containers and container-level settings only applying to that container. Container-level settings always override pod-level settings. Thecapabilitiesfield adds specific capabilities to a container’s security context at the container level, not possible at the pod level.
Security Contexts
Security context in Kubernetes defines security settings for pods or containers at runtime. It includes settings such as Linux capabilities, SELinux, AppArmor profiles, user and group IDs, and more.
If you do not specify a security context for your pod or container, Kubernetes will apply a default security context. However, this default security context may not be sufficient to meet your security requirements, as it grants full access to the host system and resources. Therefore, it is important to define security contexts for your pods and containers to ensure that they meet your security needs.
You can define the securityContext field in the Pod manifest file to set up a security context for your pod or container.
Specify Security Context at the Pod Level
When specifying securityContext at the pod level, the settings are inherited by all the containers within that pod.
pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
securityContext:
runAsUser: 1000
fsGroup: 2000
containers:
- name: container1
image: nginx
- name: container2
image: busyboxIn this example, the securityContext field has been defined at the Pod level with the runAsUser and fsGroup properties set to 1000 and 2000 respectively. Therefore, both containers will run as the user with UID 1000 and have access to the group with GID 2000.
Specify Security Context at the Container Level
securityContext specified at the container level only apply to the individual container, not to other containers in the pod.
pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: container1
image: nginx
securityContext:
runAsUser: 1000
- name: container2
image: busybox
securityContext:
runAsUser: 2000In this example, each container in the pod has its own security context specified with the securityContext field. The runAsUser field is specified with a different value for each container. container1 runs with user ID 1000, while container2 runs with user ID 2000, and there is no inheritance or sharing of the security context between the two containers.
Specify Security Context at the Pod and Container Level
securityContext sets at the container level always override those set at the pod level.
pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
securityContext:
runAsUser: 1000
containers:
- name: my-container
image: my-image
securityContext:
runAsUser: 2000In this example, the pod-level securityContext sets the runAsUser value to 1000, while the container-level securityContext sets the runAsUser value to 2000, which overrides the pod-level security context. This means that the container will run with the user ID of 2000, regardless of the pod-level setting.
Add Capabilities to Containers
Set capabilities for a container. capabilities can NOT be specified at the pod level.
pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: my-container
image: my-image
securityContext:
capabilities:
add: ["NET_ADMIN"]In this example, the NET_ADMIN capability is added to the securityContext of the my-container container.
These are my personal notes for CKA exam preparation on Kubernetes. Please feel free to correct me if you notice any errors. 😊
Reference:
