Kubernetes 101: Pod security context objects - PodSecurityContext
For that purpose we could use a Kubernetes object called the "PodSecurityPolicy".
Once a PodSecurityPolicy is created (and the matching admission controller is enabled), every newly created pod is validated against it.
Pod policies:
Inside the PodSecurityPolicy configuration (YAML) file, we could use the parameters below:
- allowedCapabilities: dictates which capabilities may be added to a container in the containers section of the pod YAML file, as we can see below.
- defaultAddCapabilities: lists the capabilities added by default to every created container.
- requiredDropCapabilities: the capabilities listed in this parameter are removed from every deployed container.
List of capabilities:
We can get an idea of the available capabilities by looking at the Linux "capabilities" documentation (capabilities(7)).
Here are some examples of these capabilities:
- SETUID: allows processes in the pod to change their UIDs.
- SETGID: allows processes in the pod to change their GIDs.
- NET_ADMIN: allows processes in the pod to manipulate network interfaces.
- SYS_ADMIN: allows processes in the pod to perform a wide range of administrative tasks on the system.
Below is a Yaml file describing the capabilities at the pod level:
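The following manifest is an added example, not the one from the original post. It shows a PodSecurityPolicy that uses the three capability parameters described above, followed by a pod whose containers section stays within that policy. The object names (restricted-caps, web), the image reference and the chosen capability lists are assumptions made for the example; note that capability names in these fields are written without the CAP_ prefix, and that a PodSecurityPolicy only takes effect when the PodSecurityPolicy admission controller is enabled and the pod's service account is granted the `use` verb on the policy through RBAC.

```yaml
# Added example: a PodSecurityPolicy restricting Linux capabilities.
# Names and lists are constructed for illustration.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-caps        # assumed policy name
spec:
  privileged: false            # privileged containers bypass capability limits
  # Only this capability may be added in a container's securityContext.
  allowedCapabilities:
    - NET_BIND_SERVICE
  # Nothing is added by default; containers start with the runtime defaults
  # minus the required drops below.
  defaultAddCapabilities: []
  # These are removed from every container admitted under this policy,
  # even if the pod spec tries to add them.
  requiredDropCapabilities:
    - SYS_ADMIN
    - NET_ADMIN
    - SETUID
    - SETGID
  # The remaining rules are mandatory fields in a PodSecurityPolicy.
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
---
# A pod that complies with the policy above: it drops everything and adds
# back only the single capability the policy allows.
apiVersion: v1
kind: Pod
metadata:
  name: web                    # assumed pod name
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: web
      image: example.invalid/web:1.0   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["NET_BIND_SERVICE"]
```

A quick check is to submit the pod with `kubectl apply --dry-run=server -f pod.yaml`: the admission controller validates it without creating anything, and a variant that adds NET_ADMIN to the container is rejected because NET_ADMIN is neither in allowedCapabilities nor absent from requiredDropCapabilities. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the same capability restrictions are enforced with Pod Security Admission by labelling the namespace `pod-security.kubernetes.io/enforce: restricted`, under which the drop-ALL / add-only-NET_BIND_SERVICE shape of the pod above is exactly what is permitted.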