Kubernetes 101: Securing your pods - Security Contexts



Kubernetes provides a mechanism that lets us limit what the programs running inside containers can do.

A security context sets the privileges and access-control settings of containerized applications.
It can be applied to a whole pod or to an individual container.

Some of the security mechanisms a security context controls include:

  • Discretionary access control (DAC): access to objects such as files is granted according to the UID (user ID) and GID (group ID) of the process, so the user and group a container runs as decide which files it can read or write.
  • Linux capabilities: root's privileges are split into individual capabilities that can be granted or dropped per container; for example, CAP_CHOWN lets a process change the owner UID/GID of a file.

In the pod's YAML manifest, the securityContext field can be set at the pod level (under spec, where it applies to every container in the pod) or on a specific container (under its entry in spec.containers, where it overrides the pod-level setting for that container).

Example:

  • All containers in the pod run as user 1001, set with the runAsUser parameter at the pod level.
  • To stop a process from gaining more privileges than its parent (for example through setuid binaries or file capabilities), we also set the allowPrivilegeEscalation parameter to false. This field exists only at the container level, so it has to be set on each container.


We can now create the pod from this manifest with kubectl.


Then we check that the containers really run under the identifier given in runAsUser by running the "id" command inside each of the two containers, "web" and "linux":
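The whole procedure (manifest, creation, verification with "id") as an added example. This is my own script, not the post's manifest or commands; the pod name secctx-demo, the busybox image, port 8080 and the UID/GID 1001 are assumptions chosen for illustration. It goes slightly beyond the post's example by also setting runAsGroup and runAsNonRoot and dropping all capabilities, which is where a practitioner would normally start.

```shell
#!/bin/sh
# Added example (not the original post's manifest or commands): a two-container
# pod with the settings described above, plus helpers that apply it and verify
# with `id` that both containers run as the expected UID/GID.
# Assumptions: the pod name, image, port and UID/GID below are illustrative.

POD=secctx-demo
WANT_UID=1001
WANT_GID=1001

# Emit the pod manifest. runAsUser/runAsGroup sit at pod level
# (spec.securityContext) and apply to every container; allowPrivilegeEscalation
# and capabilities are container-only fields, so they are repeated per container.
manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $POD
spec:
  securityContext:
    runAsUser: $WANT_UID
    runAsGroup: $WANT_GID   # set the GID too; otherwise the process keeps gid 0
    runAsNonRoot: true      # kubelet refuses to start a container that would run as UID 0
  containers:
  - name: web
    image: busybox:1.36
    command: ["httpd", "-f", "-p", "8080", "-h", "/tmp"]   # unprivileged port, no NET_BIND_SERVICE needed
    securityContext:
      allowPrivilegeEscalation: false   # no_new_privs: setuid binaries and file capabilities cannot raise privileges
      capabilities:
        drop: ["ALL"]                   # beyond the post's example: start from zero capabilities
  - name: linux
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# Check one line of `id` output (e.g. "uid=1001 gid=1001 groups=1001" or
# "uid=0(root) gid=0(root) groups=0(root)") against the expected UID and GID.
# Returns 0 when both match, 1 otherwise.
id_matches() {
  line=$1; want_uid=$2; want_gid=$3
  got_uid=$(printf '%s\n' "$line" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
  got_gid=$(printf '%s\n' "$line" | sed -n 's/^uid=[^ ]* gid=\([0-9][0-9]*\).*/\1/p')
  [ "$got_uid" = "$want_uid" ] && [ "$got_gid" = "$want_gid" ]
}

# Run `id` in every container of the pod and fail if any container does not
# run as the expected identity.
verify_pod() {
  rc=0
  for c in web linux; do
    out=$(kubectl exec "$POD" -c "$c" -- id)
    if id_matches "$out" "$WANT_UID" "$WANT_GID"; then
      echo "ok   $c: $out"
    else
      echo "FAIL $c: $out" >&2
      rc=1
    fi
  done
  return $rc
}

# Apply, wait for readiness, verify, clean up. Only runs when invoked as
# "sh secctx.sh apply", so the functions above can also be sourced on their own.
if [ "${1:-}" = "apply" ]; then
  manifest | kubectl apply -f -
  kubectl wait --for=condition=Ready "pod/$POD" --timeout=60s
  verify_pod
  kubectl delete pod "$POD" --wait=false
fi
```

Run it as `sh secctx.sh apply` against a cluster; it exits non-zero if either container reports a uid or gid other than 1001. Checking the gid matters: with runAsUser alone the process keeps gid 0, so anything group-writable by root stays writable.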
