Kubernetes 101: Containers Security - Setuid programs -
When a program has the setuid flag set, it allows a "regular" user to temporarily - only for the duration of the setuid application - to run the application with the privileges of the owner of the file.
For example, the "passwd" program allows "regular" users to run the "passwd" program as "root" to be able to change their password.
To keep that from happening inside containers, we use the "allowPrivilegeEscalation" variable as below:
Security at the cluster level:
The above rule is set at the container level. We could also set it at the cluster level, using a kubernetes object called "PodSecurityPolicy"
as we can see below:
privileged: tells kubernetes whether or not a container can run in a "privileged mode".
readOnlyRootFilesystem: tells kubernetes whether a container can run with a "read-only root filesystem" or not.
runAsUser: in our example above the container can run as any user.
Comments