At the cluster level, we can decide which operations a container is allowed to perform. For that purpose we can use a Kubernetes object called the "PodSecurityPolicy".

When we create a PodSecurityPolicy, each newly created pod will be subject to it.

Pod policies:

Inside the PodSecurityPolicy configuration (YAML) file, we can use the parameters below:

- allowedCapabilities: dictates which capabilities a container may request in the container section of the pod YAML file (under securityContext.capabilities.add), as we can see below.

- defaultAddCapabilities: determines the capabilities added by default to every created container, even when the container does not request them.

- requiredDropCapabilities: the capabilities listed in this parameter are removed from every deployed container; a pod that does not drop them is rejected.

List of capabilities:

We can get an idea about the capabilities by looking at the Linux "capabilities" documentation.

Here are some examples of these capabilities:
  • SETUID: allows the pods to change process UIDs.
  • SETGID: allows pods to change process GIDs.
  • NET_ADMIN: allows pods to manipulate network interfaces.
  • SYS_ADMIN: allows pods to perform a wide range of administrative tasks on the system.

Below is a YAML file describing the capabilities at the pod level:


And here is a YAML file describing an example of the capabilities at the container level:
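The three parameters above only make sense together once you see how the admission controller combines them with what a pod requests. The following is an added example, not the post's own YAML and not Kubernetes code: a small Python model of the PodSecurityPolicy capability handling (defaulting first, then validation), with the policy and the containers constructed inline as plain dicts that mirror the YAML fields named in the comments. It is a simplification of the upstream logic, and note that PodSecurityPolicy itself was deprecated in Kubernetes 1.21 and removed in 1.25 (Pod Security Admission replaces it), so treat the model as an explanation of the semantics rather than a drop-in tool.

```python
"""Model of how a PodSecurityPolicy constrains Linux capabilities.

Added example (not from the original post, not Kubernetes source): a simplified
re-implementation of the two steps the PSP admission plugin performs on each
container, mutate (apply defaults) and then validate (admit or reject).
"""
from __future__ import annotations

import copy

# Constructed PodSecurityPolicy, mirroring the three spec fields from the post:
#   spec.allowedCapabilities, spec.defaultAddCapabilities, spec.requiredDropCapabilities
POLICY = {
    "allowedCapabilities": ["NET_BIND_SERVICE", "CHOWN"],
    "defaultAddCapabilities": ["NET_BIND_SERVICE"],
    "requiredDropCapabilities": ["SYS_ADMIN", "NET_ADMIN", "SETUID", "SETGID"],
}


def apply_defaults(policy: dict, container: dict) -> dict:
    """Mutating step. Fills securityContext.capabilities on the container:
    add  = containerAdd | (defaultAdd - containerDrop)   (an explicit drop wins over a default add)
    drop = requiredDrop | containerDrop
    Capabilities are a container-level setting in the pod YAML, not a pod-level one."""
    caps = container.setdefault("securityContext", {}).setdefault("capabilities", {})
    container_add = set(caps.get("add", []))
    container_drop = set(caps.get("drop", []))
    default_add = set(policy.get("defaultAddCapabilities", [])) - container_drop
    required_drop = set(policy.get("requiredDropCapabilities", []))
    caps["add"] = sorted(container_add | default_add)
    caps["drop"] = sorted(required_drop | container_drop)
    return container


def validate(policy: dict, container: dict) -> list[str]:
    """Validating step. Returns the list of violations; an empty list means the
    container is admitted. Two rules: every added capability must be in
    allowedCapabilities (or defaultAddCapabilities, or "*" allows all), and every
    requiredDropCapabilities entry must appear in the container's drop list."""
    caps = container.get("securityContext", {}).get("capabilities", {})
    added = set(caps.get("add", []))
    dropped = set(caps.get("drop", []))
    allowed = set(policy.get("allowedCapabilities", [])) | set(policy.get("defaultAddCapabilities", []))
    errors: list[str] = []
    if "*" not in allowed:
        for cap in sorted(added - allowed):
            errors.append(f"capability {cap} may not be added")
    for cap in sorted(set(policy.get("requiredDropCapabilities", [])) - dropped):
        errors.append(f"capability {cap} must be dropped")
    return errors


def admit(policy: dict, container: dict) -> tuple[bool, dict, list[str]]:
    """Full admission flow on a copy of the container: defaults, then validation.
    Returns (admitted, mutated_container, errors)."""
    mutated = apply_defaults(policy, copy.deepcopy(container))
    errors = validate(policy, mutated)
    return not errors, mutated, errors


if __name__ == "__main__":
    # Constructed container specs (the `containers:` entries of a pod YAML).
    web = {"name": "web", "image": "nginx", "securityContext": {"capabilities": {"add": ["CHOWN"]}}}
    netadmin = {"name": "tool", "image": "busybox", "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}
    for c in (web, netadmin):
        ok, mutated, errs = admit(POLICY, c)
        print(c["name"], "admitted" if ok else "rejected", mutated["securityContext"]["capabilities"], errs)
```

Running the script shows the effect of each field: the `web` container gets NET_BIND_SERVICE added for free and the four required drops appended, while the `tool` container is rejected because NET_ADMIN is neither allowed nor a default add. A container that explicitly drops a default-added capability keeps it dropped.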


Brando Sabatini and Ikbal C ©.