When specifying the security context of a Pod you can use several attributes. From a defensive security point of view you should consider:
- Setting runAsNonRoot to True
- Configuring runAsUser
- If possible, limiting permissions by specifying seLinuxOptions and seccompProfile
- Do NOT grant privileged group access via runAsGroup and supplementalGroups

| Attribute | Description |
|---|---|
| fsGroup | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: |
| fsGroupChangePolicy | This defines behavior of changing ownership and permission of the volume before being exposed inside Pod. |
| runAsGroup | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. |
| runAsNonRoot | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. |
| runAsUser | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. |
| seLinuxOptions | The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. |
| seccompProfile | The seccomp options to use by the containers in this pod. |
| supplementalGroups | A list of groups applied to the first process run in each container, in addition to the container's primary GID. |
| | Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. |
| | The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. |

This context is set inside the container definitions. From a defensive security point of view you should consider:
- Set allowPrivilegeEscalation to False
- Do not add sensitive capabilities (and remove the ones you don't need)
- Set privileged to False
- If possible, set readOnlyRootFilesystem to True
- Set runAsNonRoot to True and set a runAsUser
- If possible, limit permissions by specifying seLinuxOptions and seccompProfile
- Do NOT grant privileged group access via runAsGroup.

Note that for attributes set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

| Attribute | Description |
|---|---|
| allowPrivilegeEscalation | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is run as Privileged or has CAP_SYS_ADMIN |
| capabilities | The capabilities to add/drop when running containers. Defaults to the default set of capabilities. |
| privileged | Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. |
| procMount | procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. |
| readOnlyRootFilesystem | Whether this container has a read-only root filesystem. Default is false. |
| runAsGroup | The GID to run the entrypoint of the container process. Uses runtime default if unset. |
| runAsNonRoot | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. |
| runAsUser | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. |
| seLinuxOptions | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. |
| | The seccomp options to use by this container. |
| | The Windows specific settings applied to all containers. |
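
The container checklist and the precedence rule above, combined into a small audit; this is an added example, not part of the original page. The `effective` and `audit` helpers and the sample Pod are constructed for illustration, and the spec is assumed to be a plain dict as it would look after loading a manifest.

```python
# Added example: audit a Pod spec (as a dict) against the checklists above.
# Fields that exist at both levels; the container-level value takes precedence.
SHARED = ("runAsNonRoot", "runAsUser", "runAsGroup", "seLinuxOptions", "seccompProfile")

def effective(pod_sc, ctr_sc):
    """Merge contexts: the container value wins, pod value fills the gaps."""
    eff = dict(ctr_sc)
    for field in SHARED:
        if field not in eff and field in pod_sc:
            eff[field] = pod_sc[field]
    return eff

def audit(pod_spec):
    """Return {container name: [findings]} for each container in the spec."""
    pod_sc = pod_spec.get("securityContext", {})
    report = {}
    for ctr in pod_spec.get("containers", []):
        sc = effective(pod_sc, ctr.get("securityContext", {}))
        added = sc.get("capabilities", {}).get("add", [])
        checks = [  # (condition that is a finding, message)
            (sc.get("privileged", False), "privileged is true"),
            # Unset counts too: no_new_privs is only set when this is false.
            (sc.get("allowPrivilegeEscalation", True), "allowPrivilegeEscalation not false"),
            (sc.get("runAsNonRoot") is not True, "runAsNonRoot not true"),
            (sc.get("runAsUser") in (None, 0), "runAsUser unset or 0"),
            (not sc.get("readOnlyRootFilesystem", False), "readOnlyRootFilesystem not true"),
            (bool(added), "capabilities added: " + ",".join(added)),
            ("seccompProfile" not in sc, "no seccompProfile"),
        ]
        report[ctr["name"]] = [msg for bad, msg in checks if bad]
    return report

# Constructed sample: pod-level defaults are sound, "sidecar" overrides them.
SAMPLE_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "app", "securityContext": {
            "allowPrivilegeEscalation": False, "privileged": False,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar", "securityContext": {
            "runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}}},
    ],
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POD).items():
        print(name, findings or "OK")
```

The `sidecar` container inherits the pod-level runAsNonRoot and seccompProfile but its own runAsUser of 0 replaces the pod's 1000, which is why the audit has to resolve the effective context per container rather than reading the pod-level block alone.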