
SecurityContext


A SecurityContext is a setting in a PodSpec that enhances security for one or all of the containers in a pod. It controls the following settings:

  • Discretionary Access Control – define the user ID (UID) and group ID (GID) used by processes inside containers
  • Security Enhanced Linux (SELinux) – invoke predefined security labels
  • Linux Capabilities – coarse-grained control of system calls to the Linux kernel through a whitelist (add) or blacklist (drop)
    • Setting privileged: true grants all capabilities
  • AppArmor – invoke predefined program profiles to restrict the capabilities of individual programs
  • Seccomp – fine-grained control over a process's system calls through the use of JSON policy files
  • AllowPrivilegeEscalation – controls whether a process can gain more privileges than its parent

SecurityContext settings can be set for the pod and/or each container in the pod, for example:

apiVersion: v1
kind: Pod
metadata:
  name: ckad-training-pod
spec:
  securityContext:              # pod-level securityContext
    fsGroup: 2000
  containers:
  - name: ckad-training-container
    image: nginx
    securityContext:            # container-level securityContext
      capabilities:
        add: ["NET_ADMIN"]
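The manifest above leaves most settings at their defaults. As an added example (not RX-M's code), the following Python audits the effective securityContext of each container, merging pod-level and container-level values the way the API does: runAsUser, runAsGroup, runAsNonRoot, seLinuxOptions and seccompProfile can be set on the pod and overridden per container, fsGroup is pod-only, and privileged, capabilities and allowPrivilegeEscalation are container-only. The two manifests are constructed inline (the page's pod and a hardened variant) so that it runs without a YAML parser.

```python
# Added example (not RX-M's code): audit the effective securityContext of each
# container in a pod manifest. Assumed merge rule from the Kubernetes API: the
# fields below may be set at pod level and overridden by the container.
POD_OVERRIDABLE = ("runAsUser", "runAsGroup", "runAsNonRoot",
                   "seLinuxOptions", "seccompProfile")

def effective_context(pod_sc: dict, container_sc: dict) -> dict:
    merged = {k: v for k, v in pod_sc.items() if k in POD_OVERRIDABLE}
    merged.update(container_sc)          # container values win; fsGroup is pod-only
    return merged

def audit_container(pod_sc: dict, container: dict) -> list:
    sc = effective_context(pod_sc, container.get("securityContext") or {})
    caps = sc.get("capabilities") or {}
    name, findings = container["name"], []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true grants all capabilities")
    if caps.get("add"):
        findings.append(f"{name}: adds capabilities {sorted(caps['add'])}")
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: keeps the runtime's default capabilities")
    if sc.get("allowPrivilegeEscalation", True):   # API default is true
        findings.append(f"{name}: allowPrivilegeEscalation not false")
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        findings.append(f"{name}: may run as UID 0")
    if (sc.get("seccompProfile") or {}).get("type") in (None, "Unconfined"):
        findings.append(f"{name}: no seccomp profile")
    return findings

def audit_pod(pod: dict) -> list:
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    return [f for c in spec.get("containers", [])
            for f in audit_container(pod_sc, c)]

# The page's manifest and a hardened variant, constructed as dicts.
TRAINING_POD = {"spec": {"securityContext": {"fsGroup": 2000}, "containers": [
    {"name": "ckad-training-container", "image": "nginx",
     "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}
HARDENED_POD = {"spec": {"securityContext": {
    "fsGroup": 2000, "runAsNonRoot": True, "runAsUser": 10001,
    "seccompProfile": {"type": "RuntimeDefault"}}, "containers": [
    {"name": "ckad-training-container", "image": "nginx",
     "securityContext": {"allowPrivilegeEscalation": False,
                         "capabilities": {"drop": ["ALL"]}}}]}}
```

Running audit_pod on TRAINING_POD reports five findings (the added NET_ADMIN capability, default capabilities kept, privilege escalation allowed, possible UID 0, no seccomp profile); HARDENED_POD reports none.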
