Kubernetes: Security Contexts

A security context applies operating-system-level security restrictions to pods and containers: it controls what the processes inside a container are allowed to do. It can be set in the pod specification or in an individual container specification. Restrictions can be expressed in terms of the filesystem group, the UID a process runs as, and SELinux options such as the role and level. Security settings applied at pod level also apply to volumes attached to the pod. Below are two sample security contexts.

The first example sets a pod-level security context that enforces that no container within this pod may run as the root user.

kind: Pod
apiVersion: v1
metadata:
  name: hello
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - image: busybox
    name: busybox

In the second example, the security context is set at container level rather than pod level: it marks the container as privileged, which grants it elevated access to the host, and also sets seLinuxOptions to assign an SELinux level to the container.

apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
  - image: busybox
    name: busybox
    securityContext:
      privileged: true
      seLinuxOptions:
        level: "s0:c123,c456"
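The two manifests above set the security context at different levels, and the kubelet resolves them together: fields that exist at both pod and container level (runAsUser, runAsNonRoot, seLinuxOptions, ...) take the container value when both are present, pod-only fields such as fsGroup apply to every container and to volumes, and container-only fields such as privileged can never be set on the pod. The script below is an added example, not code from the original post or from Kubernetes itself; it assumes the manifests have already been parsed into Python dicts (the two constructed dicts mirror the examples on this page) and implements that merge rule, then audits each container for the settings an operator would normally want to catch: a privileged container, a container that may run as root, and a container left with the default allowPrivilegeEscalation.

```python
"""Resolve the effective security context of each container in a pod and
flag risky settings.  Added example: POD_NONROOT and POD_PRIVILEGED are
constructed dicts that mirror the two manifests discussed above; the field
names follow the Kubernetes core/v1 API."""
import copy

# Fields allowed at both pod and container level; the container value wins.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seLinuxOptions", "seccompProfile", "windowsOptions")

POD_NONROOT = {
    "kind": "Pod", "apiVersion": "v1",
    "metadata": {"name": "hello"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"image": "busybox", "name": "busybox"}],
    },
}

POD_PRIVILEGED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello"},
    "spec": {
        "containers": [{
            "image": "busybox", "name": "busybox",
            "securityContext": {
                "privileged": True,
                "seLinuxOptions": {"level": "s0:c123,c456"},
            },
        }],
    },
}


def effective_security_context(pod, container):
    """Merge pod-level and container-level securityContext.

    Shared fields: container overrides pod.  Container-only fields
    (privileged, capabilities, allowPrivilegeEscalation, ...) come from the
    container.  Pod-only fields (fsGroup, supplementalGroups, sysctls) are
    not part of a container's context and are left out here."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    effective = {}
    for field in SHARED_FIELDS:
        if field in ctr_sc:
            effective[field] = copy.deepcopy(ctr_sc[field])
        elif field in pod_sc:
            effective[field] = copy.deepcopy(pod_sc[field])
    for field, value in ctr_sc.items():
        if field not in SHARED_FIELDS:
            effective[field] = copy.deepcopy(value)
    return effective


def audit_pod(pod):
    """Return (container name, finding code) pairs for risky settings."""
    findings = []
    for container in pod["spec"].get("containers", []):
        sc = effective_security_context(pod, container)
        cname = container.get("name", "<unnamed>")
        if sc.get("privileged"):
            # Privileged containers get host devices and most capabilities.
            findings.append((cname, "PRIVILEGED"))
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser") in (None, 0):
            # No non-root guarantee: the image default user (often root) is used.
            findings.append((cname, "ROOT"))
        if sc.get("allowPrivilegeEscalation", True):
            # Defaults to true, so setuid binaries can gain privileges.
            findings.append((cname, "PRIV_ESC"))
    return findings


if __name__ == "__main__":
    for pod in (POD_NONROOT, POD_PRIVILEGED):
        name = pod["metadata"]["name"]
        for cname, code in audit_pod(pod):
            print(f"{name}/{cname}: {code}")
```

Note that the first manifest as written will not actually start: the busybox image declares no non-root USER, so with runAsNonRoot set the kubelet refuses to run the container and reports that the image would run as root. Adding a non-zero runAsUser (at pod or container level) alongside runAsNonRoot resolves that, and the audit above treats such a container as non-root.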
