Kubernetes Pod and Container Security: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 5: Line 5:
=Overview=
=Overview=


Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration, (for example, the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image), in [[#Privileged_Mode|non-privileged mode]] and using a pre-defined set of Kernel capabilities. The pod and container security contexts are a declarative method to modify all these run-time elements.
Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration, (for example, the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image), in [[#Privileged_Mode|non-privileged mode]] and using a pre-defined set of [[#Kernel_Capabilities|kernel capabilities]]. The pod and container security contexts are a declarative method to modify all these run-time elements.


=Pod Security Context=
=Pod Security Context=

Revision as of 01:30, 20 February 2021

External

Internal

Overview

Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration, (for example, the user and the group various container processes run under are by default specified with the USER directive in the container image), in non-privileged mode and using a pre-defined set of kernel capabilities. The pod and container security contexts are a declarative method to modify all these run-time elements.

Pod Security Context

Container Security Context

Relationship with Pod Security Policy

For more details see:

Pod Security Policy Concepts

Privileged Mode

Kernel Capabilities