Kubernetes Pod and Container Security: Difference between revisions

From NovaOrdis Knowledge Base
Revision as of 01:32, 20 February 2021

External

Internal

Overview

Containers instantiated from container images and running in pods in a Kubernetes cluster execute by default with the container image's configuration (for example, the user and group that the container processes run under are specified by the USER directive in the container image), in non-privileged mode, and with a pre-defined set of kernel capabilities. The pod and container security contexts, described below, are a declarative method to modify all of these run-time settings so that the containers run with a different configuration.
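The following pod manifest is an added example, not part of the original page, showing the three run-time settings named above being overridden declaratively: the user and group from the image's USER directive (runAsUser, runAsGroup), privileged mode (privileged, allowPrivilegeEscalation), and the kernel capability set (capabilities.drop/add). It also shows that a field set in a container's securityContext overrides the same field set at pod level. The pod name and image references are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: securitycontext-example        # constructed name, not from the page
spec:
  # Pod-level security context: applies to every container in the pod
  # unless a container sets the same field in its own securityContext.
  securityContext:
    runAsUser: 1000        # replaces the UID chosen by the image's USER directive
    runAsGroup: 3000       # replaces the primary GID from the image
    fsGroup: 2000          # supplementary group applied to mounted volumes
    runAsNonRoot: true     # kubelet refuses to start a container whose effective UID would be 0
    seccompProfile:
      type: RuntimeDefault # use the container runtime's default syscall filter
  containers:
  - name: app
    image: example.com/app:1.0         # placeholder image reference
    securityContext:
      privileged: false                # explicit; this is also the default
      allowPrivilegeEscalation: false  # sets no_new_privs, so setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true     # writable paths must come from volumes
      capabilities:
        drop: ["ALL"]                  # start from an empty set instead of the runtime default set
        add: ["NET_BIND_SERVICE"]      # re-add only what the workload actually needs
  - name: sidecar
    image: example.com/sidecar:1.0     # placeholder image reference
    securityContext:
      runAsUser: 1001                  # container-level field overrides the pod-level runAsUser: 1000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

After `kubectl apply -f` on this manifest, `kubectl exec securitycontext-example -c app -- id` should report uid 1000 and gid 3000, while the same command with `-c sidecar` reports uid 1001, confirming the container-level override. If the image expects to write under its root filesystem, the pod will fail at run time with readOnlyRootFilesystem set, so mount an emptyDir volume at the paths that need to be writable rather than removing the setting.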

Pod Security Context

Container Security Context

Relationship with Pod Security Policy

For more details see:

Pod Security Policy Concepts

Privileged Mode

Kernel Capabilities