External

• https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
• https://kubernetes.io/docs/concepts/security/pod-security-standards/

Internal

• Kubernetes Security Concepts

Overview

TODO: https://opensource.com/business/15/3/docker-security-tuning

Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the USER directive in the container image -, in non-privileged mode and using a pre-defined set of kernel capabilities. The pod and container security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive.

Pod Security Context

The pod security context is a section of the pod manifest that defines privileges and access control settings for the the pod and its containers. Some configuration elements, such as those referring to the pod's volumes, apply at the pod level only. Other configuration elements, like the UID or the GID containers should run with apply to all containers in the pod, and can be overridden by the per-container security context.

What can a Pod Security Context Configure?

Container Security Context

What can a Container Security Context Configure?

Pod Security Policy

A pod security policy is a cluster-level API resource that specifies required values or limits for security-sensitive aspects for pod and container configurations, as configured by the pod security context and container security context. If those values are not present in the pod configuration, the pod security policy provides default values. For more details on pod security policies, see:

Pod Security Policy Concepts

Privileges and Access Control Settings

The following sections document privileges and access control settings that can be set and modified with pod and container security policies and pod seucirty context.

Privileged Mode

Linux (Kernel) Capabilities

Also see:

Linux Capabilities

Organizatorium

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core

A security context defines privileges and access control settings for containers running in a pod. There is a pod-wide security context:

.spec.securityContext

Each container may have its own security context definition:

.spec.containers[].securityContext

The pod security context holds pod-level security attributes and common container settings, which apply to all containers in the pod. Some fields are shared with container security contexts. If the same configuration element is set in both the container security context and the pod security context, the value set in the container security context takes precedence.

Elements specific to the pod security context:

• fsGroup: integer, not quoted in the YAML manifest.
• fsGroupChangePolicy https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
• supplementalGroups
• sysctls

Elements specific to the container security context:

• privileged
• allowPrivilegeEscalation
• readOnlyRootFilesystem
• capabilities
• procMount
• seccompProfile https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container

Elements shared between the pod security context and container security context:

• runAsUser: integer, not quoted in the YAML manifest.
• runAsGroup: integer, not quoted in the YAML manifest.
• runAsNonRoot
• seLinuxOptions