Kubernetes Pod and Container Security: Difference between revisions
| Line 11: | Line 11: | ||
=Overview= | =Overview= | ||
A container instantiated from its image by a container runtime executes by default with access control settings and privileges defined in the image metadata. For example the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image. The processes in the container get by default only a limited set of [[Linux_Capabilities#Overview|Linux capabilities]]. | A container instantiated from its image by a container runtime executes by default with access control settings and privileges defined in the image metadata. For example the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image. The processes in the container run by default in [[Linux_Security_Concepts#Unprivileged_Container|unprivileged mode]] and get by default only a limited set of [[Linux_Capabilities#Overview|Linux capabilities]]. | ||
Revision as of 23:07, 1 March 2021
External
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- https://kubernetes.io/docs/concepts/security/pod-security-standards/
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core
Internal
Overview
A container instantiated from its image by a container runtime executes by default with access control settings and privileges defined in the image metadata. For example the user and the group various container processes run under are by default specified with the USER directive in the container image. The processes in the container run by default in unprivileged mode and get by default only a limited set of Linux capabilities.
Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the USER directive in the container image -, in non-privileged mode and using a pre-defined set of kernel capabilities. The pod and container security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive.
Pod Security Context
The pod security context is a pod-wide section of the pod manifest that defines privileges and access control settings for the pod and all containers running in the pod.
The pod security context holds pod-level security attributes and common container settings that apply to all containers in the pod. Some configuration elements, such as those referring to the pod's volumes, make sense at the pod level only. Other configuration elements, such as the UID or the GID containers run with, are shared with the container security contexts, and when specified in the pod security context, apply to all containers in the pod. Those fields can be overridden by the per-container security context. If the same configuration element is set in both the container security context and the pod security context, the value set in the container security context takes precedence.
kind: Pod
[...]
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
runAsNonRoot: true
fsGroup: 2000
[...]
Elements Specific to the Pod Security Context
- fsGroup: integer, not quoted in the YAML manifest.
- fsGroupChangePolicy https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
- supplementalGroups
- sysctls
- runAsUser: integer, not quoted in the YAML manifest.
- runAsGroup: integer, not quoted in the YAML manifest.
- runAsNonRoot
- seLinuxOptions
Container Security Context
Each container may have its own security context definition:
kind: Pod
[...]
spec:
containers:
- name: some-container
securityContext:
runAsUser: 1000
runAsGroup: 3000
runAsNonRoot: true
fsGroup: 2000
[...]
Elements Specific to the Container Security Context
- privileged
- allowPrivilegeEscalation
- readOnlyRootFilesystem
- capabilities
- procMount
- seccompProfile https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container
Pod Security Policy
A pod security policy is a cluster-level API resource that specifies required values or limits for security-sensitive aspects for pod and container configurations, as configured by the pod security context and container security context. If those values are not present in the pod configuration, the pod security policy provides default values. For more details on pod security policies, see:
Privileges and Access Control Settings
The following sections document privileges and access control settings that can be set and modified with pod and container security policies and pod seucirty context.
Discretionary Access Control
The permissions to access files in a container are based on the User ID and Group ID. More about Discretionary Access Control is available here:
runAsUser
runAsGroup
If this field is omitted, the primary group ID of the container will be root(0).
supplementalGroups
runAsNonRoot
Privileged Mode
Linux (Kernel) Capabilities
Also see: