Kubernetes Pod and Container Security: Difference between revisions
Jump to navigation
Jump to search
| Line 5: | Line 5: | ||
=Overview= | =Overview= | ||
Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image -, in [[#Privileged_Mode|non-privileged mode]] and using a pre-defined set of [[#Kernel_Capabilities|kernel capabilities]]. The pod and container security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive. | Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image -, in [[#Privileged_Mode|non-privileged mode]] and using a pre-defined set of [[#Kernel_Capabilities|kernel capabilities]]. The [[#Pod_Security_Context|pod]] and [[#Container_Security_Context|container]] security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive. | ||
=Pod Security Context= | =Pod Security Context= | ||
Revision as of 01:51, 20 February 2021
External
Internal
Overview
Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the USER directive in the container image -, in non-privileged mode and using a pre-defined set of kernel capabilities. The pod and container security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive.
Pod Security Context
Container Security Context
Relationship with Pod Security Policy
For more details see: