Kubernetes Pod and Container Security: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
Line 6: Line 6:


Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image -, in [[#Privileged_Mode|non-privileged mode]] and using a pre-defined set of [[#Kernel_Capabilities|kernel capabilities]]. The [[#Pod_Security_Context|pod]] and [[#Container_Security_Context|container]] security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive.
Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the [[Dockerfile#USER|USER directive]] in the container image -, in [[#Privileged_Mode|non-privileged mode]] and using a pre-defined set of [[#Kernel_Capabilities|kernel capabilities]]. The [[#Pod_Security_Context|pod]] and [[#Container_Security_Context|container]] security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive.
=Container Security Context=


=Pod Security Context=
=Pod Security Context=


=Container Security Context=
=Pod Security Policy=


=Relationship with Pod Security Policy=
=Relationship with Pod Security Policy=

Revision as of 03:27, 20 February 2021

External

Internal

Overview

Containers instantiated from container images and running in pods in a Kubernetes cluster are executing by default with container image configuration - for example, the user and the group various container processes run under are by default specified with the USER directive in the container image -, in non-privileged mode and using a pre-defined set of kernel capabilities. The pod and container security contexts, described below, are a declarative method to modify all these run-time settings and get the containers to run with a different run-time configuration. As the name implies, all configuration elements controlled by security contexts are security sensitive.

Container Security Context

Pod Security Context

Pod Security Policy

Relationship with Pod Security Policy

For more details see:

Pod Security Policy Concepts

Privileged Mode

Kernel Capabilities

Organizatorium

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core

A security context defines privileges and access control settings for containers running in a pod. There is a pod-wide security context:

.spec.securityContext

Each container may have its own security context definition:

.spec.containers[].securityContext

The pod security context holds pod-level security attributes and common container settings, which apply to all containers in the pod. Some fields are shared with container security contexts. If the same configuration element is set in both the container security context and the pod security context, the value set in the container security context takes precedence.

Elements specific to the pod security context:

Elements specific to the container security context:

Elements shared between the pod security context and container security context: