Kubernetes Pod and Container Security

From NovaOrdis Knowledge Base
Revision as of 01:33, 20 February 2021 by Ovidiu (talk | contribs) (→‎Overview)

External

Internal

Overview

By default, containers instantiated from container images and running in pods in a Kubernetes cluster execute with the configuration carried by the container image (for example, the user and group the container processes run under are those set by the USER directive in the image), in non-privileged mode, and with a pre-defined set of kernel capabilities. The pod and container security contexts, described below, are a declarative method to modify these run-time settings so that the containers run with a different run-time configuration.
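As an added illustration (constructed here, not taken from the original page), the manifest below shows where the two contexts sit: the pod-level securityContext applies to every container in the pod, while a container-level securityContext overrides the overlapping fields for that container only and is the only place privileged mode and capabilities are set. Pod name, container names and images are placeholders.

```yaml
# Constructed example: pod-level settings apply to all containers; a container's
# own securityContext overrides overlapping fields (runAsUser, runAsGroup, runAsNonRoot)
# and is the only level at which privileged, capabilities and
# allowPrivilegeEscalation can be set.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web                 # placeholder name
spec:
  securityContext:                   # pod security context
    runAsUser: 1000                  # replaces the UID from the image's USER directive
    runAsGroup: 3000
    fsGroup: 2000                    # pod-only: group ownership applied to mounted volumes
    runAsNonRoot: true               # kubelet refuses to start a container that would run as UID 0
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: web
    image: example.com/web:1.0       # placeholder image
    ports:
    - containerPort: 8080
    securityContext:                 # container security context
      privileged: false              # already the default; stated explicitly for review
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]                # discard the runtime's pre-defined capability set
  - name: sidecar
    image: example.com/sidecar:1.0   # placeholder image
    securityContext:
      runAsUser: 1001                # container-level value wins over the pod-level 1000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Dropping all capabilities and setting allowPrivilegeEscalation to false is what keeps a process confined to the UID it starts with; adding individual capabilities back should be done per container, only for the syscalls that container demonstrably needs.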

Pod Security Context

Container Security Context

Relationship with Pod Security Policy

For more details see:

Pod Security Policy Concepts

Privileged Mode

Kernel Capabilities