kubernetes: Security Context





After studying the two As of security (authentication and authorization), the next topic is admission control.


Kubernetes admission controllers are a powerful Kubernetes-native feature that lets you define and customize what is allowed to run on your cluster. An admission controller intercepts and processes requests to the Kubernetes API after the request has been authenticated and authorized, but before the object is persisted. It decides whether to admit the request, and how to act on it, based on the answers to questions such as the following:


  • Is the pod requesting too many resources?

  • Are the base images used to spawn the microservice pods secure?

  • What is the priority of this deployment compared to the others (for example, if the cluster is out of resources and needs to evict pods)?

  • Which privileges are currently granted to the service account linked to these pods/deployments? Do they adhere to the principle of least privilege?


Security Contexts


A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to, the user and group IDs that processes run as (runAsUser, runAsGroup, fsGroup) and whether a process may gain more privileges than its parent (allowPrivilegeEscalation); all of these appear in the example below.

Example: Set security context for a pod

To specify security settings for a Pod, include the securityContext field in the Pod specification. The securityContext field is a PodSecurityContext object. The security settings that you specify for a Pod apply to all Containers in the Pod. The configuration file shown below defines a Pod that has a securityContext and an emptyDir volume.

In the configuration file, the runAsUser field specifies that for any Containers in the Pod, all processes run with user ID 1000. The runAsGroup field specifies the primary group ID of 3000 for all processes within any containers of the Pod. If this field is omitted, the primary group ID of the containers will be root (0). Any files created will also be owned by user 1000 and group 3000 when runAsGroup is specified. Since the fsGroup field is specified, all processes of the container are also part of the supplementary group ID 2000. The owner of the volume /data/demo and of any files created in that volume will be group ID 2000. The container-level setting allowPrivilegeEscalation: false additionally prevents any process in the container from gaining more privileges than its parent process (for example, through a setuid binary).


We are going to create one such security context now.


[linuxadvise@linuxadvise ~]$ cat pod-security-context-demo.yaml
# pods/security/security-context.yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

[linuxadvise@linuxadvise ~]$ kubectl create -f pod-security-context-demo.yaml


[linuxadvise@linuxadvise ~]$ kubectl exec -it security-context-demo -- sh
/ $ cd data/demo/
/data/demo $ ls
a
/data/demo $ ls -lrt
total 0
-rw-r--r-- 1 1000 2000 0 Jul 29 17:05 a
/data/demo $

This is how a security context works: the container behaves according to the security context attached to it. The ls output confirms that the file in the volume is owned by user 1000 and group 2000, exactly as the Pod's runAsUser and fsGroup settings requested.
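The two halves of this post fit together in a validating admission webhook: the API server hands the webhook the Pod object as JSON, and the webhook answers the least-privilege questions listed above before the object is persisted. The following is an added example, not code from the original post or from Kubernetes itself. It re-expresses the post's security-context-demo manifest as the decoded dict a webhook would receive, constructs a second, deliberately weak Pod for comparison, and applies three checks: does the container run as root, is allowPrivilegeEscalation left at its default of true, and is the container privileged. The merge of Pod-level and container-level securityContext follows the Kubernetes rule that container values override Pod values for fields present at both levels; everything else (names, the WEAK_POD manifest) is an assumption made for the example.

```python
"""Validating-admission style checks for a Pod's security context.

Added example, not code from the original post. A validating admission
webhook receives the Pod object as JSON inside an AdmissionReview; the
checks below operate on that decoded object (a plain dict).
"""
import json

# Constructed input: the post's security-context-demo Pod as the API server
# would hand it to a webhook (JSON decoded into a dict).
SECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
        "containers": [{
            "name": "sec-ctx-demo",
            "image": "busybox",
            "command": ["sh", "-c", "sleep 1h"],
            "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}

# Constructed input (hypothetical): a Pod with no security context at all,
# so every default applies, plus a sidecar that asks for privileged mode.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "weak-demo"},
    "spec": {
        "containers": [
            {"name": "app", "image": "busybox", "command": ["sh", "-c", "sleep 1h"]},
            {"name": "sidecar", "image": "busybox",
             "securityContext": {"privileged": True, "runAsUser": 0}},
        ],
    },
}


def effective_context(pod_ctx, container_ctx):
    """Merge Pod-level and container-level securityContext the way Kubernetes
    does for fields that exist at both levels: the container value wins."""
    merged = dict(pod_ctx)
    merged.update(container_ctx)
    return merged


def check_pod(pod):
    """Return a list of (container, reason) violations; an empty list means admit."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = effective_context(pod_ctx, c.get("securityContext", {}))
        name = c["name"]
        # With runAsUser unset the image's USER applies (root for busybox), so an
        # unset or zero UID without runAsNonRoot is treated as running as root.
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            violations.append((name, "runs as root: set runAsUser (non-zero) or runAsNonRoot"))
        # Kubernetes defaults allowPrivilegeEscalation to true unless set to false.
        if ctx.get("allowPrivilegeEscalation", True):
            violations.append((name, "allowPrivilegeEscalation is not false"))
        if ctx.get("privileged", False):
            violations.append((name, "privileged container"))
    return violations


def review(pod):
    """Build the AdmissionReview response body a webhook would return.
    A real response also echoes the request's uid; there is no request here."""
    violations = check_pod(pod)
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "allowed": not violations,
            "status": {"message": "; ".join(f"{c}: {r}" for c, r in violations) or "ok"},
        },
    }


if __name__ == "__main__":
    for pod in (SECURE_POD, WEAK_POD):
        print(pod["metadata"]["name"], json.dumps(review(pod)["response"], indent=2))
```

Run as-is, the post's Pod is admitted with an empty violation list, while the weak Pod is rejected with five findings: both containers run as root and keep privilege escalation enabled, and the sidecar is additionally privileged. Wiring this logic into a real webhook means serving it over TLS and registering it with a ValidatingWebhookConfiguration, which is outside what this post covers.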







