Kubernetes and Cloud Native Associate - KCNA

Container Orchestration Security

Security Contexts

Welcome to this comprehensive lesson on security contexts in Kubernetes. In this tutorial, Mumshad Mannambeth explains how to enhance container security by configuring user IDs and Linux capabilities.

Overview

When running Docker containers, you can set security options such as the user ID the container process runs as and the Linux capabilities it holds. Kubernetes exposes the same controls, but because containers are wrapped in pods you can configure them either for the whole pod or for individual containers.

Security Options in Docker

Before diving into Kubernetes, here are two examples of how to run Docker containers with specific security settings:

docker run --user=1001 ubuntu sleep 3600
docker run --cap-add MAC_ADMIN ubuntu

The first command runs the container's process as UID 1001 instead of the image's default user (root for the ubuntu image); the second grants the container the MAC_ADMIN capability on top of Docker's default capability set.

Applying Security Contexts in Kubernetes

Kubernetes encapsulates containers within pods, so there are two places to put a security context. A pod-level securityContext (under spec) applies to every container in the pod; a container-level securityContext (under an entry in spec.containers) applies to that container only and, for any field set in both places, overrides the pod-level value. Note that some fields, capabilities among them, exist only at the container level: there is no pod-wide capabilities setting, so capabilities must always be added or dropped per container.

Example: Pod Definition with Container-Level Security Context

The following YAML file defines a pod whose single Ubuntu container runs the sleep command. The securityContext sits under the container entry, so it is container-level: it runs the process as user 1000 and adds the MAC_ADMIN capability.

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]
      securityContext:
        runAsUser: 1000
        capabilities:
          add: ["MAC_ADMIN"]

Key Point

When both the pod-level and the container-level security context set the same field, the container-level value takes precedence. Fields set only at the pod level are inherited by every container in the pod, and fields that exist only at the container level (such as capabilities) must be set on the container.
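To make the precedence rule concrete, here is an added example in Python; it is not code from the lesson or from KodeKloud. It parses a pod manifest (JSON form, which kubectl also accepts), computes each container's effective securityContext by copying pod-level fields and then letting container-level fields win, and reports the settings a reviewer would want flagged before admitting the pod. The manifest, the SHARED_FIELDS and CONTAINER_ONLY_FIELDS lists, and the review_pod function are my own constructions; the second container, sidecar, is a deliberately bad case that shows an edge: a pod-level runAsNonRoot: true combined with a container-level runAsUser: 0.

```python
import json

# Fields that exist in both PodSecurityContext and the container-level
# SecurityContext. When both are set, the container value wins.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seccompProfile", "seLinuxOptions")

# Fields that only exist at the container level; a pod-level
# `capabilities:` or `privileged:` is simply not part of the API.
CONTAINER_ONLY_FIELDS = ("capabilities", "privileged",
                         "allowPrivilegeEscalation", "readOnlyRootFilesystem")

# Constructed sample manifest (JSON, which kubectl also accepts). The pod
# default is uid 1000; the second container overrides it with root.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "web-pod"},
  "spec": {
    "securityContext": {"runAsUser": 1000, "runAsNonRoot": true},
    "containers": [
      {
        "name": "ubuntu",
        "image": "ubuntu",
        "command": ["sleep", "3600"],
        "securityContext": {"capabilities": {"add": ["MAC_ADMIN"]}}
      },
      {
        "name": "sidecar",
        "image": "ubuntu",
        "command": ["sleep", "3600"],
        "securityContext": {"runAsUser": 0, "privileged": true}
      }
    ]
  }
}
""")


def effective_context(pod, container):
    """Merge pod-level and container-level securityContext for one container.

    Pod-level values are copied first, then any container-level value for the
    same field replaces them (container wins). Container-only fields are taken
    from the container as-is.
    """
    pod_ctx = pod["spec"].get("securityContext", {})
    ctr_ctx = container.get("securityContext", {})
    merged = {k: pod_ctx[k] for k in SHARED_FIELDS if k in pod_ctx}
    for k in SHARED_FIELDS + CONTAINER_ONLY_FIELDS:
        if k in ctr_ctx:
            merged[k] = ctr_ctx[k]
    return merged


def review_pod(pod):
    """Return {container name: [findings]} for the settings worth a look."""
    findings = {}
    for ctr in pod["spec"]["containers"]:
        eff = effective_context(pod, ctr)
        notes = []
        uid = eff.get("runAsUser")
        if uid is None:
            # With no runAsUser anywhere, the image's USER applies, which is
            # root for most base images, including `ubuntu`.
            notes.append("no runAsUser: image USER applies (root for ubuntu)")
        elif uid == 0:
            notes.append("runAsUser 0: runs as root")
        if eff.get("runAsNonRoot") and uid == 0:
            # The kubelet refuses to start a container whose effective uid is 0
            # while runAsNonRoot is true, so this pod never becomes Ready.
            notes.append("conflict: runAsNonRoot true but runAsUser 0")
        if eff.get("privileged"):
            notes.append("privileged: true")
        added = eff.get("capabilities", {}).get("add", [])
        if added:
            notes.append("adds capabilities: " + ", ".join(added))
        findings[ctr["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in review_pod(SAMPLE_POD).items():
        print(f"{name}: {notes or ['ok']}")
```

For the ubuntu container the checker reports only the added MAC_ADMIN capability, with an effective uid of 1000 inherited from the pod; for the sidecar it reports root, privileged, and the runAsNonRoot conflict. That conflict is not rejected by the API server: the pod is accepted, and the kubelet refuses to start the container at creation time, which is why it is worth catching in review. On a real cluster you can confirm the effective user of a running container with kubectl exec web-pod -c ubuntu -- id -u, which should print 1000 for the pod above.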

Next Steps

That’s the end of this lesson on security contexts in Kubernetes. Practice viewing, configuring, and troubleshooting these contexts within your clusters using the coding exercises provided. For more detailed guidance on Kubernetes security, be sure to explore related documentation and resources.

Happy coding, and see you in the next lesson!

