- How to mirror Docker security options in Kubernetes
- The difference between Pod-level and Container-level configurations
- Best practices for applying user IDs and Linux capabilities
Why Security Contexts Matter
Security contexts help you enforce least-privilege container execution:- Define which Linux user or group a container runs as
- Grant or restrict Linux capabilities (e.g.,
NET_ADMIN,SYS_TIME) - Enable Pod-level settings that apply to all containers
Security Context Levels
Kubernetes lets you apply security contexts at two scopes:| Level | Applies To | Common Settings |
|---|---|---|
| Pod-level | All containers in a Pod | runAsUser, runAsGroup, fsGroup |
| Container-level | A single container | runAsUser, runAsGroup, capabilities, privileged |
Pod-Level Security Context
A Pod-level security context propagates settings to every container within that Pod. This is ideal for defining a consistent user and group ID across all containers.You cannot set Linux capabilities (
capabilities.add) at the Pod level. To grant capabilities, use a container-level security context.Container-Level Security Context
When you need fine-grained control—such as adding or dropping specific Linux capabilities—apply the security context directly to the container:Running containers in
privileged mode grants all Linux capabilities and should be avoided unless absolutely necessary.Best Practices
- Always run containers as non-root users (
runAsUser≥ 1000). - Use Pod-level context for uniform settings; override at the container level only when needed.
- Drop unnecessary capabilities (
capabilities.drop: ["ALL"]) and add only those required.