Introduction
A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. Below are few security contexts:
SecurityContext->runAsNonRoot
Indicates that containers should run as a non-root user.
We can implement the same as follows:
securityContext:
runAsUser: 2000
SecurityContext->Capabilities
Controls the Linux capabilities assigned to the container.
We can implement Linux capabilities. With Linux Capabilities, we can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest as follows
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
The list of capabilities/privileges given to a container will be decided by the client.
SecurityContext->readOnlyRootFilesystem
Controls whether a container will be able to write into the root filesystem.
We will not be able to implement the same because we have few components which perform the file upload/download/manipulation operations like DMS, Execution..etc. which will get impacted if we use readOnlyFile System.
PodSecurityContext->runAsNonRoot
Prevents running a container with ‘root’ user as part of the pod.
We can implement the same. But podSecurityContext overrides the security context defined at container level.
Sample YAML file
PFB a sample YAML file for a component. The same can be applied to all other components.
bff.yaml
apiVersion: v1 kind: Service metadata: name: bff namespace: appveensit spec: type: ClusterIP selector: app: bff ports: - protocol: TCP port: 80 targetPort: 11011 --- apiVersion: apps/v1 kind: Deployment metadata: name: bff namespace: appveensit spec: replicas: 1 selector: matchLabels: app: bff template: metadata: labels: app: bff spec: containers: - name: bff image: my-registry-name:8000/bff:sit5 imagePullPolicy: Always ports: - containerPort: 11011 envFrom: - configMapRef: name: config readinessProbe: httpGet: path: /api/v1/healthCheck port: 11011 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 securityContext: runAsUser: 2000 capabilities: add: ["NET_ADMIN", "SYS_TIME"]
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article