Introduction

A security context is a property defined in the deployment YAML. It controls the security parameters that will be assigned to the pod/container/volume. Below are a few security context settings:


SecurityContext->runAsNonRoot 

Indicates that containers should run as a non-root user. 

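We can implement this by running the container under a non-zero UID, as follows. Note that the runAsNonRoot: true field itself does not choose a UID; it makes Kubernetes refuse to start a container that would run as UID 0.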

securityContext:
  runAsUser: 2000


SecurityContext->Capabilities 

Controls the Linux capabilities assigned to the container.

We can implement Linux capabilities. With Linux capabilities, we can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a container, include the capabilities field in the securityContext section of the container manifest as follows:

securityContext:
  capabilities:
    add: ["NET_ADMIN", "SYS_TIME"]

The list of capabilities/privileges given to a container will be decided by the client.



SecurityContext->readOnlyRootFilesystem 

Controls whether a container will be able to write into the root filesystem.

We will not be able to implement this because a few of our components, such as DMS, Execution, etc., perform file upload/download/manipulation operations and would be impacted if we used a read-only root filesystem.


PodSecurityContext->runAsNonRoot 

Prevents running a container with ‘root’ user as part of the pod. 

We can implement the same. But podSecurityContext overrides the security context defined at container level.


Sample YAML file

Please find below a sample YAML file for a component. The same can be applied to all other components.
bff.yaml

apiVersion: v1
kind: Service
metadata:
  name: bff
  namespace: appveensit
spec:
  type: ClusterIP
  selector:
    app: bff
  ports:
    - protocol: TCP
      port: 80
      targetPort: 11011
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bff
  namespace: appveensit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bff
  template:
    metadata:
      labels:
        app: bff
    spec:
      containers:
        - name: bff
          image: my-registry-name:8000/bff:sit5
          imagePullPolicy: Always
          ports:
            - containerPort: 11011
          envFrom:
            - configMapRef:
                name: config
          readinessProbe:
            httpGet:
              path: /api/v1/healthCheck
              port: 11011
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
          securityContext:
            runAsUser: 2000
            capabilities:
              add: ["NET_ADMIN", "SYS_TIME"]
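
The settings discussed above can be checked across components before deployment. The following is an added example, not part of the original page or of the project's tooling: it audits the container-level securityContext of a Deployment given as JSON (the form kubectl get deployment -o json prints). The audit function, the approved_caps parameter, the approved list passed in, and the "sidecar" container are assumptions made for illustration.

```python
import json

# Constructed input: the pod template of the page's bff Deployment in JSON form,
# plus a hypothetical "sidecar" container that has no securityContext at all.
MANIFEST = json.loads("""
{"kind": "Deployment", "metadata": {"name": "bff"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "bff", "securityContext": {
      "runAsUser": 2000,
      "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}},
   {"name": "sidecar"}]}}}}
""")


def audit(manifest, approved_caps=frozenset()):
    """Return {container name: [findings]} for container-level securityContext.

    Assumption: only the container-level block is inspected; pod-level
    settings are out of scope here.
    """
    pod_spec = manifest["spec"]["template"]["spec"]
    containers = pod_spec.get("initContainers", []) + pod_spec["containers"]
    report = {}
    for c in containers:
        sc = c.get("securityContext") or {}
        findings = []
        uid = sc.get("runAsUser")
        if uid == 0:
            findings.append("runAsUser is 0 (root)")
        elif uid is None and sc.get("runAsNonRoot") is not True:
            findings.append("no runAsUser/runAsNonRoot: UID comes from the image")
        # Capabilities are compared with the list agreed with the client.
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added - set(approved_caps)):
            findings.append(f"capability {cap} added but not approved")
        # Reported for every container so the accepted exception stays visible.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("root filesystem is writable")
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    # The approved list is an assumption; the page leaves it to the client.
    for name, findings in audit(MANIFEST, approved_caps={"NET_ADMIN"}).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Components that legitimately write to the root filesystem, such as the file-handling ones mentioned above, will always show the last finding, which keeps that exception documented per container.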