A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. Below are few security contexts:
Indicates that containers should run as a non-root user.
We can implement the same as follows:
Controls the Linux capabilities assigned to the container.
We can implement Linux capabilities. With Linux Capabilities, we can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest as follows
add: ["NET_ADMIN", "SYS_TIME"]
The list of capabilities/privileges given to a container will be decided by the client.
Controls whether a container will be able to write into the root filesystem.
We will not be able to implement the same because we have few components which perform the file upload/download/manipulation operations like DMS, Execution..etc. which will get impacted if we use readOnlyFile System.
Prevents running a container with ‘root’ user as part of the pod.
We can implement the same. But podSecurityContext overrides the security context defined at container level.
Sample YAML file
PFB a sample YAML file for a component. The same can be applied to all other components.
apiVersion: v1 kind: Service metadata: name: bff namespace: appveensit spec: type: ClusterIP selector: app: bff ports: - protocol: TCP port: 80 targetPort: 11011 --- apiVersion: apps/v1 kind: Deployment metadata: name: bff namespace: appveensit spec: replicas: 1 selector: matchLabels: app: bff template: metadata: labels: app: bff spec: containers: - name: bff image: my-registry-name:8000/bff:sit5 imagePullPolicy: Always ports: - containerPort: 11011 envFrom: - configMapRef: name: config readinessProbe: httpGet: path: /api/v1/healthCheck port: 11011 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 securityContext: runAsUser: 2000 capabilities: add: ["NET_ADMIN", "SYS_TIME"]