Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Adding Security Contexts to deployment YAMLs

            Created by Shafeen Panjwani, Modified on Thu, 20 Jul, 2023 at 11:11 AM by Shafeen Panjwani

            Introduction

            A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. Below are few security contexts:


            SecurityContext->runAsNonRoot 

            Indicates that containers should run as a non-root user. 

            We can implement the same as follows:

            securityContext:

              runAsUser: 2000


            SecurityContext->Capabilities 

            Controls the Linux capabilities assigned to the container.

            We can implement Linux capabilities. With Linux Capabilities, we can grant certain privileges to a process without granting all the privileges of the root user.  To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest as follows

            securityContext:

              capabilities:

                add: ["NET_ADMIN", "SYS_TIME"]

            The list of capabilities/privileges given to a container will be decided by the client.



            SecurityContext->readOnlyRootFilesystem 

            Controls whether a container will be able to write into the root filesystem.

            We will not be able to implement the same because we have few components which perform the file upload/download/manipulation operations like DMS, Execution..etc. which will get impacted if we use readOnlyFile System.


            PodSecurityContext->runAsNonRoot 

            Prevents running a container with ‘root’ user as part of the pod. 

            We can implement the same. But podSecurityContext overrides the security context defined at container level.


            Sample YAML file

            PFB a sample YAML file for a component. The same can be applied to all other components.
            bff.yaml

            apiVersion: v1

kind: Service

metadata:

  name: bff

  namespace: appveensit

spec:

  type: ClusterIP

  selector:

    app: bff

  ports:

    - protocol: TCP

      port: 80

      targetPort: 11011

---

apiVersion: apps/v1

kind: Deployment

metadata:

  name: bff

  namespace: appveensit

spec:

  replicas: 1

  selector:

    matchLabels:

      app: bff

  template:

    metadata:

      labels:

        app: bff

    spec:

      containers:

        - name: bff

          image: my-registry-name:8000/bff:sit5

          imagePullPolicy: Always

          ports:

            - containerPort: 11011

          envFrom:

          - configMapRef:

              name: config

          readinessProbe:

            httpGet:

              path: /api/v1/healthCheck

              port: 11011

              scheme: HTTP

            initialDelaySeconds: 5

            periodSeconds: 10

          securityContext:

            runAsUser: 2000

            capabilities:

              add: ["NET_ADMIN", "SYS_TIME"]

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0