Adding Security Contexts to deployment YAMLs

Created by Shafeen Panjwani, Modified on Thu, 20 Jul, 2023 at 11:11 AM by Shafeen Panjwani

Introduction

A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. Below are few security contexts:


SecurityContext->runAsNonRoot 

Indicates that containers should run as a non-root user. 

We can implement the same as follows:

securityContext:

  runAsUser: 2000


SecurityContext->Capabilities 

Controls the Linux capabilities assigned to the container.

We can implement Linux capabilities. With Linux Capabilities, we can grant certain privileges to a process without granting all the privileges of the root user.  To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest as follows

securityContext:

  capabilities:

    add: ["NET_ADMIN", "SYS_TIME"]

The list of capabilities/privileges given to a container will be decided by the client.



SecurityContext->readOnlyRootFilesystem 

Controls whether a container will be able to write into the root filesystem.

We will not be able to implement the same because we have few components which perform the file upload/download/manipulation operations like DMS, Execution..etc. which will get impacted if we use readOnlyFile System.


PodSecurityContext->runAsNonRoot 

Prevents running a container with ‘root’ user as part of the pod. 

We can implement the same. But podSecurityContext overrides the security context defined at container level.


Sample YAML file

PFB a sample YAML file for a component. The same can be applied to all other components.
bff.yaml

apiVersion: v1

kind: Service

metadata:

  name: bff

  namespace: appveensit

spec:

  type: ClusterIP

  selector:

    app: bff

  ports:

    - protocol: TCP

      port: 80

      targetPort: 11011

---

apiVersion: apps/v1

kind: Deployment

metadata:

  name: bff

  namespace: appveensit

spec:

  replicas: 1

  selector:

    matchLabels:

      app: bff

  template:

    metadata:

      labels:

        app: bff

    spec:

      containers:

        - name: bff

          image: my-registry-name:8000/bff:sit5

          imagePullPolicy: Always

          ports:

            - containerPort: 11011

          envFrom:

          - configMapRef:

              name: config

          readinessProbe:

            httpGet:

              path: /api/v1/healthCheck

              port: 11011

              scheme: HTTP

            initialDelaySeconds: 5

            periodSeconds: 10

          securityContext:

            runAsUser: 2000

            capabilities:

              add: ["NET_ADMIN", "SYS_TIME"]

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article