Kubernetes Security Context in Deployments
This document demonstrates how to configure the securityContext field within a Kubernetes Deployment to enhance pod and container security. The example below shows a Deployment for a Docker-in-Docker (dind) service, which requires elevated privileges.
Understanding Security Context
The securityContext field allows you to define privilege and access control settings for a Pod or a Container. This is crucial for enforcing the principle of least privilege and securing your applications running in Kubernetes.
Configuring Privileged Containers
In this example, the privileged: true setting within the container's securityContext runs the container in privileged mode: it receives every Linux capability and access to the host's devices, so a process inside it is essentially equivalent to root on the host. This is often necessary for specific workloads like Docker-in-Docker, whose daemon needs to mount filesystems and manage namespaces and cgroups, but it should be used with extreme caution because a compromise of such a container is effectively a compromise of the node.
Example Deployment with Security Context
The following YAML defines a Deployment for a dind service. Pay close attention to the securityContext block within the container specification.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dind
  labels:
    app: dind
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dind
  template:
    metadata:
      labels:
        app: dind
    spec:
      containers:
        - name: dind-daemon
          image: docker:stable-dind
          resources:
            limits:
              cpu: "1"
              memory: "512Mi"
            requests:
              cpu: 500m
              memory: "128Mi"
          # Privileged mode is required by the Docker daemon inside the container;
          # it removes nearly all isolation between the container and the host.
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-graph-storage
              mountPath: /var/lib/docker
            - name: docker-socket-dir
              mountPath: /var/run
      volumes:
        - name: docker-graph-storage
          emptyDir: {}
        - name: docker-socket-dir
          emptyDir: {}
```
Key SecurityContext Fields
privileged (true/false): When set to true, the container runs in privileged mode.
capabilities: Allows fine-grained control over Linux capabilities (add or drop individual capabilities).
runAsUser: The UID to run the entrypoint of the container.
runAsGroup: The GID to run the entrypoint of the container.
readOnlyRootFilesystem (true/false): Mounts the container's root filesystem as read-only.
Best Practices for Security Context
Always strive to grant the minimum necessary privileges. Avoid using privileged: true unless absolutely essential. Explore the capabilities field for more granular control over container permissions. Regularly review your security contexts to ensure they align with your security policies.