Difference between revisions of "Kubernetes securityContext"
Jump to navigation
Jump to search
| (15 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
A security context defines privilege and access control settings for a [[Pod]] or [[Container]]. | A security context defines privilege and access control settings for a [[Pod]] or [[Container]]. | ||
| − | The <code>[[securityContext]]</code> field is a <code>[[PodSecurityContext]]</code> object. | + | The <code>[[securityContext]]</code> field is a <code>[[PodSecurityContext]]</code> [[object]]. |
| − | *https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | + | * https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| + | * https://jamesdefabia.github.io/docs/user-guide/security-context/ | ||
| + | * https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context | ||
| − | ==Example== | + | [[kind: Pod]] |
| + | [[kind: Deployment]] | ||
| + | |||
| + | == Example == | ||
* <code>pods/security/security-context.yaml</code> | * <code>pods/security/security-context.yaml</code> | ||
| − | + | [[apiVersion]]: v1 | |
| − | kind: Pod | + | [[kind: Pod]] |
| − | metadata: | + | metadata: |
| − | + | name: security-context-demo | |
| − | spec: | + | [[spec:]] |
| − | + | [[securityContext:]] | |
| − | + | [[runAsUser:]] 1000 | |
| − | + | [[runAsGroup:]] 3000 | |
| − | + | fsGroup: 2000 | |
| − | + | volumes: | |
| − | + | - name: sec-ctx-vol | |
| − | + | emptyDir: {} | |
| − | + | containers: | |
| − | + | - name: sec-ctx-demo | |
| − | + | image: busybox | |
| − | + | command: [ "sh", "-c", "sleep 1h" ] | |
| − | + | volumeMounts: | |
| − | + | - name: sec-ctx-vol | |
| − | + | mountPath: /data/demo | |
| − | + | securityContext: | |
| − | + | allowPrivilegeEscalation: false | |
== Related terms == | == Related terms == | ||
| Line 34: | Line 39: | ||
* [[CKA v1.18]]: [[Define security contexts]] | * [[CKA v1.18]]: [[Define security contexts]] | ||
* [[CKA v1.15]]: Understand SecurityContexts | * [[CKA v1.15]]: Understand SecurityContexts | ||
| + | * <code>[[RunAsUser:]]</code> | ||
== Activities == | == Activities == | ||
* Understand <code>SecurityContext</code> field in the [[Pod specification]]. | * Understand <code>SecurityContext</code> field in the [[Pod specification]]. | ||
| − | |||
== See also == | == See also == | ||
* {{CKA}} | * {{CKA}} | ||
| − | * {{K8s}} | + | * {{K8s security}} |
| − | |||
[[Category:K8s]] | [[Category:K8s]] | ||
[[Category:CKA]] | [[Category:CKA]] | ||
Latest revision as of 14:23, 27 November 2023
A security context defines privilege and access control settings for a Pod or Container.
The securityContext field is a PodSecurityContext object.
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- https://jamesdefabia.github.io/docs/user-guide/security-context/
- https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
kind: Pod kind: Deployment
Contents
Example[edit]
pods/security/security-context.yaml
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 volumes: - name: sec-ctx-vol emptyDir: {} containers: - name: sec-ctx-demo image: busybox command: [ "sh", "-c", "sleep 1h" ] volumeMounts: - name: sec-ctx-vol mountPath: /data/demo securityContext: allowPrivilegeEscalation: false
Related terms[edit]
- CKA v1.21: Understand SecurityContexts:
securityContext(Pod) - CKA v1.18: Define security contexts
- CKA v1.15: Understand SecurityContexts
RunAsUser:
Activities[edit]
- Understand
SecurityContextfield in the Pod specification.
See also[edit]
- CKA: v1.28: API, Namespace, Pods, secrets, Services, deployments, nodes, Volumes, Ingress, CKS
- Kubernetes security, OPA, EKS security, PSA, PSS, CKS,
SecurityContext, Trivy, KubeBench, Kubernetes Admission Controllersadmissionregistration.k8s.io, Hardeneks, Gatekeeper (Kubernetes),kubernetes.io/enforce-mountable-secrets, Auditing
Advertising:
