Difference between revisions of "Spec.securityContext"

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000

spec:
 securityContext:
   runAsNonRoot: true

Examples

 apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox:1.28
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

Errors

• Error: container's runAsUser breaks non-root policy

Related

• Kubernetes changelog: AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext
• Configure a Security Context for a Pod or Container: kind: Pod

See also

• spec.securityContext, spec.securityContext.runAsUser, spec.securityContext.fsGroup
• kind: Pod: spec.containers, spec.initContainers, spec.volumes, spec.securityContext
• Kubernetes security, OPA, EKS security, PSA, PSS, CKS, SecurityContext, Trivy, KubeBench, Kubernetes Admission Controllers admissionregistration.k8s.io, Hardeneks, Gatekeeper (Kubernetes), kubernetes.io/enforce-mountable-secrets, Auditing