runAsUser: 1000 means all containers in the pod will run as user UID 1000. fsGroup: 2000 means the group owner of mounted volumes and of any files created in those volumes will be GID 2000.
fsGroup — The field defines a special supplemental group that assigns a group ID (GID) for all containers in the pod. Also, this group ID is associated with the emptyDir volume mounted at /data/test and with any files created in that volume.
A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to: Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).
SELinux is a policy-driven system to control access to applications, processes and files on a Linux system. It implements the Linux Security Modules framework in the Linux kernel. SELinux is based on the concept of labels.
readOnlyRootFilesystem is one setting that controls whether a container is able to write into its filesystem. It's a feature most want enabled in the event of a compromise: if an attacker gets in, they won't be able to tamper with the application or write foreign executables to disk.
The Kubernetes Pod SecurityContext provides two options, runAsNonRoot and runAsUser, to enforce non-root users. You can use the two options separately from each other because they test for different configurations. When you set runAsNonRoot: true you require that the container run as a user with any UID other than 0.
The supplementalGroups IDs are typically used for controlling access to shared storage, such as NFS and GlusterFS, whereas fsGroup is used for controlling access to block storage, such as Ceph RBD and iSCSI.
- You have enabled the API type extensions/v1beta1/podsecuritypolicy (only for versions prior to 1.6)
- You have enabled the admission controller PodSecurityPolicy.
- You have defined your policies.
net_bind_service. This one's easy. If you have this capability, you can bind to privileged ports (e.g., those below 1024). If you want to bind to a port below 1024 you need this capability. If you are running a service that listens to a port above 1024 you should drop this capability.
Running a pod in a privileged mode means that the pod can access the host's resources and kernel capabilities. You can turn a pod into a privileged one by setting the privileged flag to `true` (by default a container is not allowed to access any devices on the host).
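The settings described above can be checked together before a pod is deployed. The following is an added example, not code from Kubernetes or from any of the quoted sources: a small audit over a pod spec given as a Python dict, where the function names, the finding messages and the sample spec are constructed for illustration.

```python
# Added example: audit a pod spec (as a dict) against the securityContext settings above.
# runAsUser / runAsNonRoot may be set at pod or container level; the container value wins.
# privileged, readOnlyRootFilesystem and capabilities exist only at container level.

def effective(pod_sc, ctr_sc, field):
    """Container-level value if present, otherwise the pod-level value."""
    return ctr_sc.get(field, pod_sc.get(field))

def audit_pod(spec):
    findings = []
    pod_sc = spec.get("securityContext", {})
    for ctr in spec.get("containers", []):
        name, sc = ctr["name"], ctr.get("securityContext", {})
        uid = effective(pod_sc, sc, "runAsUser")
        non_root = effective(pod_sc, sc, "runAsNonRoot")
        if uid == 0:
            findings.append((name, "runAsUser is 0 (root)"))
        elif uid is None and not non_root:
            findings.append((name, "no runAsUser or runAsNonRoot; image may run as root"))
        if sc.get("privileged"):
            findings.append((name, "privileged: true grants access to host resources"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        dropped = {c.upper() for c in sc.get("capabilities", {}).get("drop", [])}
        low_port = any(p.get("containerPort", 65535) < 1024 for p in ctr.get("ports", []))
        if not low_port and not dropped & {"ALL", "NET_BIND_SERVICE"}:
            findings.append((name, "NET_BIND_SERVICE kept although no port is below 1024"))
    return findings

# Constructed sample: pod-level UID 1000, fsGroup 2000 and an emptyDir at /data/test,
# one hardened container and one deliberately weak container.
SAMPLE = {
    "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
    "volumes": [{"name": "data", "emptyDir": {}}],
    "containers": [
        {"name": "app", "ports": [{"containerPort": 8080}],
         "volumeMounts": [{"name": "data", "mountPath": "/data/test"}],
         "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                             "capabilities": {"drop": ["ALL"]}}},
        {"name": "legacy", "ports": [{"containerPort": 80}],
         "securityContext": {"runAsUser": 0, "privileged": True}},
    ],
}

if __name__ == "__main__":
    for container, issue in audit_pod(SAMPLE):
        print(f"{container}: {issue}")
```

The `legacy` container overrides the pod-level UID 1000 with UID 0, which is why the audit resolves the effective value per container instead of reading only the pod-level securityContext.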