KCAD Prep Part 5 – Kubernetes SecurityContexts - briansdevblog
source link: https://www.briansdevblog.com/2021/05/kcad-prep-part-5-kubernetes-securitycontexts/
Kubernetes SecurityContext
A SecurityContext is a Kubernetes object, defined as part of the Pod spec, that describes the privileges and access control settings for a Pod. The primary settings for a SecurityContext are:
- runAsUser – allows you to run containers as a specified user
- runAsGroup – allows you to run containers as a specified group
- fsGroup – allows you to run containers with a specific file system group
These settings can be applied at the Pod or container level. If applied at the Pod level the settings will apply to all containers in the Pod. If the SecurityContext is defined at both the Pod and container level, the container level SecurityContext will take precedence.
Below is a sample Pod definition with a SecurityContext defined.

    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      volumes:
      - name: sec-context-volume
        emptyDir: {}
      containers:
      - name: sec-context-demo-container
        image: busybox
        command: [ "sh", "-c", "sleep 3600" ]
        volumeMounts:
        - name: sec-context-volume
          mountPath: /data/demo
Create the above Pod by running kubectl apply -f securitycontext-demo.yml from the sample code.
Once the Pod is created you can exec into the running container with kubectl exec -it security-context-demo -- sh. Run ps to list the processes and the users running those processes. You’ll see that the sh and sleep 3600 commands were run by user 1000, as specified by the runAsUser attribute.
Run cd data/demo and create a test file with echo test >> testfile. Run ls -l and you’ll see that user 1000 owns the file and it belongs to group 2000. This corresponds to the values set in runAsUser and fsGroup respectively.
Finally, running id displays the user's ID (1000), their primary group ID (3000) and the supplementary groups they belong to (2000).
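As an added example (not code from the original post), the script below applies the Pod-level versus container-level precedence rule described earlier to the demo Pod, extended with a constructed second container that overrides runAsUser, and flags containers that are not pinned to a non-root UID. It assumes the manifest is already loaded as a Python dict, and treats fsGroup as a Pod-level-only field, which is how the Kubernetes API defines it.

```python
from typing import Any, Dict, List

# Constructed manifest: the post's demo Pod plus a hypothetical "sidecar"
# container whose container-level securityContext overrides runAsUser.
POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [
            {"name": "sec-context-demo-container", "image": "busybox"},
            {"name": "sidecar", "image": "busybox",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}

# Fields present in both PodSecurityContext and the container SecurityContext,
# so a container-level value wins. fsGroup only exists at the Pod level.
MERGEABLE = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_contexts(pod: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map each container name to the settings it actually runs with."""
    pod_sc = pod["spec"].get("securityContext", {})
    result: Dict[str, Dict[str, Any]] = {}
    for c in pod["spec"].get("containers", []):
        eff = {k: pod_sc[k] for k in MERGEABLE if k in pod_sc}   # Pod defaults
        eff.update({k: v for k, v in c.get("securityContext", {}).items()
                    if k in MERGEABLE})                            # container override
        if "fsGroup" in pod_sc:
            eff["fsGroup"] = pod_sc["fsGroup"]
        result[c["name"]] = eff
    return result


def unpinned_containers(pod: Dict[str, Any]) -> List[str]:
    """Containers not guaranteed a non-root UID: runAsUser is 0, or unset
    (the UID then falls back to the image's USER directive) without
    runAsNonRoot: true to make the kubelet enforce it."""
    flagged = []
    for name, sc in effective_contexts(pod).items():
        uid = sc.get("runAsUser")
        if uid == 0 or (uid is None and sc.get("runAsNonRoot") is not True):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, sc in effective_contexts(POD).items():
        print(name, sc)
    print("not pinned to non-root:", unpinned_containers(POD))
```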
The sample code for these notes is available here.