Kubernetes - Set the security context for a Pod

  To specify security settings for a Pod, include the securityContext field in the Pod specification. The securityContext field is a PodSecurityContext object. The settings you specify at Pod level apply to every container in the Pod, but each container can also carry its own securityContext (a SecurityContext object). For fields that exist at both levels, such as runAsUser and runAsGroup, the container value takes precedence over the Pod value. fsGroup exists only at Pod level: it adds a supplementary group to the processes in every container and sets the group ownership of volumes that support it, such as emptyDir. Without any securityContext, the container runs as whatever user the image defines, and the busybox image defines none, so it runs as root (uid 0). The three Deployment manifests below use the same busybox container and emptyDir volume and differ only in where the securityContext is set. They all reuse the name busybox-nosc in the demo namespace, so applying one replaces the previous one.

Without Security Context:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox-nosc
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      test: app
  template:
    metadata:
      labels:
        test: app
    spec:
      containers:
      - name: busybox-con
        image: busybox
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 60; rm -rf /tmp/healthy; sleep 600
        volumeMounts:
        - name: sec-volume
          mountPath: /data/demo
      volumes:
      - name: sec-volume
        emptyDir: {}


Security Context on Pod level

The securityContext sits in the Pod template spec, beside containers and volumes, so it applies to busybox-con and to any other container added to the Pod later:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox-nosc
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      test: app
  template:
    metadata:
      labels:
        test: app
    spec:
      containers:
      - name: busybox-con
        image: busybox
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 60; rm -rf /tmp/healthy; sleep 600
        volumeMounts:
        - name: sec-volume
          mountPath: /data/demo
      volumes:
      - name: sec-volume
        emptyDir: {}
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000


Security Context on container level

Here the container sets runAsUser 5000 and runAsGroup 6000, which override the Pod-level 1000 and 3000 for busybox-con only. fsGroup 2000 still applies, because it cannot be set per container:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox-nosc
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      test: app
  template:
    metadata:
      labels:
        test: app
    spec:
      containers:
      - name: busybox-con
        image: busybox
        args:
        - /bin/sh
        - -c
        - touch /tmp/healthy; sleep 60; rm -rf /tmp/healthy; sleep 600
        volumeMounts:
        - name: sec-volume
          mountPath: /data/demo
        securityContext:
          runAsUser: 5000
          runAsGroup: 6000
      volumes:
      - name: sec-volume
        emptyDir: {}
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
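The following script is an added example, not code from the original post. It models the precedence rule the three manifests illustrate: Pod-level values apply to every container unless the container sets the same field, fsGroup always comes from the Pod level, and a container with no runAsUser at either level runs as the image's user (root for busybox). The manifests are embedded as plain Python dicts constructed from the YAML above so it runs offline without PyYAML or a cluster; the field lists and the hypothetical "sidecar" container in the last spec are assumptions of this example, and the field lists are the commonly checked ones rather than an exhaustive copy of the Kubernetes API. It goes beyond the page by resolving a two-container Pod, where one container overrides and the other inherits.

```python
"""Effective security context of each container in a Pod spec.

Added example (not code from the original post). Models how a Pod-level
securityContext is merged with a container-level one. The specs below are
constructed from the page's manifests; the field lists are an assumption of
this script (the common fields), not the full Kubernetes API.
"""

# Accepted at both Pod and container level; the container value wins.
OVERRIDABLE = ("runAsUser", "runAsGroup", "runAsNonRoot",
               "seccompProfile", "seLinuxOptions")

# Exist only in PodSecurityContext, so they always come from the Pod level.
POD_ONLY = ("fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls")

# Exist only in the container-level SecurityContext.
CONTAINER_ONLY = ("privileged", "allowPrivilegeEscalation", "capabilities",
                  "readOnlyRootFilesystem")


def effective_context(pod_spec):
    """Return {container name: effective settings} for a Pod spec dict."""
    pod_sc = pod_spec.get("securityContext") or {}
    result = {}
    for container in pod_spec["containers"]:
        c_sc = container.get("securityContext") or {}
        eff = {}
        for field in OVERRIDABLE:
            if field in c_sc:          # container value shadows the Pod value
                eff[field] = c_sc[field]
            elif field in pod_sc:
                eff[field] = pod_sc[field]
        for field in POD_ONLY:
            if field in pod_sc:        # fsGroup etc. cannot be overridden
                eff[field] = pod_sc[field]
        for field in CONTAINER_ONLY:
            if field in c_sc:
                eff[field] = c_sc[field]
        result[container["name"]] = eff
    return result


def runs_as_root(eff):
    """True if the container will run as uid 0.

    With no runAsUser the process runs as the image's USER, which for the
    busybox image (no USER instruction) is root. runAsNonRoot: true does not
    change the uid; it makes the kubelet refuse to start a root image, so it
    counts here as "not running as root".
    """
    uid = eff.get("runAsUser")
    if uid is None:
        return not eff.get("runAsNonRoot", False)
    return uid == 0


def root_containers(pod_spec):
    """Names of containers in the spec that would run as root."""
    return [name for name, eff in effective_context(pod_spec).items()
            if runs_as_root(eff)]


# Constructed from the page's manifests (image and name as on the page;
# args and volume mounts omitted because they do not affect the result).
BUSYBOX = {"name": "busybox-con", "image": "busybox"}
POD_LEVEL = {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000}

NO_SC = {"containers": [dict(BUSYBOX)]}
POD_SC = {"containers": [dict(BUSYBOX)], "securityContext": dict(POD_LEVEL)}
CONTAINER_SC = {
    "containers": [dict(BUSYBOX,
                        securityContext={"runAsUser": 5000, "runAsGroup": 6000})],
    "securityContext": dict(POD_LEVEL),
}
# Beyond the page: a hypothetical second container with no securityContext
# of its own inherits the Pod-level values while busybox-con keeps its override.
MIXED = {
    "containers": [
        dict(BUSYBOX, securityContext={"runAsUser": 5000, "runAsGroup": 6000}),
        {"name": "sidecar", "image": "busybox"},
    ],
    "securityContext": dict(POD_LEVEL),
}

if __name__ == "__main__":
    for label, spec in [("no securityContext", NO_SC), ("Pod-level", POD_SC),
                        ("container-level", CONTAINER_SC), ("mixed", MIXED)]:
        print(label, effective_context(spec), "root:", root_containers(spec))
```

In a real cluster the same result is checked from inside the Pod: after applying the container-level manifest, `kubectl exec -n demo deploy/busybox-nosc -- id` should report uid 5000 and gid 6000, and `ls -ld /data/demo` should show the emptyDir owned by group 2000, the fsGroup value that the container-level settings do not override.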
