PodSecurityContext
Definition
PodSecurityContext is a Kubernetes configuration object, set in a Pod's spec.securityContext field, that defines security settings for a Pod and influences how the containers within the Pod are executed. It allows administrators to specify security-related attributes such as user and group IDs and SELinux options; Linux capabilities are set per container, in the container's own securityContext, as the examples below show. These settings help enforce security policies at the Pod level so that containers run with the least privilege necessary.
Secure Settings Example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: secure-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
Insecure Settings Example
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
    - name: insecure-container
      image: nginx
      securityContext:
        privileged: true
        allowPrivilegeEscalation: true
        capabilities:
          add:
            - NET_ADMIN
            - SYS_TIME
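
Manifest Check Example
The following is an added example, not part of the original page or of Kubernetes itself: a small Python audit that flags the settings contrasted in the two manifests above, resolving Pod-level values against container-level overrides. The function name audit_pod and the finding labels are hypothetical, and the two manifests are the page's examples rewritten as Python dicts (the JSON form of the YAML).

```python
# Added example: audit a Pod manifest for the settings contrasted on this page.
# The manifests below are constructed from the page's two YAML examples.
SECURE_POD = {"metadata": {"name": "secure-pod"}, "spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "secure-container", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

INSECURE_POD = {"metadata": {"name": "insecure-pod"}, "spec": {
    "containers": [{"name": "insecure-container", "image": "nginx",
                    "securityContext": {"privileged": True,
                                        "allowPrivilegeEscalation": True,
                                        "capabilities": {"add": ["NET_ADMIN",
                                                                 "SYS_TIME"]}}}]}}


def audit_pod(pod):
    """Return (container, finding) tuples; finding labels are hypothetical."""
    findings = []
    pod_sc = pod["spec"].get("securityContext") or {}
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext") or {}
        name = c["name"]
        # Fields that exist at both levels: the container value wins if set.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            findings.append((name, "privileged"))
        # Leaving the field unset is flagged too: only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "privilege-escalation-not-disabled"))
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "capabilities-not-dropped"))
        for cap in caps.get("add", []):
            findings.append((name, "capability-added:" + cap))
        # Unset means the image's default user, which may be root (UID 0).
        if not run_as_user:
            findings.append((name, "root-or-image-default-user"))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "seccomp-profile-not-set"))
    return findings


if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```

The secure manifest produces no findings; the insecure one is flagged both for what it sets (privileged, added capabilities) and for what it leaves unset (user ID, seccomp profile, dropped capabilities).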