rootless mode
Definition
Rootless mode refers to the ability to run containerized applications without requiring root privileges on the host system. This improves security by reducing the risk of privilege escalation attacks, because containers operate with user-level permissions. Rootless mode is particularly useful in environments where granting root access is undesirable or prohibited: if a container is compromised, the attacker holds only an unprivileged user's permissions rather than root on the host.
Secure Settings Example
# Example of a Kubernetes PodSecurityContext for a rootless container
apiVersion: v1
kind: Pod
metadata:
  name: rootless-pod
spec:
  securityContext:
    runAsUser: 1000   # Non-root user ID
    runAsGroup: 1000  # Non-root group ID
  containers:
    - name: rootless-container
      image: example/rootless-image:latest
      securityContext:
        allowPrivilegeEscalation: false
Insecure Settings Example
# Example of a Kubernetes PodSecurityContext with root privileges
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  securityContext:
    runAsUser: 0  # Root user ID
  containers:
    - name: insecure-container
      image: example/insecure-image:latest
      securityContext:
        allowPrivilegeEscalation: true
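
An added example, not part of the original page: a small Python audit that applies the difference between the two manifests above to Pod objects in JSON form. The function name `audit_pod`, the finding strings and the sample pods (including the `override-pod` case) are constructed for illustration; the check assumes container-level `runAsUser` overrides the pod-level value and that an unset `allowPrivilegeEscalation` leaves escalation allowed.

```python
import json

def audit_pod(pod):
    """Return (container, finding) pairs for root-related settings in a Pod."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level values take precedence over pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0:
            findings.append((c["name"], "runs as UID 0"))
        elif uid is None and not non_root:
            findings.append((c["name"], "UID unset; image default may be root"))
        # This field exists only at container level; unset is treated as allowed.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((c["name"], "allowPrivilegeEscalation not false"))
    return findings

# Constructed samples mirroring the two manifests above, plus an override case.
SECURE_POD = json.loads("""
{"metadata": {"name": "rootless-pod"},
 "spec": {"securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
          "containers": [{"name": "rootless-container",
                          "securityContext": {"allowPrivilegeEscalation": false}}]}}
""")
INSECURE_POD = json.loads("""
{"metadata": {"name": "insecure-pod"},
 "spec": {"securityContext": {"runAsUser": 0},
          "containers": [{"name": "insecure-container",
                          "securityContext": {"allowPrivilegeEscalation": true}}]}}
""")
OVERRIDE_POD = json.loads("""
{"metadata": {"name": "override-pod"},
 "spec": {"securityContext": {"runAsUser": 1000},
          "containers": [{"name": "sidecar",
                          "securityContext": {"runAsUser": 0}}]}}
""")

if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD, OVERRIDE_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```

The override case shows why a pod-level `runAsUser: 1000` alone is not sufficient evidence: a single container can still set UID 0 for itself.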