Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
When specifying the security context of a Pod you can use several attributes. From a defensive security point of view you should consider:
To have runASNonRoot as True
To configure runAsUser
If possible, consider limiting permissions indicating seLinuxOptions and seccompProfile
Do NOT give privilege group access via runAsGroup and supplementaryGroups
This context is set inside the containers definitions. From a defensive security point of view you should consider:
allowPrivilegeEscalation to False
Do not add sensitive capabilities (and remove the ones you don't need)
privileged to False
If possible, set readOnlyFilesystem as True
Set runAsNonRoot to True and set a runAsUser
If possible, consider limiting permissions indicating seLinuxOptions and seccompProfile
Do NOT give privilege group access via runAsGroup.
Note that the attributes set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is run as Privileged or has CAP_SYS_ADMIN |
The capabilities to add/drop when running containers. Defaults to the default set of capabilities. |
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. |
procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. |
Whether this container has a read-only root filesystem. Default is false. |
The GID to run the entrypoint of the container process. Uses runtime default if unset. |
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. |
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. |
The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. |
The seccomp options to use by this container. |
The Windows specific settings applied to all containers. |
A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume |
This defines behavior of changing ownership and permission of the volume before being exposed inside Pod. |
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. |
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. |
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. |
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. |
The seccomp options to use by the containers in this pod. |
A list of groups applied to the first process run in each container, in addition to the container's primary GID. |
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. |
The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. |
boolean
More info about Capabilities
boolean
string
boolean
integer
boolean
integer
More info about seLinux
integer
string
integer
boolean
integer
More info about seLinux
More info about Seccomp
integer array
array More info about
