$ kubectl explain pod.spec.securityContext
KIND: Pod
VERSION: v1
RESOURCE: securityContext <Object>
DESCRIPTION:
SecurityContext holds pod-level security attributes and common container
settings. Optional: Defaults to empty. See type description for default
values of each field.
PodSecurityContext holds pod-level security attributes and common container
settings. Some fields are also present in container.securityContext. Field
values of container.securityContext take precedence over field values of
PodSecurityContext.
FIELDS:
fsGroup <integer>
A special supplemental group that applies to all containers in a pod. Some
volume types allow the Kubelet to change the ownership of that volume to be
owned by the pod:
1. The owning GID will be the FSGroup 2. The setgid bit is set (new files
created in the volume will be owned by FSGroup) 3. The permission bits are
OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any
volume.
fsGroupChangePolicy <string>
fsGroupChangePolicy defines behavior of changing ownership and permission
of the volume before being exposed inside Pod. This field will only apply
to volume types which support fsGroup based ownership(and permissions). It
will have no effect on ephemeral volume types such as: secret, configmaps
and emptydir. Valid values are "OnRootMismatch" and "Always". If not
specified defaults to "Always".
runAsGroup <integer>
The GID to run the entrypoint of the container process. Uses runtime
default if unset. May also be set in SecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence for that container.
runAsNonRoot <boolean>
Indicates that the container must run as a non-root user. If true, the
Kubelet will validate the image at runtime to ensure that it does not run
as UID 0 (root) and fail to start the container if it does. If unset or
false, no such validation will be performed. May also be set in
SecurityContext. If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence.
runAsUser <integer>
The UID to run the entrypoint of the container process. Defaults to user
specified in image metadata if unspecified. May also be set in
SecurityContext. If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence for that container.
seLinuxOptions <Object>
The SELinux context to be applied to all containers. If unspecified, the
container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in both
SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence for that container.
seccompProfile <Object>
The seccomp options to use by the containers in this pod.
supplementalGroups <[]integer>
A list of groups applied to the first process run in each container, in
addition to the container's primary GID. If unspecified, no groups will be
added to any container.
sysctls <[]Object>
Sysctls hold a list of namespaced sysctls used for the pod. Pods with
unsupported sysctls (by the container runtime) might fail to launch.
windowsOptions <Object>
The Windows specific settings applied to all containers. If unspecified,
the options within a container's SecurityContext will be used. If set in
both SecurityContext and PodSecurityContext, the value specified in
SecurityContext takes precedence.
Last active: November 30, 2021 13:48
Gist: torstenwalter/46322607b62c733c59dccd8bae9455f8
Secure applications running on Kubernetes
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
```
$ kubectl explain pod.spec.containers.securityContext.privileged
KIND: Pod
VERSION: v1
FIELD: privileged <boolean>
DESCRIPTION:
Run container in privileged mode. Processes in privileged containers are
essentially equivalent to root on the host. Defaults to false.
$ kubectl explain pod.spec.containers.securityContext.readOnlyRootFilesystem
KIND: Pod
VERSION: v1
FIELD: readOnlyRootFilesystem <boolean>
DESCRIPTION:
Whether this container has a read-only root filesystem. Default is false.
$ kubectl explain pod.spec.securityContext
$ kubectl explain pod.spec.containers.securityContext
$ kubectl explain pod.spec.initContainers.securityContext
$ kubectl explain pod.spec.ephemeralContainers.securityContext
option | pod | container | initContainer | ephemeralContainers |
---|---|---|---|---|
allowPrivilegeEscalation | - | x | x | x |
capabilities | - | x | x | x |
fsGroup | x | - | - | - |
fsGroupChangePolicy | x | - | - | - |
privileged | - | x | x | x |
procMount | - | x | x | x |
readOnlyRootFilesystem | - | x | x | x |
runAsGroup | x | x | x | x |
runAsNonRoot | x | x | x | x |
runAsUser | x | x | x | x |
seLinuxOptions | x | x | x | x |
seccompProfile | x | x | x | x |
supplementalGroups | x | - | - | - |
sysctls | x | - | - | - |
windowsOptions | x | x | x | x |
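As an added example (not part of the gist), the Deployment above rewritten with the settings from the table placed at the level where they are accepted: pod-level fields under `pod.spec.securityContext`, container-only fields such as `privileged`, `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` under the container. Assumptions not taken from the gist: the image `nginxinc/nginx-unprivileged:stable-alpine`, which listens on 8080 and runs as UID 101, and the writable paths `/tmp` and `/var/cache/nginx` that it needs once the root filesystem is read-only. The gist's `nginx:1.14.2` starts as root to bind port 80, so `runAsNonRoot: true` would make the kubelet refuse to start it, which is exactly the validation the `runAsNonRoot` description above promises.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # Pod-level fields ("pod" column of the table). They apply to every
      # container, initContainer and ephemeral container unless that
      # container sets the same field itself (container value wins).
      securityContext:
        runAsNonRoot: true            # kubelet fails the container if its UID resolves to 0
        runAsUser: 101                # assumed: UID the unprivileged nginx image runs as
        runAsGroup: 101
        fsGroup: 101                  # volume ownership for volume types that honour fsGroup
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault        # runtime's default syscall filter instead of Unconfined
      containers:
        - name: nginx
          # assumed image: listens on an unprivileged port, no root needed
          image: nginxinc/nginx-unprivileged:stable-alpine
          ports:
            - containerPort: 8080
          # Container-level fields ("container" column); these names are
          # rejected by the API server if placed under pod.spec.securityContext.
          securityContext:
            privileged: false                 # default, stated explicitly for reviewers
            allowPrivilegeEscalation: false   # no setuid / file-capability gains after exec
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            # runAsUser here would override the pod-level 101 for this container only
          # readOnlyRootFilesystem: paths nginx writes to must be explicit mounts
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: cache
              mountPath: /var/cache/nginx
      volumes:
        - name: tmp
          emptyDir: {}
        - name: cache
          emptyDir: {}
```

Apply it with `kubectl apply -f` and confirm the effective values with `kubectl get pod <name> -o yaml`: the pod-level block is copied into `spec.securityContext` and the container block stays under `spec.containers[0].securityContext`, which is the precedence order the `kubectl explain` text above describes. A quick negative test is to switch the image back to `nginx:1.14.2`: the pod stays in `CreateContainerConfigError` with a "container has runAsNonRoot and image will run as root" message from the kubelet.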