CHAPTER 20. Workload Hardening

One of the key properties of Linux containerization is the flexibility of the security model, which allows for individual security layers to be modified as required. Although the default settings created by common container runtimes like Docker are fairly good, an important part of improving cluster security is ensuring that these defaults are strengthened as much as possible.

In addition to workloads voluntarily improving their security by setting security contexts, cluster operators can use Kubernetes features like PodSecurityPolicy (https://kubernetes.io/docs/concepts/policy/pod-security-policy/) and other admission controllers such as OPA or Kyverno to ensure that workloads that do not meet their security requirements are not run on the cluster.

It's worth noting that although Kubernetes clusters can include Windows nodes running Windows containers, most of the hardening options available are specific to Linux containers.

Using Security Context in Manifests

Kubernetes provides a number of features that can be used, when applications are deployed to the cluster, to improve their security. Some of these can be deployed easily with limited impact on the workload, but others require more preparation before they can be applied effectively. The mechanisms exposed as part of a security context are largely mirrors of similar features available at the container runtime level.

Setting security contexts in manifests is an important hardening step, particularly ...
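The following is an added example, not code from the book: it shows a Pod that relies on the runtime defaults next to the same Pod with a hardened `securityContext`, and a small admission-style check of the kind an operator would enforce with a policy controller. The field names are the real Kubernetes `PodSecurityContext`/`SecurityContext` fields; the two Pod specs, the image name and the baseline rules are constructed for illustration.

```python
def _ctx(container, pod_spec, key):
    """Container-level securityContext wins; fall back to the pod-level one."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod_spec.get("securityContext") or {}
    return c_ctx.get(key, p_ctx.get(key))

def hardening_findings(pod):
    """List (container, issue) pairs for settings weaker than the baseline."""
    spec = pod["spec"]
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append((name, "allowPrivilegeEscalation not false"))
        if _ctx(c, spec, "runAsNonRoot") is not True:
            findings.append((name, "runAsNonRoot not true"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "readOnlyRootFilesystem not true"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append((name, "capabilities.drop lacks ALL"))
        if (_ctx(c, spec, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "seccompProfile not RuntimeDefault/Localhost"))
    return findings

# Constructed sample: a Pod that relies on the container runtime defaults.
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-default"},
    "spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]},
}

# Constructed sample: the same Pod with a hardened securityContext.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (DEFAULT_POD, HARDENED_POD):
        print(pod["metadata"]["name"], hardening_findings(pod))
```

The default Pod produces five findings and the hardened one none; a policy controller such as OPA or Kyverno would reject the former at admission rather than merely report it.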
