July 2019
Intermediate to advanced
502 pages
14h
English
Content preview from Hands-On Microservices with Kubernetes
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Implementing security contexts
Sometimes, pods and containers need escalated privileges or access to the node. This will be very rare for your application workloads. However, when necessary, Kubernetes has the concept of a security context that encapsulates and allows you to configure multiple Linux security concepts and mechanisms. This is critical from a security perspective because you open up a tunnel out of the container world into the host machine.
Here is a list of some mechanisms that are covered by security contexts:
- Allowing (or forbidding) privilege escalation
- Access control via user IDs and group IDs (runAsUser, runAsGroup)
- Capabilities as opposed to unrestricted root access
- Using AppArmor and seccomp profiles
- SELinux configuration ...