The Security Context tool in Kubernetes specifies security parameters for pods and containers, including the user under which processes run, what permissions that user has, which system calls can be executed, and so on.
This article covers how to configure two parameters: securityContext, for a specific container inside a pod, and podSecurityContext, for the whole pod and all containers inside it.
How to configure the securityContext parameter
The securityContext parameter defines security settings for a specific container inside the pod.
You can configure this parameter in the values-file. In the .Values.global.securityContext field, set values, for example:
global:
  securityContext:
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
Where:
runAsUser is the UID inside the container on behalf of which processes in this container are started.
seccompProfile.type is the seccomp profile that restricts system calls inside the container: opening files, creating processes, etc. This example uses the RuntimeDefault value, which provides a basic level of security.
Once the parameter is configured, apply it as described in the Modify BRIX Enterprise parameters article.
Default values for the securityContext parameter
If you do not specify a value for the parameter, the default settings apply:
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault
How to configure the podSecurityContext parameter
The podSecurityContext parameter specifies security settings for the entire pod. They affect all containers within it.
You can configure this parameter in the values-file. In the .Values.global.podSecurityContext field, set values such as:
global:
  podSecurityContext:
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
Where:
runAsUser is the UID on behalf of which all processes in the pod are started.
seccompProfile.type is the seccomp profile for the entire pod. This example uses the RuntimeDefault value, which provides a basic level of security.
Once the parameter is configured, apply it as described in the Modify BRIX Enterprise parameters article.
Default values for the podSecurityContext parameter
If you do not specify values for the parameter, the default settings apply:
runAsUser: 1001
seccompProfile:
  type: RuntimeDefault
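When both parameters are set, Kubernetes merges them per container: the chart's podSecurityContext becomes the pod's spec.securityContext, and a container-level securityContext overrides the same field. The following added example (not part of the BRIX documentation) computes the context each container actually runs with and flags containers that fall below the documented defaults; the pod manifest and names in it are constructed for illustration.

```python
# Added example (not BRIX code): merge pod-level and container-level security
# context the way Kubernetes does, then check each container against the
# documented baseline (non-root runAsUser, RuntimeDefault seccomp profile).

# Fields that exist at both levels; the container-level value wins.
OVERRIDABLE = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def effective_context(pod_spec: dict, container: dict) -> dict:
    """Return the merged security context for one container."""
    merged = {k: v for k, v in pod_spec.get("securityContext", {}).items() if k in OVERRIDABLE}
    merged.update(container.get("securityContext", {}))  # container-level overrides
    return merged


def check_container(ctx: dict) -> list[str]:
    """Return findings for a merged context; an empty list means it meets the baseline."""
    findings = []
    uid = ctx.get("runAsUser")
    if uid is None:
        findings.append("runAsUser not set: UID comes from the image (often root)")
    elif uid == 0:
        findings.append("runAsUser is 0: processes run as root")
    seccomp = ctx.get("seccompProfile", {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        findings.append(f"seccompProfile.type is {seccomp!r}: system calls are unrestricted")
    return findings


def audit_pod(pod: dict) -> dict[str, list[str]]:
    """Map each container name to its list of findings."""
    spec = pod["spec"]
    return {c["name"]: check_container(effective_context(spec, c)) for c in spec["containers"]}


# Constructed sample: pod-level settings match the documented defaults;
# one container overrides them with a weaker (root, Unconfined) context.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "brix-example"},  # hypothetical name
    "spec": {
        "securityContext": {"runAsUser": 1001, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app"},
            {"name": "sidecar", "image": "example/sidecar",
             "securityContext": {"runAsUser": 0, "seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(name, "OK" if not findings else findings)
```

To run this against a real deployment, feed it the output of kubectl get pod -o json instead of SAMPLE_POD; the merge logic covers only the fields listed in OVERRIDABLE.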