Security settings for containers and pods

The Security Context mechanism in Kubernetes specifies security parameters for pods and containers, including the user (UID) that processes run as, what privileges that user has, which system calls the processes may execute, and so on.

This article covers how to configure the parameters:

  • securityContext for a specific container inside a pod.
  • podSecurityContext for the whole pod and all containers inside it.

How to configure the securityContext parameter

The securityContext parameter defines security settings for a specific container inside the pod.

You can configure this parameter in the values-elma365.yaml file. In the .Values.global.securityContext field, set values, for example:

global:
  securityContext:
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault

Where:

  • runAsUser is the UID inside the container that the container's processes run as.
  • seccompProfile.type is the seccomp profile that restricts the system calls available inside the container (opening files, creating processes, etc.). This example uses the RuntimeDefault value, the container runtime's default profile, which provides a basic level of protection.

Once the parameter is configured, apply it as described in the Modify BRIX Enterprise parameters article.

Default values for the securityContext parameter

If you do not specify a value for the parameter, the default settings apply:

runAsUser: 1001
seccompProfile:
  type: RuntimeDefault

How to configure the podSecurityContext parameter

The podSecurityContext parameter specifies security settings for the entire pod. They apply to all containers within it. If the same field is also set in a container's securityContext, the container-level value takes precedence for that container.

You can configure this parameter in the values-elma365.yaml file. In the .Values.global.podSecurityContext field, set values such as:

global:
  podSecurityContext:
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault

Where:

  • runAsUser is the UID that all processes in the pod run as.
  • seccompProfile.type is the seccomp profile for the entire pod. This example uses the RuntimeDefault value, the container runtime's default profile, which provides a basic level of protection.

Once the parameter is configured, apply it as described in the Modify BRIX Enterprise parameters article.

Default values for the podSecurityContext parameter

If you do not specify values for the parameter, the default settings apply:

runAsUser: 1001
seccompProfile:
  type: RuntimeDefault
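The following script is an added example, not part of this article or the BRIX chart. It computes the security context a container effectively ends up with from the securityContext and podSecurityContext sections described above, applying the article's defaults (runAsUser 1001, seccompProfile RuntimeDefault) when a section is unset and the Kubernetes rule that container-level fields override pod-level ones, then flags settings a reviewer would question. The values are passed in as already-parsed dicts (constructed samples), and it is assumed the chart passes these fields through to the pod spec unchanged.

```python
import copy

# Defaults the article states for both parameters when they are left unset.
DEFAULT_CONTEXT = {"runAsUser": 1001, "seccompProfile": {"type": "RuntimeDefault"}}


def effective_context(values):
    """Return the security context a BRIX container effectively runs with.

    `values` is the parsed content of values-elma365.yaml (a dict). Unset
    sections fall back to the article's defaults; for fields set at both
    levels, Kubernetes lets the container securityContext override the
    podSecurityContext, which the shallow merge below reproduces.
    """
    glob = values.get("global", {})
    pod_ctx = glob.get("podSecurityContext") or copy.deepcopy(DEFAULT_CONTEXT)
    ctr_ctx = glob.get("securityContext") or copy.deepcopy(DEFAULT_CONTEXT)
    merged = copy.deepcopy(pod_ctx)
    merged.update(ctr_ctx)  # container-level fields win over pod-level ones
    return merged


def review_context(ctx):
    """Return a list of findings on the effective context (empty when clean)."""
    findings = []
    uid = ctx.get("runAsUser")
    if uid is None:
        findings.append("runAsUser not set: the image's default user (often root) is used")
    elif uid == 0:
        findings.append("runAsUser is 0: processes run as root inside the container")
    seccomp = (ctx.get("seccompProfile") or {}).get("type")
    if seccomp is None:
        findings.append("seccompProfile not set: no system call filtering")
    elif seccomp == "Unconfined":
        findings.append("seccompProfile.type is Unconfined: system call filtering disabled")
    return findings


# Constructed sample: the securityContext values shown in the article.
ARTICLE_VALUES = {"global": {"securityContext": {
    "runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}}}}

# Constructed sample: a hardened pod whose container-level override re-enables root.
ROOT_OVERRIDE = {"global": {
    "podSecurityContext": {"runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
    "securityContext": {"runAsUser": 0}}}

if __name__ == "__main__":
    for name, vals in [("article values", ARTICLE_VALUES), ("root override", ROOT_OVERRIDE)]:
        ctx = effective_context(vals)
        print(name, ctx, review_context(ctx) or "no findings")
```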