search

6.4.Kubernetes Pod Security Context

This deploys the demo application to Kubernetes using pod security context to enforce that the docker container must run unprivileged using non-root user.

hashtag
Deploy the root application

The corresponding container image is pulled from andifalk/hello-rootarrow-up-right docker hub repository.

Please note that this container is not allowed to run as root any more!

There is also a specification for resource limits (the container is only allowed to access the given cpu and memory).

For java this only works with container aware JDK versions like OpenJDK 8u192 or above. To achieve the best results for resource limiting you have to use Java 11. With using older java versions the java vm inside the container will just grab the whole memory and cpu resources of the host system and will probably be just killed by Kubernetes.

The application is deployed using the following deployment yaml file k8s/deploy_denied.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hello-security-ctx-deny
  name: hello-security-ctx-deny
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-security-ctx-deny
  template:
    metadata:
      labels:
        app: hello-security-ctx-deny
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
      containers:
      - image: andifalk/hello-root:latest
        name: hello-security-ctx-deny
        resources:
          limits:
            cpu: "1"
            memory: "512Mi"
          requests:
            cpu: "0.5"
            memory: "256Mi"
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          privileged: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
        volumeMounts:
          - name: tmp-volume
            mountPath: /tmp
      restartPolicy: Always
      volumes:
        - name: tmp-volume
          emptyDir: {}

hashtag
Deploy the rootless application

The corresponding container image is pulled from andifalk/hello-rootless-jibarrow-up-right docker hub repository.

The application is deployed using the following deployment yaml file k8s/deploy.yaml:

Please note that this container is now running using a non-root user now and kubernetes also does enforce a non-root user now!

hashtag
Deploy the application using Pod Security Context

Now to deploy our application use these commands:

This deploys the rootless image build using the openjdk base image.

Now this should successfully be deployed as the container is non-root and therefore is compliant to the pod security context.

Now you can prove that this container does not run with root by using kubeauditarrow-up-right again.

This time only the info line should appear in the result:

You can also check for a lot of other security relevant things by using:

hashtag
Next

Next: K8s Pod Security Policyarrow-up-right

Previous6.3.Kubernetes DeploymentNext6.5.Kubernetes Pod Security Policies

Last updated