☸️Kubernetes Pod Security Context Labs

🎯 Objective

Learn to secure Kubernetes workloads using securityContext and podSecurityContext for least-privilege container execution.

🧰 Prerequisites

Kubernetes cluster (Minikube, kind, etc.)
kubectl configured
Permissions to deploy workloads

🔹 Lab 1: Run a Pod as a Non-Root User

# non-root-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: non-root-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "id && sleep 3600"]

kubectl apply -f non-root-pod.yaml
kubectl logs non-root-pod

✅ Pod runs as a non-root user with specific UID/GID.

🔹 Lab 2: Set a Read-Only Root Filesystem

# readonly-rootfs.yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-pod
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "touch /test || echo 'cannot write' && sleep 3600"]
    securityContext:
      readOnlyRootFilesystem: true

kubectl apply -f readonly-rootfs.yaml
kubectl logs readonly-pod

✅ Container cannot write to the root filesystem.

🔹 Lab 3: Drop Linux Capabilities

# drop-capabilities.yaml
apiVersion: v1
kind: Pod
metadata:
  name: drop-caps-pod
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "ping -c 1 127.0.0.1 || echo 'ping failed' && sleep 3600"]
    securityContext:
      capabilities:
        drop: ["ALL"]

kubectl apply -f drop-capabilities.yaml
kubectl logs drop-caps-pod

✅ Dropping capabilities prevents privileged operations like ping.

🔹 Lab 4: Disable Privilege Escalation

# no-priv-escalation.yaml
apiVersion: v1
kind: Pod
metadata:
  name: no-priv-escalation
spec:
  containers:
  - name: app
    image: busybox
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      allowPrivilegeEscalation: false

kubectl apply -f no-priv-escalation.yaml

✅ Prevents processes in the container from gaining additional privileges.

🔹 Lab 5: A really Pod Security Context

Key Security Fields

Field

Default

Recommended

Reason

automountServiceAccountToken

true

false

Avoid exposing API token

hostNetwork

false

Prevent network namespace escape

hostPID

false

Prevent process visibility

hostIPC

false

Prevent shared memory abuse

readOnlyRootFilesystem

N/A

true

Block writes to /

seccompProfile

N/A

RuntimeDefault

Prevent unwanted syscalls

✅ Even if some defaults are false, you should set them explicitly to:

Document intent
Satisfy policies (e.g., PodSecurityAdmission restricted)
Prevent accidental future changes

Step 1: Define a really Secure Pod Specification

# secure-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  automountServiceAccountToken: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: secure-container
    image: busybox
    command: ["sh", "-c", "id && sleep 3600"]
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]

✅ This Pod enforces:

Disable token mounting as the application does not need to call the Kubernetes API
Ensures pod is not sharing the host network namespace
Prevents access to host process namespace
Prevents access to host IPC namespace
Non-root user (UID 1000)
Sets the group ID (GID 3000) for the primary group of the container process
No privilege escalation
No added capabilities
Read-only root filesystem
Ensures that the container has group access (GID 2000) to the mounted files
Seccomp isolation

Step 2: Apply and Verify the Secure Pod

kubectl apply -f secure-pod.yaml
kubectl get pod secure-pod
kubectl exec secure-pod -- id

✅ The output should show non-root UID/GID.

Step 3: Test File System Protection

Try writing to the root filesystem:

kubectl exec secure-pod -- touch /testfile

❌ Expected: Operation not permitted (due to readOnlyRootFilesystem)

✅ Summary

✅ Deployed the most secure possible Pod using native features
✅ Blocked privilege escalation and system-level access
✅ Followed all best practices explicitly for compliance and clarity

🔹 Lab 6: Clean Up

kubectl delete pod non-root-pod readonly-pod drop-caps-pod no-priv-escalation pod secure-pod

✅ Wrap-Up

✅ Ran containers as non-root users
✅ Made root filesystems read-only
✅ Dropped unnecessary Linux capabilities
✅ Prevented privilege escalation
✅ Followed best practices for secure workload execution

PreviousKubernetes RBAC Labs NextKubernetes Pod Security Admission Labs

Last updated 10 months ago

hashtag🎯 Objective

hashtag🧰 Prerequisites

hashtag🔹 Lab 1: Run a Pod as a Non-Root User

hashtag🔹 Lab 2: Set a Read-Only Root Filesystem

hashtag🔹 Lab 3: Drop Linux Capabilities

hashtag🔹 Lab 4: Disable Privilege Escalation

hashtag🔹 Lab 5: A really Pod Security Context

hashtagKey Security Fields

hashtagStep 1: Define a really Secure Pod Specification

hashtagStep 2: Apply and Verify the Secure Pod

hashtagStep 3: Test File System Protection

hashtag✅ Summary

hashtag🔹 Lab 6: Clean Up

hashtag✅ Wrap-Up

🎯 Objective

🧰 Prerequisites

🔹 Lab 1: Run a Pod as a Non-Root User

🔹 Lab 2: Set a Read-Only Root Filesystem

🔹 Lab 3: Drop Linux Capabilities

🔹 Lab 4: Disable Privilege Escalation

🔹 Lab 5: A really Pod Security Context

Key Security Fields

Step 1: Define a really Secure Pod Specification

Step 2: Apply and Verify the Secure Pod

Step 3: Test File System Protection

✅ Summary

🔹 Lab 6: Clean Up

✅ Wrap-Up