securityContext in kubernetes

 Security contexts in kubernetes is confusing, partly because it uses the same name and appears both in deployment.spec.template.securitycontext and also deployment.spec.template.containers.securitycontext. 

But you will see below in yaml below. So the securitycontext defined in the container level OVERRIDES the security context in the template level. 

Have a look at the yaml below: you'll noticed that we have 2 securitycontext. 

I have provided the link to the docs so you can have some fun there. 



apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      securityContext:
        # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core
        sysctls:
          - name: kernel.shm_rmid_forced
            value: "0"
          - name: net.core.somaxconn  
            value: "1024"
      containers:
      - name: sec-ctx-demo-2
        image: gcr.io/google-samples/node-hello:1.0
        # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core
        securityContext:
          runAsUser: 2000
          allowPrivilegeEscalation: false
          capabilities:
              add: ["NET_ADMIN", "SYS_TIME"]       
         
     

Notice how the first securitycontext comes about and you'll notice we have sysctls configurations.

 template:
    metadata:
      labels:
        app: nginx
    spec:
      securityContext:
        # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core
        sysctls:
          - name: kernel.shm_rmid_forced
            value: "0"
          - name: net.core.somaxconn  
            value: "1024"

Then we have another sections. Hopefully you will be able to see clearly. 

securityContext:
          runAsUser: 2000
          allowPrivilegeEscalation: false
          capabilities:
              add: ["NET_ADMIN", "SYS_TIME"]
           




Comments

Post a Comment

Popular posts from this blog

The specified initialization vector (IV) does not match the block size for this algorithm

Image
If you're getting  exception when trying to assigned key to a symmetric key and getting error message below :- The specified initialization vector (IV) does not match the block size for this algorithm And your code probably look like something below :- Then you need to go into debug mode and start looking into the supported size for IV as shown in diagram below :- As you can see, IV is 16 bytes, so you need to provide 16 bytes. The same goes for Key field too, if you're adding anything to it. As long as you provide a valid key size, then we're good and you're code will be ready.
Read more