Exploring Kubernetes SecurityContext Configurations

The securityContext field in Kubernetes Pod and Container specifications is a powerful tool for defining security settings at the pod or individual container level. This field manages access permissions and controls security-sensitive aspects of the container runtime environment. Below, we break down some specific configurations within securityContext, explain their usage, and discuss the security outcomes they achieve.

1. Disallowing Privilege Escalation

Configuration:

securityContext:
  allowPrivilegeEscalation: false

Explanation:

  • allowPrivilegeEscalation: false prevents the container from gaining more privileges than its parent process. This setting is crucial for blocking attack vectors that could exploit set-user-ID (SUID) or set-group-ID (SGID) binaries to escalate privileges.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: no-escalation-pod
spec:
  containers:
  - name: non-escalating-container
    image: alpine
    command: ["sh", "-c", "do something"]
    securityContext:
      allowPrivilegeEscalation: false

Security Impact:

  • Prevents the exploitation of certain vulnerabilities within the container, significantly reducing the risk of malicious code gaining root-level privileges on the host or cluster.

2. Enforcing Containers to Run as Non-Root

Configuration:

securityContext:
  runAsNonRoot: true

Explanation:

  • runAsNonRoot: true ensures that the container must run as a non-root user. If the container image specifies a user, or if a user is not specified but the image contains a user, Kubernetes will validate that the user is not UID 0 (root) and fail to start the container if it is.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: nonroot-pod
spec:
  containers:
  - name: nonroot-container
    image: nginx
    securityContext:
      runAsNonRoot: true

Security Impact:

  • Reduces the potential damage and scope of access if the container is compromised, as non-root users have limited permissions compared to root users.

3. Managing Capabilities

Configuration:

securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE

Explanation:

  • Capabilities are a set of privileges that can be assigned to processes, allowing finer-grained control than the root/non-root user dichotomy. drop: ALL removes all default capabilities given to a container. add: NET_BIND_SERVICE allows the container to bind to well-known ports (ports below 1024), which are typically reserved for system processes.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: custom-capabilities-pod
spec:
  containers:
  - name: custom-cap-pod
    image: nginx
    securityContext:
      capabilities:
        drop:
          - ALL
        add:
          - NET_BIND_SERVICE

Security Impact:

  • Minimizes the attack surface by removing unnecessary capabilities while only granting the specific capabilities needed for the application to function.

4. Applying SELinux Options

Configuration:

securityContext:
  seLinuxOptions:
    level: "s0:c123,c456"

Explanation:

  • Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. The level setting specifies the SELinux level for the container. The label format s0:c123,c456 is part of the Multi-Level Security (MLS) policy, where s0 is the sensitivity level and c123,c456 are the category labels.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: selinux-pod
spec:
  containers:
  - name: selinux-container
    image: fedora
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c456"

Security Impact:

  • Enhances the security of the container by enforcing mandatory access controls around resource operations based on SELinux policies, further isolating container processes and mitigating the risk of unauthorized access or privilege escalation.

5. Enabling Privileged Mode

Configuration:

securityContext:
  privileged: true

Explanation:

  • privileged: true grants all capabilities to the container, effectively disabling all security restrictions that are imposed by the container runtime. This is equivalent to running a process as root on the host.

Practice Example:



apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
  - name: privileged-container
    image: ubuntu
    securityContext:
      privileged: true

Security Impact:

  • While this setting provides extensive access and control, it introduces significant security risks by allowing the container to access host resources directly. It should be used sparingly and only when absolutely necessary, such as for managing the host system itself or for containers that need to manage other containers.

6. Disabling Proc Mount Default

Configuration:

securityContext:
  procMount: Default

Explanation:

  • The procMount option controls how the /proc filesystem is mounted in the container. Default uses the container runtime's default settings, which typically mask certain paths to protect against security exposures.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: secure-proc-pod
spec:
  containers:
  - name: secure-proc-container
    image: nginx
    securityContext:
      procMount: Default

Security Impact:

  • Ensures that potentially sensitive /proc entries are not accessible to the container processes, reducing the risk of information disclosure that could be used in attacks.

Additional Resource:

7. Configuring ReadOnlyRootFilesystem

Configuration:

securityContext:
  readOnlyRootFilesystem: true

Explanation:

  • readOnlyRootFilesystem: true makes the root filesystem of the container read-only, preventing any writes to the root filesystem and forcing any write operations to be done to mounted volumes that are explicitly declared writable.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: read-only-fs-pod
spec:
  containers:
  - name: read-only-fs-container
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true
      volumes:
      - name: cache-volume
        emptyDir: {}
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
          readOnly: false

Security Impact:

  • Significantly enhances security by preventing malicious binaries from being written to the filesystem or unexpected changes from being made to system files.

Additional Resource:

8. Enforcing Seccomp Profiles

Configuration:

securityContext:
  seccompProfile:
    type: RuntimeDefault

Explanation:

  • Seccomp (Secure Computing Mode) restricts the system calls that can be made by a process. RuntimeDefault applies the default container runtime profile, which denies system calls that are typically unnecessary and potentially dangerous.

Practice Example:

apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  containers:
  - name: seccomp-container
    image: nginx
    securityContext:
      seccompProfile:
        type: RuntimeDefault

Security Impact:

  • Reduces the risk of exploits by limiting the kernel surface that containers can interact with, preventing many types of kernel-level vulnerabilities from being exploited.

Additional Resource: