
Configure a security context

Last Updated: Apr 20, 2021

This topic describes how to configure a security context and define permissions and access control settings for a pod or container.

Background information

Security contexts are used to define permissions and access control settings for pods or containers. Security context settings include Discretionary Access Control, SELinux, and Linux Capabilities. For more information, see Configure a Security Context for a Pod or Container.

Kubernetes provides two methods to configure security contexts:

  • Pod Security Context

    Configure a security context for a pod. The configured security context applies to all the containers and volumes in the pod.

    Elastic Container Instance allows you to modify the sysctl and runAsUser parameters when you configure a security context for a pod.

  • Container Security Context

    Configure a security context for a container. The configured security context applies to the container.

    Elastic Container Instance allows you to modify the sysctl and runAsUser parameters when you configure a security context for a container.

Note

Kubernetes uses pod security policies to verify and restrict the security contexts of pods. If the security context of a pod to be created does not meet the constraints of the specified pod security policy, the pod cannot be created. For more information, see Pod Security Policies.

If you use Container Service for Kubernetes (ACK) or Serverless Kubernetes (ASK), a pod security policy named ack.privileged is used by default. For more information, see Use pod security policies.

Configure a security context for a pod

In Linux, you can modify runtime kernel parameters by using the sysctl interface. You can view the kernel parameters of an elastic container instance by using the following command. For more information, see sysctl.sh.

sysctl -a

You can modify the sysctl and runAsUser parameters when you configure a security context for a pod.

The following sysctl parameters can be modified in Elastic Container Instance:

  • kernel.shm* (except kernel.shm_rmid_forced)

  • kernel.msg*

  • kernel.sem

  • fs.mqueue.*

  • net.* (except net.ipv4.ip_local_port_range and net.ipv4.tcp_syncookies)

Warning

To avoid instability in the operating system, you must fully understand the impacts of sysctl parameter modifications before you proceed.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"
  containers:
  - name: busybox
    image: busybox
    command: [ "sh", "-c", "sleep 12000" ]

Configure a security context for a container

You can configure a security context for a specified container.

Note

Some parameters, such as runAsUser, can be set in both the security context of a pod and the security context of a container. When both are set, the settings in the security context of a container override those in the security context of the pod to which the container belongs, and take effect on that container.

The following parameters are supported by Elastic Container Instance:

  • runAsUser

    The ID of the user that runs the container. This setting overrides the USER instruction in the Dockerfile.

  • capabilities

    The permissions granted to processes in the container. For more information, see Linux capabilities.

    Only the NET_ADMIN and NET_RAW capabilities can be added. By default, NET_RAW is not supported. To use it, submit a ticket.

The following parameters are not supported; their default values are listed:

  • privileged

    Specifies whether to run the container in privileged mode. Default value: false.

  • AllowedProcMountTypes

    The allowed proc mount types for the container. Default value: DefaultProcMount.

  • readOnlyRootFilesystem

    Specifies whether the root file system of the container is read-only. Default value: true.

Example:

By default, containers do not have the NET_ADMIN permission. If network-related operations that require it are performed in a container, an error message is returned.

You can configure the security context for the container and modify the capabilities parameter to add the NET_ADMIN permission. The following sample code provides an example on how to add the NET_ADMIN permission by modifying the capabilities parameter in the YAML file:

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "sleep 12000"]
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]

After the permission is added, network-related operations can be performed in the container.
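The following Python script is an added example, not part of this topic or of Elastic Container Instance itself. It checks a pod manifest (loaded as a dictionary) against the rules stated above before deployment: the modifiable sysctl list and its exceptions, the NET_ADMIN/NET_RAW capability restriction, the unsupported privileged and readOnlyRootFilesystem values, and the container-over-pod precedence of runAsUser. The two sample manifests are constructed for illustration.

```python
import fnmatch

# Sysctl rules as listed in this topic: allowed patterns, then explicit exceptions.
ALLOWED_SYSCTL_PATTERNS = ("kernel.shm*", "kernel.msg*", "kernel.sem", "fs.mqueue.*", "net.*")
DENIED_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies"}
# Only these capabilities can be added (NET_RAW additionally requires a ticket).
SUPPORTED_CAPABILITIES = {"NET_ADMIN", "NET_RAW"}
# Unsupported container fields and the only value they may keep (their defaults on this page).
UNSUPPORTED_FIELDS = {"privileged": False, "readOnlyRootFilesystem": True}

def sysctl_allowed(name):
    """True if the sysctl can be modified in Elastic Container Instance per this topic."""
    if name in DENIED_SYSCTLS:
        return False
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in ALLOWED_SYSCTL_PATTERNS)

def effective_run_as_user(pod_ctx, container_ctx):
    """The container-level runAsUser overrides the pod-level one for that container."""
    return container_ctx.get("runAsUser", pod_ctx.get("runAsUser"))

def validate_pod(manifest):
    """Return a list of findings; an empty list means the manifest satisfies the rules above."""
    findings = []
    spec = manifest.get("spec", {})
    for sysctl in spec.get("securityContext", {}).get("sysctls", []):
        if not sysctl_allowed(sysctl["name"]):
            findings.append(f"pod: sysctl {sysctl['name']} cannot be modified")
    for container in spec.get("containers", []):
        ctx = container.get("securityContext", {})
        for cap in ctx.get("capabilities", {}).get("add", []):
            if cap not in SUPPORTED_CAPABILITIES:
                findings.append(f"{container['name']}: capability {cap} is not supported")
        for field, only_value in UNSUPPORTED_FIELDS.items():
            if field in ctx and ctx[field] != only_value:
                findings.append(f"{container['name']}: {field} must remain {only_value}")
    return findings

# Constructed sample: the topic's sysctl example, a pod-level user and a container override.
SAMPLE_OK = {"spec": {
    "securityContext": {"runAsUser": 1000, "sysctls": [
        {"name": "net.core.somaxconn", "value": "1024"}, {"name": "kernel.msgmax", "value": "65536"}]},
    "containers": [{"name": "busybox", "securityContext": {
        "runAsUser": 2000, "capabilities": {"add": ["NET_ADMIN"]}}}]}}
# Constructed sample that breaks three rules: a denied sysctl, an unsupported capability, privileged.
SAMPLE_BAD = {"spec": {
    "securityContext": {"sysctls": [{"name": "net.ipv4.tcp_syncookies", "value": "0"}]},
    "containers": [{"name": "app", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

if __name__ == "__main__":
    for label, manifest in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_pod(manifest) or "no findings")
```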