A security context defines access control and privilege settings for a pod or container. Use it to control which Linux capabilities are granted, which user runs the container, and which kernel parameters are tuned—scoped to the pod or to individual containers.
ECI supports two levels of security context:
| Level | Scope | Configurable fields |
|---|---|---|
| Pod security context | All containers and volumes in the pod | sysctls, runAsUser |
| Container security context | The specified container only | runAsUser, runAsGroup, runAsNonRoot, privileged, capabilities |
When both levels configure the same field (such as runAsUser), the container security context takes precedence.
For the Kubernetes security context specification, see Configure a security context for a pod or container.
Configure a pod security context
Supported sysctl parameters
In Linux, the sysctl interface lets you modify runtime kernel parameters. Run the following command to view the kernel parameters of an elastic container instance:
```shell
sysctl -a
```
For a reference script, see sysctl.sh.
ECI supports modifying the following sysctl parameters. These parameters are namespaced—they affect only the container's network or IPC namespace and are generally safe to modify:
- kernel.shm*
- kernel.msg*
- kernel.sem
- fs.mqueue.*
- net.* (except net.ipv4.tcp_syncookies)
- vm.min_free_kbytes
Modifying sysctl parameters incorrectly can destabilize the operating system. Understand the impact of each parameter before applying changes. See sysctl(8) for details.
vm.min_free_kbytes: Set this value to no more than 20% of total memory.
To modify host-level sysctl parameters beyond the list above, submit a ticket. After Alibaba Cloud approves the request, add the following annotation to the pod configuration:
```yaml
k8s.aliyun.com/eci-host-sysctls: '[{"name":"<parameter-name>", "value": "<parameter-value>"}]'
```
Example: configure sysctls
The following YAML modifies net.core.somaxconn and kernel.msgmax using a pod security context. Both parameters belong to the net.* and kernel.msg* supported groups.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
  labels:
    alibabacloud.com/eci: "true"
spec:
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"
  containers:
  - name: busybox
    image: registry.cn-shanghai.aliyuncs.com/eci_open/busybox:1.30
    command: [ "sh", "-c", "sleep 12000" ]
```
Configure a container security context
Supported parameters
The following parameters are supported at the container level:
| Parameter | Description | Default |
|---|---|---|
| runAsUser | The UID of the user that runs the container processes. Overrides the USER instruction in the Dockerfile. | — |
| runAsGroup | The GID of the primary group for container processes. | — |
| runAsNonRoot | When true, the container refuses to start if the image runs as root. | false |
| privileged | When true, the container runs with the same privileges as a host process. In internal preview; submit a ticket to enable. | false |
| capabilities | Linux capabilities to add or drop for container processes. See Linux capabilities. | — |
The following parameters are not configurable and use fixed defaults:
| Parameter | Default | Notes |
|---|---|---|
| allowedProcMountTypes | DefaultProcMount | Cannot be changed |
| readOnlyRootFilesystem | true | Root filesystem is always read-only |
Configurable capabilities
Use capabilities.add to grant the following Linux capabilities to container processes:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FSETID
- FOWNER
- KILL
- MKNOD
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
- SETGID
- SETUID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- SYS_PTRACE
- SYS_RAWIO
SYS_RAWIO cannot be granted through the capabilities list. To use SYS_RAWIO, submit a ticket.
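The rules on this page (the namespaced sysctl groups with the net.ipv4.tcp_syncookies exception, the 20% ceiling on vm.min_free_kbytes, the ticket-gated privileged flag, the fixed readOnlyRootFilesystem, the grantable capability list with SYS_RAWIO excluded, and the container-over-pod runAsUser precedence) can be checked before a manifest is applied. The following Python linter is an added example, not Alibaba Cloud's or ECI's code: the function names, the total_memory_kib parameter (the instance memory the 20% rule is measured against, which the caller is assumed to know), and the two sample manifests are constructed for illustration, and example.invalid/app:1 is a placeholder image.

```python
"""Added example, not Alibaba Cloud code: lint an ECI pod manifest against this page's rules.

Checks pod-level sysctls (namespaced groups only, minus net.ipv4.tcp_syncookies),
the vm.min_free_kbytes 20% ceiling, capabilities.add against the grantable set
(SYS_RAWIO is ticket-only), the ticket-gated privileged flag, the fixed
readOnlyRootFilesystem=true, and the container-over-pod runAsUser precedence.
"""
import fnmatch

# Namespaced sysctl groups ECI allows at the pod level, plus the one exception (from the page).
SAFE_SYSCTL_GLOBS = ("kernel.shm*", "kernel.msg*", "kernel.sem", "fs.mqueue.*", "net.*",
                     "vm.min_free_kbytes")
FORBIDDEN_SYSCTLS = {"net.ipv4.tcp_syncookies"}
MIN_FREE_KBYTES_MAX_FRACTION = 0.20

# Capabilities the page lists as grantable through capabilities.add; SYS_RAWIO needs a ticket.
GRANTABLE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "KILL", "MKNOD",
                  "NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW", "SETGID", "SETUID", "SETFCAP",
                  "SETPCAP", "SYS_CHROOT", "SYS_PTRACE"}
TICKET_ONLY_CAPS = {"SYS_RAWIO"}


def sysctl_is_supported(name):
    """True if name falls in a supported namespaced group and is not the tcp_syncookies exception."""
    if name in FORBIDDEN_SYSCTLS:
        return False
    return any(fnmatch.fnmatchcase(name, glob) for glob in SAFE_SYSCTL_GLOBS)


def effective_run_as_user(pod_sc, container_sc):
    """The container security context wins over the pod security context for the same field."""
    return container_sc["runAsUser"] if "runAsUser" in container_sc else pod_sc.get("runAsUser")


def check_pod(pod, total_memory_kib=None):
    """Return a list of findings; empty means the manifest satisfies the rules above.

    total_memory_kib (assumption: supplied by the caller from the instance size) feeds
    the 20% ceiling for vm.min_free_kbytes; that check is skipped when it is None.
    """
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    for entry in pod_sc.get("sysctls") or []:
        name, value = entry.get("name", ""), str(entry.get("value", ""))
        if not sysctl_is_supported(name):
            findings.append(f"sysctl {name}: not in ECI's supported namespaced set")
        elif name == "vm.min_free_kbytes" and total_memory_kib is not None:
            ceiling = int(total_memory_kib * MIN_FREE_KBYTES_MAX_FRACTION)
            if not value.isdigit() or int(value) > ceiling:
                findings.append(f"sysctl {name}={value}: must be an integer no greater than "
                                f"{ceiling} KiB (20% of memory)")

    for ctr in spec.get("containers") or []:
        cname = ctr.get("name", "?")
        sc = ctr.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {cname}: privileged=true is internal preview; submit a ticket")
        if sc.get("readOnlyRootFilesystem") is False:
            findings.append(f"container {cname}: readOnlyRootFilesystem is fixed to true on ECI")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            cap = cap.upper()
            cap = cap[4:] if cap.startswith("CAP_") else cap  # accept CAP_-prefixed spellings too
            if cap in TICKET_ONLY_CAPS:
                findings.append(f"container {cname}: {cap} cannot be added via capabilities.add; submit a ticket")
            elif cap not in GRANTABLE_CAPS:
                findings.append(f"container {cname}: capability {cap} is not grantable on ECI")
        if sc.get("runAsNonRoot") and effective_run_as_user(pod_sc, sc) == 0:
            findings.append(f"container {cname}: runAsNonRoot=true conflicts with effective runAsUser=0")
    return findings


# Constructed manifests: GOOD_POD mirrors the page's sysctl-example; BAD_POD trips every rule.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "sysctl-example", "labels": {"alibabacloud.com/eci": "true"}},
            "spec": {"securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"},
                                                     {"name": "kernel.msgmax", "value": "65536"}]},
                     "containers": [{"name": "busybox",
                                     "image": "registry.cn-shanghai.aliyuncs.com/eci_open/busybox:1.30",
                                     "command": ["sh", "-c", "sleep 12000"]}]}}
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad-example"},
           "spec": {"securityContext": {"runAsUser": 0,
                                        "sysctls": [{"name": "net.ipv4.tcp_syncookies", "value": "0"},
                                                    {"name": "kernel.panic", "value": "10"},
                                                    {"name": "vm.min_free_kbytes", "value": "524288"}]},
                    "containers": [{"name": "app", "image": "example.invalid/app:1",  # placeholder image
                                    "securityContext": {"runAsNonRoot": True, "privileged": True,
                                                        "readOnlyRootFilesystem": False,
                                                        "capabilities": {"add": ["SYS_RAWIO", "SYS_ADMIN",
                                                                                 "NET_ADMIN"]}}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):  # 1 GiB of instance memory assumed for the 20% rule
        print(pod["metadata"]["name"], check_pod(pod, total_memory_kib=1024 * 1024) or ["OK"])
```

Run with python3 to see the findings for each sample; for a real manifest, pass the dict that yaml.safe_load returns and the memory of the ECI instance type in KiB. The checker only flags what this page states as unsupported or ticket-gated; it does not try to judge whether a given capability is wise for the workload.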
Example: add NET_ADMIN
By default, containers do not have the NET_ADMIN capability. Network configuration operations—such as modifying routing tables or interface settings—fail with a permission error.
Add NET_ADMIN to the container security context:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: net-admin-example
  labels:
    alibabacloud.com/eci: "true"
spec:
  containers:
  - name: busybox
    image: registry.cn-shanghai.aliyuncs.com/eci_open/busybox:1.30
    command: ["sh", "-c", "sleep 12000"]
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
```
After re-creating the pod, network-related operations can be performed in the container.
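To confirm that the added capability is really in the container's effective set, read /proc/1/status inside the container (for example via kubectl exec) and decode the CapEff mask. The following Python decoder is an added example, not Alibaba Cloud's code: the bit-to-name table is taken from the Linux UAPI capability.h header, the two status excerpts are constructed (0xa80425fb is the mask of the 14-capability default set that container runtimes commonly grant; the second excerpt adds bit 12, NET_ADMIN), and the function names are mine.

```python
"""Added example, not Alibaba Cloud code: confirm which capabilities a container actually holds.

Inside the container, /proc/1/status carries the capability masks as hex (CapEff is the
effective set). This decodes such a mask and reports which requested capabilities are missing.
"""

# Capability bit numbers from the Linux UAPI header include/uapi/linux/capability.h
# (kernel constants; not something the page lists).
CAP_BITS = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 2: "DAC_READ_SEARCH", 3: "FOWNER", 4: "FSETID", 5: "KILL",
    6: "SETGID", 7: "SETUID", 8: "SETPCAP", 9: "LINUX_IMMUTABLE", 10: "NET_BIND_SERVICE",
    11: "NET_BROADCAST", 12: "NET_ADMIN", 13: "NET_RAW", 14: "IPC_LOCK", 15: "IPC_OWNER",
    16: "SYS_MODULE", 17: "SYS_RAWIO", 18: "SYS_CHROOT", 19: "SYS_PTRACE", 20: "SYS_PACCT",
    21: "SYS_ADMIN", 22: "SYS_BOOT", 23: "SYS_NICE", 24: "SYS_RESOURCE", 25: "SYS_TIME",
    26: "SYS_TTY_CONFIG", 27: "MKNOD", 28: "LEASE", 29: "AUDIT_WRITE", 30: "AUDIT_CONTROL",
    31: "SETFCAP", 32: "MAC_OVERRIDE", 33: "MAC_ADMIN", 34: "SYSLOG", 35: "WAKE_ALARM",
    36: "BLOCK_SUSPEND", 37: "AUDIT_READ", 38: "PERFMON", 39: "BPF", 40: "CHECKPOINT_RESTORE",
}


def decode_cap_mask(hex_mask):
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in CAP_BITS.items() if (mask >> bit) & 1}


def parse_proc_status_caps(status_text):
    """Decode every Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb) from status output."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = decode_cap_mask(value.strip())
    return caps


def missing_effective_caps(status_text, wanted):
    """Return the names in `wanted` (with or without a CAP_ prefix) that are absent from CapEff."""
    effective = parse_proc_status_caps(status_text).get("CapEff", set())
    normalized = {c.upper()[4:] if c.upper().startswith("CAP_") else c.upper() for c in wanted}
    return normalized - effective


# Constructed /proc/1/status excerpts. 0xa80425fb is the mask of the usual 14-capability
# default set that container runtimes grant; the second excerpt has bit 12 (NET_ADMIN) added,
# which is what the manifest above requests.
STATUS_BEFORE = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
STATUS_AFTER = STATUS_BEFORE.replace("a80425fb", "a80435fb")

if __name__ == "__main__":
    for label, text in (("before", STATUS_BEFORE), ("after", STATUS_AFTER)):
        print(label, "missing:", sorted(missing_effective_caps(text, ["NET_ADMIN"])) or "none")
        print(label, "CapEff:", sorted(parse_proc_status_caps(text)["CapEff"]))
```

Checking CapEff rather than CapBnd matters: a capability can be in the bounding set yet dropped from the effective set, and the network operations the page mentions only succeed when it is effective. The same decoder applied to CapBnd shows what the container could at most regain via file capabilities.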