A security context defines privilege and access control settings for a pod or container. Use it to control which Linux kernel parameters are active, which user identity runs your workload, and which Linux capabilities are granted to container processes.
ECI supports security contexts at two levels:
Pod security context — settings apply to all containers and volumes in the instance. Use this to configure sysctl parameters.
Container security context — settings apply only to the specified container. Use this to configure the user identity, capabilities, and privileged mode.
For background on Kubernetes security contexts, see Configure a Security Context for a Pod or Container.
Configure a pod security context
How it works
In Linux, the sysctl interface lets you read and modify runtime kernel parameters. ECI exposes sysctl configuration through two API parameters that map to the Kubernetes safe/unsafe distinction:
`SecurityContext.Sysctl` — for safe sysctls. Safe sysctls are enabled by default and are isolated to the instance, so changes do not affect other workloads on the same node.
`HostSecurityContext.Sysctl` — for unsafe sysctls. Unsafe sysctls require explicit configuration because they can affect node stability or neighboring workloads.
To view the current kernel parameters of an ECI instance, run:
`sysctl -a`

For a reference script, see sysctl.sh.
Modifying sysctl parameters incorrectly can destabilize the operating system. Understand the effect of each parameter before applying changes. For parameter reference, see sysctl(8).
Supported sysctl parameters
Safe sysctls (use SecurityContext.Sysctl):
| Parameter | Notes |
|---|---|
| net.ipv4.ping_group_range | |
| net.ipv4.ip_unprivileged_port_start | |
Unsafe sysctls (use HostSecurityContext.Sysctl):
| Parameter | Notes |
|---|---|
| kernel.shm* | Except kernel.shm_rmid_forced |
| kernel.msg* | |
| kernel.sem | |
| fs.mqueue.* | |
| net.* | Except net.ipv4.ip_local_port_range, net.ipv4.tcp_syncookies, net.ipv4.ping_group_range, and net.ipv4.ip_unprivileged_port_start |
You can also modify vm.min_free_kbytes. We recommend setting this value to no more than 20% of the total instance memory size.
API parameters
Pass these parameters to CreateContainerGroup when creating an ECI instance.
| Parameter | Type | Example | Description |
|---|---|---|---|
| SecurityContext.Sysctl.N.Name | string | net.ipv4.ping_group_range | Name of the safe sysctl to set |
| SecurityContext.Sysctl.N.Value | string | 1 | Value of the safe sysctl |
| HostSecurityContext.Sysctl.N.Name | string | kernel.msgmax | Name of the unsafe sysctl to set |
| HostSecurityContext.Sysctl.N.Value | string | 65536 | Value of the unsafe sysctl |
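The safe/unsafe split above decides which API parameter family a sysctl belongs to, and a request that puts a sysctl in the wrong family, or names one outside the supported set, is rejected. The following helper is an added example (not ECI's own code or SDK): it classifies each requested sysctl against the two tables above, refuses the documented exclusions, applies the 20%-of-memory recommendation for vm.min_free_kbytes, and emits the flattened `SecurityContext.Sysctl.N.*` / `HostSecurityContext.Sysctl.N.*` parameter map for CreateContainerGroup. It assumes the parameter map is then passed to the Alibaba Cloud SDK or CLI by the caller, and it assumes that vm.min_free_kbytes, being listed beside the unsafe table, is sent through HostSecurityContext.

```python
"""Classify sysctls into ECI safe/unsafe CreateContainerGroup parameters.

Added example, not ECI's own code. The sets and patterns below are
transcribed from the documentation tables; sending the request is left
to the caller (Alibaba Cloud SDK or CLI).
"""
from fnmatch import fnmatch

# Safe sysctls: instance-isolated, passed via SecurityContext.Sysctl.
SAFE_SYSCTLS = {
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

# Unsafe sysctl families: node-affecting, passed via HostSecurityContext.Sysctl.
UNSAFE_PATTERNS = ("kernel.shm*", "kernel.msg*", "kernel.sem", "fs.mqueue.*", "net.*")

# Names excluded from the unsafe families by the "Except ..." notes.
# (The two safe net.ipv4 names are handled by SAFE_SYSCTLS first.)
UNSAFE_EXCLUDED = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}

# Allowed with a "no more than 20% of instance memory" recommendation.
# Assumption: it is routed through HostSecurityContext like the unsafe set.
MIN_FREE_KBYTES = "vm.min_free_kbytes"
MIN_FREE_FRACTION = 0.20

PARAM_PREFIX = {
    "safe": "SecurityContext.Sysctl",
    "unsafe": "HostSecurityContext.Sysctl",
}


def classify(name):
    """Return "safe" or "unsafe" for a sysctl name, or raise ValueError."""
    if name in SAFE_SYSCTLS:
        return "safe"
    if name == MIN_FREE_KBYTES:
        return "unsafe"
    if name in UNSAFE_EXCLUDED:
        raise ValueError(f"{name} is explicitly excluded from ECI sysctl support")
    if any(fnmatch(name, pattern) for pattern in UNSAFE_PATTERNS):
        return "unsafe"
    raise ValueError(f"{name} is not a sysctl ECI allows in a security context")


def build_sysctl_params(sysctls, instance_memory_mib):
    """Flatten {name: value} into the 1-based repeat-list API parameters.

    Raises ValueError for unsupported names or an oversized vm.min_free_kbytes.
    """
    params = {}
    counters = {"safe": 0, "unsafe": 0}
    for name, value in sysctls.items():
        kind = classify(name)
        if name == MIN_FREE_KBYTES:
            limit_kb = instance_memory_mib * 1024 * MIN_FREE_FRACTION
            if int(value) > limit_kb:
                raise ValueError(
                    f"{name}={value} exceeds {MIN_FREE_FRACTION:.0%} of "
                    f"{instance_memory_mib} MiB ({int(limit_kb)} kB)"
                )
        counters[kind] += 1
        n = counters[kind]
        params[f"{PARAM_PREFIX[kind]}.{n}.Name"] = name
        params[f"{PARAM_PREFIX[kind]}.{n}.Value"] = str(value)
    return params


if __name__ == "__main__":
    # Constructed sample request: one safe sysctl, two unsafe ones,
    # on a hypothetical 2048 MiB instance.
    wanted = {
        "net.ipv4.ping_group_range": "0 65535",
        "kernel.msgmax": 65536,
        "vm.min_free_kbytes": 65536,
    }
    for key, val in sorted(build_sysctl_params(wanted, 2048).items()):
        print(f"{key} = {val}")
```

Because the classification runs before any API call, a misrouted or unsupported sysctl fails in the caller's own process with a readable message instead of as an opaque CreateContainerGroup error, and the vm.min_free_kbytes check stops a value that could starve the instance of usable memory.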
Configure a container security context
Supported parameters
Pass Container.N.SecurityContext-related parameters to CreateContainerGroup to configure a container-level security context.
| Parameter | Type | Example | Description |
|---|---|---|---|
| Container.N.SecurityContext.RunAsUser | long | 1000 | User ID that runs the container. Overrides the USER instruction in the Dockerfile. |
| Container.N.SecurityContext.RunAsGroup | long | 3000 | Group ID that runs the container. |
| Container.N.SecurityContext.RunAsNonRoot | boolean | true | Whether to run the container as a non-root user. Default: false. |
| Container.N.SecurityContext.Privileged | boolean | true | Whether to run the container in privileged mode. Default: false. Note: This feature is in internal preview; submit a ticket to enable it. |
| Container.N.SecurityContext.Capability.Add.N | array | NET_ADMIN | Linux capabilities to grant to container processes. |
| Container.N.SecurityContext.ReadOnlyRootFilesystem | boolean | true | Whether the container's root file system is read-only. Set to true. |
Supported capabilities
Linux capability constants have the form CAP_XXX in kernel documentation, but the ECI API uses the name without the CAP_ prefix. For example, to grant CAP_NET_ADMIN, set the value to NET_ADMIN.
| Capability | Description |
|---|---|
| AUDIT_WRITE | Write records to the kernel audit log. |
| CHOWN | Make arbitrary changes to file UIDs and GIDs. |
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
| FOWNER | Bypass permission checks for operations that require the file system UID to match the process UID. |
| FSETID | Do not clear set-user-ID and set-group-ID permission bits when a file is modified. |
| KILL | Bypass permission checks for sending signals. |
| MKNOD | Create special files using mknod(2). |
| NET_ADMIN | Perform network-related operations such as configuring interfaces and routing tables. |
| NET_BIND_SERVICE | Bind a socket to a privileged port (port number below 1024). |
| NET_RAW | Use raw and packet sockets. |
| SETFCAP | Set arbitrary capabilities on files. |
| SETGID | Make arbitrary changes to process GIDs and supplementary GID list. |
| SETPCAP | Modify the process capability bounding set. |
| SETUID | Make arbitrary changes to process UIDs. |
| SYS_CHROOT | Use chroot(2). |
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
| SYS_RAWIO | Perform I/O port operations. Note Granting |
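The container-level parameter table and the capability naming rule above (kernel `CAP_XXX`, API `XXX`) are easy to get wrong by hand: a stray `CAP_` prefix, a capability ECI does not support, or a `RunAsNonRoot` that contradicts the requested UID. The helper below is an added example (not ECI's own code or SDK) that builds the flattened `Container.N.SecurityContext.*` parameters for one container, normalizes capability names against the supported list above, and always emits `ReadOnlyRootFilesystem` as true since that value is fixed. The `RunAsNonRoot`/UID 0 consistency check is a local pre-flight rule of this example, not a behaviour the page documents for ECI; the `index` argument and the caller-side submission of the map are assumptions.

```python
"""Build Container.N.SecurityContext.* parameters for CreateContainerGroup.

Added example, not ECI's own code. The supported-capability list is
transcribed from the documentation table; request submission is the
caller's job.
"""

# Capabilities ECI accepts, in API form (no CAP_ prefix).
SUPPORTED_CAPABILITIES = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP",
    "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT", "SYS_PTRACE", "SYS_RAWIO",
}


def normalize_capability(cap):
    """Map a kernel-style or lowercase name (e.g. CAP_NET_ADMIN) to API form.

    Raises ValueError for anything outside the supported list, so an
    unsupported request fails locally rather than at the API.
    """
    name = cap.strip().upper()
    if name.startswith("CAP_"):
        name = name[len("CAP_"):]
    if name not in SUPPORTED_CAPABILITIES:
        raise ValueError(f"capability {cap!r} is not supported by ECI")
    return name


def build_container_security_params(index, run_as_user=None, run_as_group=None,
                                    run_as_non_root=None, privileged=None,
                                    capabilities=()):
    """Return the flattened parameters for container `index` (1-based).

    Only explicitly supplied fields are emitted, so API defaults apply to the rest.
    """
    if run_as_non_root and run_as_user == 0:
        # Local pre-flight check (example rule, not documented ECI behaviour):
        # asking for a non-root run while pinning UID 0 cannot be satisfied.
        raise ValueError("RunAsNonRoot=true conflicts with RunAsUser=0")

    base = f"Container.{index}.SecurityContext"
    params = {}
    if run_as_user is not None:
        params[f"{base}.RunAsUser"] = int(run_as_user)
    if run_as_group is not None:
        params[f"{base}.RunAsGroup"] = int(run_as_group)
    if run_as_non_root is not None:
        params[f"{base}.RunAsNonRoot"] = bool(run_as_non_root)
    if privileged is not None:
        # Privileged mode is in internal preview and needs a ticket to enable.
        params[f"{base}.Privileged"] = bool(privileged)

    # Deduplicate while keeping the caller's order; repeat lists are 1-based.
    seen = []
    for cap in capabilities:
        name = normalize_capability(cap)
        if name not in seen:
            seen.append(name)
    for n, name in enumerate(seen, start=1):
        params[f"{base}.Capability.Add.{n}"] = name

    # Fixed on ECI (see the unsupported-parameters table): always true.
    params[f"{base}.ReadOnlyRootFilesystem"] = True
    return params


if __name__ == "__main__":
    # Constructed sample: a non-root service that needs to bind port 80
    # and adjust routes, expressed with mixed-style capability names.
    sample = build_container_security_params(
        1, run_as_user=1000, run_as_group=3000, run_as_non_root=True,
        capabilities=["CAP_NET_BIND_SERVICE", "net_admin"],
    )
    for key, val in sorted(sample.items()):
        print(f"{key} = {val}")
```

Keeping the supported set and the prefix-stripping in one place means a capability spelled the way a Dockerfile or kernel document spells it is translated consistently, and requests for capabilities ECI does not offer are caught before they reach the API.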
Unsupported parameters
The following parameters are not configurable and use fixed default values:
| Parameter | Default value |
|---|---|
| AllowedProcMountTypes | DefaultProcMount |
| readOnlyRootFilesystem | true |
Init containers
Security contexts are also configurable for init containers, using the same parameters listed above. The following parameters are not supported for init containers:
`SecurityContext.RunAsGroup`
`SecurityContext.RunAsNonRoot`