Configure a security context - Elastic Container Instance

This topic describes how to configure a security context and define permissions and access control settings for a pod or container.

Background information

Security contexts are used to define permissions and access control settings for pods or containers. Security context settings include Discretionary Access Control, SELinux, and Linux Capabilities. For more information, see Configure a Security Context for a Pod or Container.

Kubernetes provides two methods to configure security contexts:

Pod Security Context
Configure a security context for a pod. The configured security context applies to all the containers and volumes in the pod.
Elastic Container Instance allows you to modify the sysctl and runAsUse parameters when you configure a security context for a pod.
Container Security Context
Configure a security context for a container. The configured security context applies to the container.
Elastic Container Instance allows you to modify the sysctl and runAsUse parameters when you configure a security context for a container.

Note

Kubernetes uses pod security policies to verify and restrict the security contexts of pods. If the security context of a pod to be created does not meet the constraints of the specified pod security policy, the pod cannot be created. For more information, see Pod Security Policies.

If you use Container Service for Kubernetes (ACK) or Serverless Kubernetes (ASK), a pod security policy named ack.privileged is used by default. For more information, see Use pod security policies.

Configure a security context for a pod

In Linux, you can modify runtime kernel parameters by using the sysctl interface. You can view the kernel parameters of an elastic container instance by running the following command. For more information, see sysctl.sh.

sysctl -a

You can modify the sysctl and runAsUse parameters when you configure a security context for a pod.

The following sysctl parameters can be modified in Elastic Container Instance:

kernel.shm * (except for kernel.shm_rmid_forced)
kernel.msg*
kernel.sem
fs.mqueue.*
net.* (except for net.ipv4.ip_local_port_range and net.ipv4.tcp_syncookies)

Warning

To avoid instability in the operating system, you must fully understand the impacts of sysctl parameter modifications before you proceed.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
    - name: kernel.msgmax
      value: "65536"
  containers:
  - name: busybox
    image: busybox
    command: [ "sh", "-c", "sleep 12000" ]

Configure a security context for a container

You can configure a security context for a specified container.

Note

You must specify some parameters such as runAsUse regardless of whether you configure a security context for a pod or for a container. The parameter settings in the security context of a container override those in the security context of the pod to which the container belongs to take effect on the pod.

The following table describes the parameters supported by Elastic Container Instance.

Parameter	Description
runAsUse	The ID of the user that runs the container. The parameter settings override the USER command in the Dockerfile.
capabilities	The permissions that are granted to processes in the container. For more information, see Linux capabilities. You can configure the following permissions: AUDIT_WRITE CHOWN DAC_OVERRIDE FSETID FOWNER KILL MKNOD NET_ADMIN NET_BIND_SERVICE NET_RAW SETGID SETUID SETFCAP SETPCAP SYS_CHROOT SYS_PTRACE SYS_RAWIO Note You cannot grant SYS_RAWIO to processes by yourself. To use SYS_RAWIO, submit a ticket.

Parameter

Description

runAsUse

The ID of the user that runs the container. The parameter settings override the USER command in the Dockerfile.

capabilities

The permissions that are granted to processes in the container. For more information, see Linux capabilities.

You can configure the following permissions:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FSETID
FOWNER
KILL
MKNOD
NET_ADMIN
NET_BIND_SERVICE
NET_RAW
SETGID
SETUID
SETFCAP
SETPCAP
SYS_CHROOT
SYS_PTRACE
SYS_RAWIO

Note

You cannot grant SYS_RAWIO to processes by yourself. To use SYS_RAWIO, submit a ticket.

The following table describes some parameters that are not supported and the default values of the parameters.

Parameter	Description
privileged	Specifies whether to run the container in privileged mode. Default value: false.
AllowedProcMountTypes	The allowed proc mount types for the container. Default value: DefaultProcMount.
readOnlyRootFilesystem	Species whether the root file system that the container runs is read-only. Default value: true.

Sample code:

By default, containers do not have the NET_ADMIN permission. If network-related operations are performed in a container, an error message is returned. SecurityContext1

You can configure the security context for the container and modify the capabilities parameter to add the NET_ADMIN permission. The following sample code provides an example on how to add the NET_ADMIN permission by modifying the capabilities parameter.

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "sleep 12000"]
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]

After the permission is added, network-related operations can be performed in the container. SecurityContext2