Using securityContext, we can define access control settings for a Pod or a container.
We can define:
a. Permissions to access an object.
b. Security labels (Security Enhanced Linux).
c. Whether the container runs as a privileged or unprivileged user.
d. Whether privilege escalation is allowed, i.e. whether a process can gain more privileges than its parent process.
securityContextPod.yml

apiVersion: v1
kind: Pod
metadata:
  name: employee-service
  labels:
    app: employee-service
    author: krishna
    serviceType: webservice
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: employee-service-container
    image: jboss/wildfly
As you can see in the Pod definition, I set securityContext as below.

securityContext:
  runAsNonRoot: true

The above statement makes sure that this Pod runs as a non-root user.
Let's create a Pod using the above definition file.

$kubectl create -f securityContextPod.yml
pod/employee-service created
Query the Pods.

$kubectl get pods
NAME               READY   STATUS                       RESTARTS   AGE
employee-service   0/1     CreateContainerConfigError   0          18s
As you can see in the output, there is an error while initializing the Pod.
Let's see what happened via the 'kubectl describe' command.
$kubectl describe pod employee-service
Name:         employee-service
Namespace:    default
Priority:     0
Node:         minikube/192.168.99.100
Start Time:   Sun, 07 Jun 2020 09:45:10 +0530
Labels:       app=employee-service
              author=krishna
              serviceType=webservice
Annotations:  <none>
Status:       Pending
IP:           172.17.0.6
IPs:
  IP:  172.17.0.6
Containers:
  employee-service-container:
    Container ID:
    Image:          jboss/wildfly
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-w7rp7 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  default-token-w7rp7:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-w7rp7
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  <unknown>          default-scheduler  Successfully assigned default/employee-service to minikube
  Normal   Pulling    6s (x6 over 85s)   kubelet, minikube  Pulling image "jboss/wildfly"
  Normal   Pulled     2s (x6 over 81s)   kubelet, minikube  Successfully pulled image "jboss/wildfly"
  Warning  Failed     2s (x6 over 81s)   kubelet, minikube  Error: container has runAsNonRoot and image has non-numeric user (jboss), cannot verify user is non-root
At the end of the output, you can see the error below.

kubelet, minikube  Error: container has runAsNonRoot and image has non-numeric user (jboss), cannot verify user is non-root

The jboss/wildfly image declares its user by name (jboss) rather than by a numeric UID, so the kubelet cannot prove that the user is non-root and refuses to start the container.
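To make the failure above reproducible without a cluster, here is an added example (not code from the original post and not Kubernetes' own source) that models the non-root decision the kubelet makes before starting a container: container-level securityContext fields override pod-level ones, an explicit numeric runAsUser is trusted directly, and otherwise the image's USER must be a numeric UID for the check to pass. The first scenario mirrors the post (runAsNonRoot at pod level, image user "jboss"); the UID 1000 in the fixed scenario and the other image users are constructed values, and the refusal messages other than the one quoted on the page are paraphrases rather than quoted kubelet output.

```python
"""Model of the runAsNonRoot check a kubelet applies before starting a container.

Added example, not code from the original post or from Kubernetes itself.
All pod specs and image USER values below are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SecurityContext:
    """The two securityContext fields relevant to the non-root policy."""
    run_as_non_root: Optional[bool] = None
    run_as_user: Optional[int] = None


def effective_context(pod: SecurityContext, container: SecurityContext) -> SecurityContext:
    """Container-level fields override pod-level ones, field by field."""
    return SecurityContext(
        run_as_non_root=(container.run_as_non_root
                         if container.run_as_non_root is not None
                         else pod.run_as_non_root),
        run_as_user=(container.run_as_user
                     if container.run_as_user is not None
                     else pod.run_as_user),
    )


def verify_run_as_non_root(pod: SecurityContext, container: SecurityContext,
                           image_user: str) -> Optional[str]:
    """Return None if the container may start, else the reason it is refused.

    image_user is the USER the image was built with, e.g. "jboss", "1000",
    "1000:1000" or "" (no USER instruction, which means root).
    """
    ctx = effective_context(pod, container)
    if not ctx.run_as_non_root:
        return None  # policy not requested: nothing to verify
    if ctx.run_as_user is not None:
        # An explicit numeric UID in the manifest wins over the image's USER.
        if ctx.run_as_user == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    # No UID in the manifest: fall back to the image's USER. Only the user part
    # of "user:group" matters, and it must be numeric: a name cannot be resolved
    # to a UID without reading the image's /etc/passwd, so it cannot be proven non-root.
    user = image_user.split(":", 1)[0]
    if user == "":
        return "container has runAsNonRoot and image will run as root"
    try:
        uid = int(user)
    except ValueError:
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({user}), cannot verify user is non-root")
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    return None


def scenarios() -> Dict[str, Optional[str]]:
    """Constructed scenarios; the first reproduces the post's manifest and image."""
    post_pod = SecurityContext(run_as_non_root=True)
    no_ctx = SecurityContext()
    return {
        "post_manifest": verify_run_as_non_root(post_pod, no_ctx, "jboss"),
        # Fix: pin a numeric UID in the manifest. 1000 is a constructed value;
        # use the UID the image's named user actually maps to.
        "fixed_with_runAsUser": verify_run_as_non_root(
            post_pod, SecurityContext(run_as_user=1000), "jboss"),
        "image_numeric_user": verify_run_as_non_root(post_pod, no_ctx, "1000:1000"),
        "image_root": verify_run_as_non_root(post_pod, no_ctx, "0"),
        "image_no_user": verify_run_as_non_root(post_pod, no_ctx, ""),
        "runAsUser_zero": verify_run_as_non_root(
            post_pod, SecurityContext(run_as_user=0), "1000"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} -> {'OK' if verdict is None else verdict}")
```

The practical takeaway is the "fixed_with_runAsUser" case: keeping runAsNonRoot: true and adding a numeric runAsUser (either at pod level or on the container) lets the kubelet verify the policy without having to trust the image's named USER.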