How to Use Security Context in Kubernetes for Pod and Container Security
In Kubernetes, use securityContext in pod or container specs to set security options such as user IDs, privilege levels, and Linux capabilities. This controls permissions and improves security by restricting what containers can do.
Syntax
The securityContext field can be set at the pod level or the container level in a Kubernetes manifest. It defines security settings such as user ID, group ID, privilege, and capabilities. A field set at the container level overrides the same field at the pod level; pod-level values apply to every container that does not override them.
Key fields include:
- runAsUser: the user ID the container process runs as.
- runAsGroup: the primary group ID of the container process.
- privileged: boolean that enables privileged mode.
- capabilities: Linux capabilities to add or drop.
- readOnlyRootFilesystem: mount the container's root filesystem read-only.
- fsGroup (pod level): group applied to shared volumes to control their file permissions.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: example-container
    image: busybox
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```
Example
This example shows a pod running a container as user ID 1000 with a read-only root filesystem and no extra Linux capabilities. It demonstrates how to restrict container privileges for better security.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: secure-container
    image: busybox
    command: ["sleep", "3600"]
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```
Output
pod/secure-pod created
Common Pitfalls
Common mistakes when using securityContext include:
- Setting privileged: true unnecessarily, which grants too many permissions.
- Not dropping Linux capabilities, leaving containers with more privileges than needed.
- Forgetting to set runAsUser, causing containers to run as root by default.
- Mixing pod-level and container-level securityContext without understanding precedence.
Always test your security settings to ensure containers have only the permissions they need.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: busybox
    securityContext:
      privileged: true   # Avoid unless absolutely necessary
      capabilities:
        add:
        - ALL            # Adds all capabilities, risky
---
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: busybox
    securityContext:
      privileged: false
      capabilities:
        drop:
        - ALL            # Drops all extra capabilities for safety
```
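As an added example (not code from the original page), the following Python audit applies the pitfall checks above to already-parsed manifests and resolves pod/container precedence the way Kubernetes does, with the container-level field winning. The function names and the two sample manifests are constructed for this illustration; the samples mirror the insecure-pod above and the secure-pod of the Example section.

```python
# Added example, not part of the original page: audit pod manifests for the
# securityContext pitfalls listed above. Manifests are already-parsed dicts
# (e.g. the output of json.load or yaml.safe_load), so this runs offline.

def effective_context(pod_spec, container):
    """Resolve precedence: a container-level securityContext field overrides
    the same pod-level field; pod-level values apply where the container
    sets nothing."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged

def audit_pod(manifest):
    """Return (container name, finding) pairs; an empty list means clean."""
    findings = []
    spec = manifest["spec"]
    for c in spec["containers"]:
        ctx = effective_context(spec, c)
        caps = ctx.get("capabilities") or {}
        if ctx.get("privileged") is True:
            findings.append((c["name"], "privileged: true"))
        if "ALL" in (caps.get("add") or []):
            findings.append((c["name"], "capabilities.add contains ALL"))
        if "ALL" not in (caps.get("drop") or []):
            findings.append((c["name"], "capabilities.drop lacks ALL"))
        if not ctx.get("runAsUser"):  # unset or 0 means root by default
            findings.append((c["name"], "runAsUser unset or 0 (root)"))
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "readOnlyRootFilesystem not true"))
    return findings

# Constructed samples mirroring the page's insecure-pod and the Example
# section's secure-pod (pod-level user/group, container drops ALL).
INSECURE_POD = {"spec": {"containers": [{"name": "insecure-container",
    "securityContext": {"privileged": True,
                        "capabilities": {"add": ["ALL"]}}}]}}
SECURE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
    "containers": [{"name": "secure-container",
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (INSECURE_POD, SECURE_POD):
        print(audit_pod(pod) or "no findings")
```

Note that the secure-pod shown in the Common Pitfalls block sets no runAsUser at either level, so the same audit would flag it as potentially running as root.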
Quick Reference
Summary tips for using securityContext:
- Use runAsUser and runAsGroup to avoid running as root.
- Set privileged: false unless privileged access is needed.
- Drop unnecessary Linux capabilities with capabilities.drop.
- Use readOnlyRootFilesystem: true to prevent file changes.
- Set fsGroup to control file permissions for shared volumes.
Key Takeaways
Use securityContext to control user IDs and privileges for pods and containers.
Avoid running containers as root by setting runAsUser and runAsGroup.
Drop unnecessary Linux capabilities to reduce attack surface.
Set readOnlyRootFilesystem to true for safer container filesystems.
Test securityContext settings to ensure they enforce the intended restrictions.