Kubernetes security context

Kubernetes security context refers to the configuration settings that govern the security permissions and constraints applied to Pods and Containers within a cluster^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]. These settings are defined via SecurityContext fields, allowing operators to control the execution environment and privilege levels of workloads^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md].

Configuration Levels

Security settings can be applied at two distinct levels: the Pod level and the Container level^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md].

  • Pod SecurityContext: Settings applied to all containers within a specific Pod.
  • Container SecurityContext: Settings applied to an individual container. If both are defined, the container-level settings take precedence where applicable^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md].

In Helm chart configurations, these are often exposed as distinct parameters. For example, the Kubernetes Dashboard chart distinguishes between the generic securityContext (for the Pod) and containerSecurityContext (for the Dashboard container)^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md].

Key Security Settings

Security contexts allow for the hardening of containers by restricting privileges and access to the host system. Common configurations include:

  • Privilege Escalation: Controls whether a process can gain more privileges than its parent process^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]. A common best practice is to set allowPrivilegeEscalation to false.
  • Filesystem Access: Controls whether the container's root filesystem is mounted read-only^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]. Setting readOnlyRootFilesystem to true prevents applications from writing to protected system directories, though they can still write to mounted volumes.
  • User and Group IDs: Specifies the User ID (runAsUser) and Group ID (runAsGroup) under which the container process runs^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]. This allows the container to run as a non-root user even if the image defaults to root.
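
The precedence rule and the three settings above can be checked mechanically. The following is an added example, not code from the Helm chart or the Kubernetes project: it resolves each container's effective security context from a Pod spec and reports the gaps. The Pod spec, container names and images are constructed, the helper names are hypothetical, and only the containers list is inspected.

```python
# Added example: resolve each container's effective securityContext and flag gaps.
# Fields valid at both Pod and Container level; the container value wins.
SHARED = ("runAsUser", "runAsGroup", "runAsNonRoot")
# Fields that exist only in the container-level SecurityContext.
CONTAINER_ONLY = ("allowPrivilegeEscalation", "readOnlyRootFilesystem")


def effective_context(pod_spec, container):
    """Merge Pod-level and container-level settings for one container."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    eff = {k: ctr_sc.get(k, pod_sc.get(k)) for k in SHARED}
    eff.update({k: ctr_sc.get(k) for k in CONTAINER_ONLY})
    return eff


def audit(pod_spec):
    """Return {container name: [findings]} for the settings covered above."""
    report = {}
    for ctr in pod_spec.get("containers", []):
        eff = effective_context(pod_spec, ctr)
        findings = []
        if eff["allowPrivilegeEscalation"] is not False:
            findings.append("allowPrivilegeEscalation is not false")
        if eff["readOnlyRootFilesystem"] is not True:
            findings.append("readOnlyRootFilesystem is not true")
        if eff["runAsUser"] == 0:
            findings.append("runs as UID 0")
        elif eff["runAsUser"] is None and eff["runAsNonRoot"] is not True:
            findings.append("no runAsUser/runAsNonRoot; image default user applies")
        report[ctr["name"]] = findings
    return report


# Constructed sample Pod spec (names and images are hypothetical).
SAMPLE_POD = {
    "securityContext": {"runAsUser": 1001, "runAsGroup": 2001},
    "containers": [
        {"name": "hardened", "image": "example/app:1",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True}},
        {"name": "override-root", "image": "example/tool:1",
         "securityContext": {"runAsUser": 0}},
    ],
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POD).items():
        print(name, "->", findings or "ok")
```

The second container shows why a Pod-level runAsUser is not sufficient on its own: a container-level value overrides it, and the two container-only fields are never inherited from the Pod.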

Example: Kubernetes Dashboard

The Kubernetes Dashboard Helm chart provides default values for its container security context to enforce a secure baseline^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]. For instance, the Metrics scraper is configured to run as a specific user (1001) and group (2001) with a read-only root filesystem and privilege escalation disabled^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md].

Default configurations typically include^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]:

  • allowPrivilegeEscalation: false
  • readOnlyRootFilesystem: true
  • runAsUser: 1001
  • runAsGroup: 2001

Sources

^[400-devops-06-kubernetes-devops-helm-terraform-helm-helm-readme.md]