# Kubernetes Commands for Enhancing Security

This guide explains Kubernetes settings used to improve security. It focuses on **three critical settings** that enhance container security and enforce least-privilege principles:

## allowPrivilegeEscalation

This policy prohibits privilege escalation within the pod. The `securityContext.allowPrivilegeEscalation` setting must be set to `false`; it cannot be set to `true` or left unset. This helps limit access to host resources that might mistakenly be exposed to the container, thereby enhancing security by preventing processes in the container from gaining root privileges.

### Initial Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: true  # This violates the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      # This violates the rule (securityContext.allowPrivilegeEscalation is unset)
```

### Compliant Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: false  # Compliant with the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      securityContext:
        allowPrivilegeEscalation: false  # Compliant with the rule
```

## runAsUser

This policy prohibits processes from running as the root user. In UNIX operating systems, the root user has a User ID (UID) value of `0`, which gives full access to the system. Therefore, to ensure security, the `securityContext.runAsUser` property MUST be left empty (unset) or explicitly set to a value greater than `0`. This policy aims to prevent processes from gaining elevated privileges, thereby reducing the potential risk of exploitation or abuse of the system.

### Initial Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsUser: 0  # This breaks the rule
  containers:
  - name: example-container
    image: nginx
    securityContext:
      runAsUser: 0  # This breaks the rule
```

### Compliant Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsUser: 1001  # Compliant with the rule
  containers:
  - name: example-container
    image: nginx
    # Compliant with the rule (securityContext.runAsUser is unset)
```

## runAsNonRoot

This policy prohibits processes from running as the root user inside a Pod. Therefore, the `securityContext.runAsNonRoot` property MUST be set to `true`. This value must not be set to false or left empty (unset). This policy ensures security by forcing all processes to run using a non-root user, reducing the risk of exploits associated with elevated privileges.

### Initial Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsNonRoot: false  # This breaks the rule
  containers:
  - name: example-container
    image: nginx
    # This violates the rule (securityContext.runAsNonRoot is unset)
```

### Compliant Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        runAsNonRoot: true # Compliant with the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      securityContext:
        runAsNonRoot: true # Compliant with the rule
```

{% embed url="<https://youtu.be/jcWUCsoLOHU>" %}

## Tutorial

The video demonstrates how to apply the three Kubernetes security settings explained earlier in this guide.

{% hint style="warning" %}
Make sure you can access the Pod/Container that you have.
{% endhint %}

The following are the contents of the `privileged-pod.yaml` file used.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
  - name: main-container
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      runAsUser: 1001
      runAsNonRoot: true  # the field is runAsNonRoot; runAsRoot is not a securityContext field
  initContainers:
  - name: init-container
    image: busybox
    command: ["sh", "-c", "echo Init container running"]
    securityContext:
      allowPrivilegeEscalation: false
      runAsUser: 1001
      runAsNonRoot: true  # the field is runAsNonRoot; runAsRoot is not a securityContext field
```
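
The three rules can be checked mechanically before a manifest is applied. The following is an added example, not part of the original guide or the video: it audits a Pod manifest that has already been parsed into a Python dict, covering `containers`, `initContainers` and `ephemeralContainers`. Going slightly beyond the examples above, it assumes that a value set in the pod-level `spec.securityContext` applies to containers that do not set their own `runAsUser` or `runAsNonRoot`; `check_pod` and both sample manifests are hypothetical names and constructed data.

```python
# Added example (not from the original guide): audit a Pod manifest, already
# parsed into a dict, against the three rules described on this page.
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

def check_pod(pod):
    """Return a list of 'container: reason' strings, empty if compliant."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for key in CONTAINER_KEYS:
        for c in spec.get(key) or []:
            name = c.get("name", "<unnamed>")
            sc = c.get("securityContext") or {}
            # allowPrivilegeEscalation exists only at container level;
            # both "true" and "unset" fail the rule.
            if sc.get("allowPrivilegeEscalation") is not False:
                violations.append(f"{name}: allowPrivilegeEscalation must be false")
            # runAsUser may be unset but never 0; container value wins over pod value.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid is not None and uid <= 0:
                violations.append(f"{name}: runAsUser must be unset or greater than 0")
            # runAsNonRoot must be explicitly true; a misspelled key counts as unset.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if non_root is not True:
                violations.append(f"{name}: runAsNonRoot must be true")
    return violations

# Constructed sample manifests (hypothetical, for illustration only).
POD_BAD = {"spec": {
    "containers": [{"name": "main-container", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": True,
                                        "runAsUser": 0}}],
    "initContainers": [{"name": "init-container", "image": "busybox",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "runAsUser": 1001,
                                            "runAsRoot": False}}],  # misspelled key
}}
POD_GOOD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},  # pod-level
    "containers": [{"name": "main-container", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": False}}],
}}

if __name__ == "__main__":
    for label, pod in (("bad", POD_BAD), ("good", POD_GOOD)):
        print(label, check_pod(pod) or "compliant")
```

A misspelled field such as `runAsRoot` does not satisfy the `runAsNonRoot` rule, which is why `init-container` in the constructed non-compliant manifest is still reported.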


