search
Ctrlk
Page cover

Kubernetes Commands for Enhancing Security

The guide above explains the commands used in Kubernetes for security. It focuses on three critical settings that enhance container security and enforce least privilege principles:

hashtag
allowPrivilegeEscalation

This policy prohibits privilege escalation within the pod. The securityContext.allowPrivilegeEscalation setting must be set to false, and it cannot be set to true or left unset. This helps to limit access to host resources that might mistakenly get exposed to the container, thereby enhancing security by preventing containers from running with root privileges.

hashtag
Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: true  # This violates the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      # This violates the rule (securityContext.allowPrivilegeEscalation is unset)

hashtag
Compliant Example

hashtag
runAsUser

This policy prohibits processes from running as the root user. In UNIX operating systems, the root user has a User ID (UID) value of 0, which gives full access to the system. Therefore, to ensure security, the securityContext.runAsUser property MUST be left empty (unset) or explicitly set to a value greater than 0. This policy aims to prevent processes from gaining elevated privileges, thereby reducing the potential risk of exploitation or abuse of the system.

hashtag
Initial Example

hashtag
Compliant Example

hashtag
runAsNonRoot

This policy prohibits processes from running as the root user inside a Pod. Therefore, the securityContext.runAsNonRoot property MUST be set to true. This value must not be set to false or left empty (unset). This policy ensures security by forcing all processes to run using a non-root user, reducing the risk of exploits associated with elevated privileges.

hashtag
Initial Example

hashtag
Compliant Example

hashtag
Tutorial

The following video explains the 3 implementations of the Kubernetes security configuration command previously explained in this guide.

circle-exclamation

Make sure you can access the Pod/Container that you have.

The following are the contents of the privileged-pod.yaml file used.

PreviousHow to use kubeconfig on WindowsNextHow to add GPU in Kubernetes

Last updated