Kubernetes Cluster Wide Security Policy Configuration

Post on 19-Mar-2017


Kubernetes

Pradipta Banerjee

@pradipta_kr www.cloudgeekz.com

Kubernetes Components

Kubernetes Authentication and Authorization

Container Security Policies

• What?
  • Can the container process run as the 'root' user?
  • Can the user run a 'privileged' container?
  • What 'capabilities' should be allowed for the container?
  • …
• How?
  • How can the cluster admin enforce container security?

• Kubernetes provides the PodSecurityPolicy resource for enforcing cluster-wide security policies; the policy is applied by the PodSecurityPolicy admission controller when a pod is created.

Example Policy: Don't allow process(es) inside the container to run as the 'root' user

The POD should meet one of the following criteria:
• The POD container image(s) should have the USER attribute defined (as a numeric UID; the kubelet cannot verify a user given by name and rejects the container)
OR
• The POD YAML file should explicitly specify the non-root USER ID as part of securityContext (runAsUser with a non-zero value)

Files shown on the slide: noroot.yaml, pod.yaml
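Assembled here as an added example (not the deck's own noroot.yaml or pod.yaml, whose contents are not reproduced in the transcript), the manifests below answer the three "What?" questions from the Container Security Policies slide with a single PodSecurityPolicy, add the RBAC the policy needs before it takes effect, and show a pod that satisfies it. The resource names, the demo namespace, the app-sa ServiceAccount and UID 1000 are assumptions. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the same intent is expressed with Pod Security Admission (the restricted profile) or an external admission controller, but the policy decisions shown here are the same.

```yaml
# Added example, not the deck's files. Names (noroot, demo, app-sa) and the
# UID 1000 are assumptions for illustration.
#
# --- noroot.yaml: one PodSecurityPolicy answering the "What?" questions
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: noroot
spec:
  # "Can the user run a 'privileged' container?" -> no
  privileged: false
  allowPrivilegeEscalation: false
  # "What 'capabilities' should be allowed?" -> nothing beyond the runtime's
  # default set, and drop the ones most useful for breaking out of a container
  allowedCapabilities: []
  requiredDropCapabilities:
    - NET_RAW
    - SYS_ADMIN
  # "Can the container process run as 'root'?" -> no; the pod must either set
  # a non-zero runAsUser or use an image with a numeric non-root USER
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # volumes is an allow-list; omitting it would forbid every volume type
  volumes:
    - configMap
    - secret
    - emptyDir
---
# A PSP only applies to pods whose creator is authorized to "use" it, so the
# policy is inert until a (Cluster)Role grants that verb on the policy name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-noroot-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["noroot"]
    verbs: ["use"]
---
# Bind it to the ServiceAccount that will own the pods in the demo namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-noroot-user
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-noroot-user
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: demo
---
# --- pod.yaml: a pod that satisfies the policy by stating its UID explicitly.
# busybox has no USER in its image, so without runAsUser the kubelet would
# refuse to start the container under MustRunAsNonRoot.
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-demo
  namespace: demo
spec:
  serviceAccountName: app-sa
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000        # any non-zero UID; runAsUser: 0 is rejected at admission
  containers:
    - name: app
      image: busybox
      command: ["sleep", "3600"]
      securityContext:
        allowPrivilegeEscalation: false
```

Two checks before trusting the policy: the PodSecurityPolicy admission plugin must be enabled on the API server (`--enable-admission-plugins=PodSecurityPolicy`), otherwise the object is stored but never evaluated; and `kubectl auth can-i use podsecuritypolicy/noroot --as system:serviceaccount:demo:app-sa` should answer `yes`, since pods created by controllers are authorized as their ServiceAccount, not as the admin who applied the Deployment. With both in place, changing the pod to `runAsUser: 0` or adding `privileged: true` to the container is refused by the API server with the policy named in the error.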

References
• https://kubernetes.io/docs/user-guide/pod-security-policy/
• cloudgeekz.com/1204/docker-cluster-kubernetes-policies.html
• https://www.katacoda.com/bpradipt/scenarios/kubernetes-podsecuritypolicy