Advanced Kubernetes Security: Pod Context, Linux Capabilities, OPA Gatekeeper, and gVisor Implementation
Pod Security Context
A security context in Kubernetes defines the access controls and privileges a Pod and its containers run with. Settings at the pod level apply to every container, and a container-level setting overrides the pod-level value for the same field.
Configuration Parameters
| Parameter | Description |
|---|---|
| runAsUser | Specifies the user ID under which the container runs. |
| runAsGroup | Sets the group ID for container processes. |
| fsGroup | Defines the group ID for mounted volumes. |
| runAsNonRoot | Ensures containers do not run as root. |
| allowPrivilegeEscalation | Controls whether processes can gain additional privileges. |
| capabilities | Manages Linux capabilities for containers. |
| privileged | Determines if a container runs with full privileges. |
| readOnlyRootFilesystem | Mounts the container's root filesystem as read-only. |
Example 1: Running Containers with Non-Root Users
Dockerfile Approach
```dockerfile
FROM python
# Create an unprivileged account for the service.
RUN useradd appuser
RUN mkdir -p /app
COPY . /app
WORKDIR /app
# Give the application user ownership of its files, then drop root for good.
RUN chown -R appuser /app
USER appuser
# Exec form: the interpreter runs as PID 1 and receives signals directly.
CMD ["python", "app.py"]
```
Kubernetes Security Context
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      # Pod-level settings apply to every container unless overridden below.
      securityContext:
        runAsUser: 1000
        fsGroup: 1000          # group ownership applied to mounted volumes
      containers:
      - name: app-container
        image: myregistry/app:latest
        securityContext:
          runAsUser: 1000
          # Sets no_new_privs, so setuid binaries cannot regain privileges.
          allowPrivilegeEscalation: false
```
Example 2: Privileged Container Handling
Instead of enabling full privileged mode, grant only the capabilities the workload needs:

```yaml
# Fragment of a Pod spec; the surrounding apiVersion/kind/metadata are omitted.
spec:
  containers:
  - name: privileged-container
    image: ubuntu
    securityContext:
      capabilities:
        # SYS_ADMIN is itself very broad (mounts, namespaces and more);
        # prefer a narrower capability whenever the task allows it.
        add: ["SYS_ADMIN"]
```
Linux Capabilities Management
Linux capabilities split the privileges of root into discrete units, so a process can be granted the specific ones it needs instead of full root access. Common capabilities include:
- CAP_SYS_ADMIN: System administration tasks
- CAP_NET_BIND_SERVICE: Binding to privileged ports
- CAP_DAC_OVERRIDE: Bypassing file permission checks
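To see what a capability set actually contains, it helps to decode the bitmask the kernel exposes in `/proc/<pid>/status`. The following script is an added example, not code from the article: it parses a `CapEff` line, names the bits, and models what a manifest's `capabilities.add` / `capabilities.drop` does to the set. The bit numbers come from the Linux UAPI header; the sample mask is the well-known default set of a Docker/containerd container, and the drop-before-add order is an assumption stated in the code.

```python
# Added example, not code from the original article: decode a Linux capability
# bitmask (the CapEff/CapPrm/CapBnd lines of /proc/<pid>/status) into names,
# and model what a manifest's capabilities.add / capabilities.drop does to it.

# Bit positions from the Linux UAPI header include/uapi/linux/capability.h.
# Only the capabilities needed here are listed; other bits decode as CAP_<n>.
CAPABILITY_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
    "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27,
    "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}
BIT_NAMES = {bit: name for name, bit in CAPABILITY_BITS.items()}
CAP_LAST_CAP = 40  # highest capability number on current kernels

# Sample mask: the default set a Docker/containerd container receives when
# nothing is added or dropped (14 capabilities, no CAP_SYS_ADMIN).
DEFAULT_CONTAINER_CAPS = 0xA80425FB


def parse_cap_line(line):
    """Parse one 'CapEff:\t00000000a80425fb' status line into an int mask."""
    label, _, value = line.partition(":")
    if label not in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
        raise ValueError(f"not a capability line: {line!r}")
    return int(value.strip(), 16)


def decode_capabilities(mask):
    """Return the set of capability names whose bit is set in mask."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(BIT_NAMES.get(bit, f"CAP_{bit}"))
        bit += 1
    return names


def apply_manifest_capabilities(mask, add=(), drop=()):
    """Model securityContext.capabilities on a starting mask.

    Kubernetes names capabilities without the CAP_ prefix ("SYS_ADMIN") and
    accepts "ALL". Drops are applied before adds; this matches the common
    runtimes to my knowledge and is an assumption of this example.
    """
    if "ALL" in drop:
        mask = 0
    for cap in drop:
        if cap != "ALL":
            mask &= ~(1 << CAPABILITY_BITS["CAP_" + cap])
    if "ALL" in add:
        mask |= (1 << (CAP_LAST_CAP + 1)) - 1
    for cap in add:
        if cap != "ALL":
            mask |= 1 << CAPABILITY_BITS["CAP_" + cap]
    return mask


if __name__ == "__main__":
    import os
    mask = DEFAULT_CONTAINER_CAPS
    # On Linux, report the running process's own effective set instead.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            for line in fh:
                if line.startswith("CapEff:"):
                    mask = parse_cap_line(line)
    print(f"effective {mask:016x}: {sorted(decode_capabilities(mask))}")
    with_admin = apply_manifest_capabilities(DEFAULT_CONTAINER_CAPS, add=["SYS_ADMIN"])
    print(f"after add SYS_ADMIN {with_admin:016x}: "
          f"{'CAP_SYS_ADMIN' in decode_capabilities(with_admin)}")
```

Run it inside a container (`kubectl exec` into the pod and read `/proc/1/status`) to confirm that `drop: ["ALL"]` plus an explicit `add` leaves exactly the intended bits set.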
Capability Examples
Adding Mount Capability
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: capability-pod
spec:
  containers:
  - name: test-container
    image: busybox
    command: ["sleep", "3600"]
    securityContext:
      capabilities:
        # Grants mount(2) and much more; the container is still not "privileged".
        add: ["SYS_ADMIN"]
```
Read-Only Filesystem
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: readonly-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: readonly-app
  template:
    metadata:
      labels:
        app: readonly-app     # must match the selector or the API server rejects it
    spec:
      containers:
      - name: app-container
        image: myregistry/app:latest
        securityContext:
          # Writes to the image filesystem fail; mount an emptyDir for any
          # path the application legitimately needs to write to.
          readOnlyRootFilesystem: true
```
Pod Security Policies (Deprecated)
PodSecurityPolicy (PSP) was used to enforce security policies but has been deprecated since Kubernetes 1.21.
Key Restrictions
- Privileged containers
- Host namespaces
- Network and port configurations
- Volume types
- File system groups
- Root file system access
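The parameters in the security-context table, the capability handling of Example 2 and the PSP restrictions above are exactly what an admission controller evaluates on each Pod. The script below is an added example, not code from the article or from any project it mentions: it resolves the effective security context of each container (container values override pod values), applies a restrictive policy to a Pod spec, and reports violations. The list of capabilities treated as dangerous and the set of allowed volume types are this example's own choices; the sample manifests are constructed inline (two of them mirror the article's examples).

```python
# Added example, not the article's code: a stand-alone checker that applies a
# restrictive pod policy to a Pod spec (the `spec:` of a Pod, or
# `spec.template.spec` of a Deployment) the way an admission controller would.
# Manifests are constructed inline as dicts so it runs without a cluster.

# Capabilities whose addition undoes the benefit of running as non-root.
# Kubernetes spells them without the CAP_ prefix. This list is an assumption
# of this example, not a Kubernetes-defined set.
DANGEROUS_CAPABILITIES = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                          "DAC_OVERRIDE"}

# Volume types a restrictive policy permits; hostPath is the notable omission.
ALLOWED_VOLUME_TYPES = {"configMap", "secret", "emptyDir", "projected",
                        "downwardAPI", "persistentVolumeClaim"}


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext.

    Container-level values win for fields both levels carry (runAsUser,
    runAsGroup, runAsNonRoot). fsGroup exists only at pod level; privileged,
    capabilities, readOnlyRootFilesystem and allowPrivilegeEscalation exist
    only at container level, so the merge is a plain dict update.
    """
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_pod_spec(pod_spec):
    """Return a list of human-readable violations; empty means compliant."""
    violations = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            violations.append(f"pod shares a host namespace ({field}: true)")
    for vol in pod_spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in ALLOWED_VOLUME_TYPES:
                violations.append(f"volume {vol['name']!r} uses disallowed type {kind}")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = effective_security_context(pod_spec, c)
        name = c["name"]
        if sc.get("privileged"):
            violations.append(f"container {name!r} is privileged")
        # The field defaults to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"container {name!r} allows privilege escalation")
        uid = sc.get("runAsUser")
        if not sc.get("runAsNonRoot") and (uid is None or uid == 0):
            violations.append(f"container {name!r} may run as root "
                              "(set runAsNonRoot: true or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"container {name!r} root filesystem is writable "
                              "(set readOnlyRootFilesystem: true)")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & (DANGEROUS_CAPABILITIES | {"ALL"})):
            violations.append(f"container {name!r} adds capability {cap}")
    return violations


# Constructed sample: the pod template of the non-root Deployment (Example 1).
NONROOT_POD = {
    "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
    "containers": [{"name": "app-container", "image": "myregistry/app:latest",
                    "securityContext": {"runAsUser": 1000,
                                        "allowPrivilegeEscalation": False}}],
}
# Constructed sample: the SYS_ADMIN container of Example 2.
SYSADMIN_POD = {
    "containers": [{"name": "privileged-container", "image": "ubuntu",
                    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}],
}
# Constructed sample: a pod that satisfies every check.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app-container", "image": "myregistry/app:latest",
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("non-root", NONROOT_POD), ("sys-admin", SYSADMIN_POD),
                        ("hardened", HARDENED_POD)):
        found = check_pod_spec(spec)
        print(f"{label}: {'OK' if not found else ''}")
        for v in found:
            print(f"  - {v}")
```

The Example 1 pod passes the root and privilege-escalation checks but is still flagged for a writable root filesystem, which is the kind of gap a policy engine catches before the workload is admitted.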
OPA Gatekeeper Solution
OPA Gatekeeper replaces PSP with a more flexible admission-control policy engine whose rules are written in the Rego language.
Installation
Apply the Gatekeeper manifest directly from the release branch:

```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.1/deploy/gatekeeper.yaml
```
Policy Definition
Template Creation
```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: no-privileged-containers
spec:
  crd:
    spec:
      names:
        kind: NoPrivilegedContainers
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package admission
      violation[{
```