Security Contexts
A security context defines privilege and access control settings for a Pod or Container.
To specify security settings for a Pod, include the securityContext field in the Pod specification. The securityContext field is a PodSecurityContext object. The security settings that you specify for a Pod apply to all Containers in the Pod.
Setup minikube VM with users
# Run these inside the minikube VM (minikube ssh). Every command touches
# root-owned files, so each one is executed through sudo.
echo "container-user-0:x:2000:2000:-:/home/container-user-0:/bin/bash" | sudo tee -a /etc/passwd
echo "container-user-1:x:2001:2001:-:/home/container-user-1:/bin/bash" | sudo tee -a /etc/passwd
echo "container-group-0:x:3000:" | sudo tee -a /etc/group
echo "container-group-1:x:3001:" | sudo tee -a /etc/group
sudo mkdir -p /etc/message/
echo "Hello, World!" | sudo tee -a /etc/message/message.txt
# Owner uid 2000, group gid 3000, mode 640: readable by the owner and the group only.
sudo chown 2000:3000 /etc/message/message.txt
sudo chmod 640 /etc/message/message.txt
Using this securityContext (uid 2000 is the file's owner), the container will be able to read the file /message/message.txt:
apiVersion: v1
kind: Pod
metadata:
  name: my-securitycontext-pod
spec:
  restartPolicy: Never
  securityContext:
    runAsUser: 2000
    runAsGroup: 3000
    fsGroup: 3000
  containers:
  - name: myapp-container
    image: busybox
    command: ["sh", "-c", "cat /message/message.txt && sleep 3600"]
    volumeMounts:
    - name: message-volume
      mountPath: /message
  volumes:
  - name: message-volume
    hostPath:
      path: /etc/message
Using this securityContext (uid 2001 and gid 3001 match neither the file's owner nor its group), the container should NOT be able to read the file /message/message.txt:
apiVersion: v1
kind: Pod
metadata:
  name: my-securitycontext-pod
spec:
  restartPolicy: Never
  securityContext:
    runAsUser: 2001
    runAsGroup: 3001
    fsGroup: 3001
  containers:
  - name: myapp-container
    image: busybox
    command: ["sh", "-c", "cat /message/message.txt && sleep 3600"]
    volumeMounts:
    - name: message-volume
      mountPath: /message
  volumes:
  - name: message-volume
    hostPath:
      path: /etc/message
Run this Pod and check its logs to see the "Permission denied" error from cat.
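Why the first Pod reads the file and the second does not comes down to the ordinary POSIX permission check that the kernel applies to the container's process identity. The model below is an added example, not code from the page or from Kubernetes: it derives the process identity (uid, gid, supplementary groups) from a PodSecurityContext and runs the owner/group/other check against the file created by the setup above (uid 2000, gid 3000, mode 640). It goes slightly beyond the two Pods on the page by also covering supplementalGroups and the no-securityContext (root) case. Two caveats it encodes: fsGroup is added to the process's supplementary groups but does not change ownership of a hostPath volume, so the file stays 2000:3000; and the root bypass assumes the container keeps its default capabilities. The Pod dicts and file metadata are constructed sample values matching the manifests above.

```python
"""Model the permission check a container process goes through when reading a
file on a hostPath volume, driven by the Pod's securityContext.
Added example, not from the original page. Sample values are constructed to
match the setup above: /etc/message/message.txt owned by 2000:3000, mode 640."""
import stat

# Constructed: the file created by the setup commands (chown 2000:3000, chmod 640).
MESSAGE_FILE = {"uid": 2000, "gid": 3000, "mode": 0o640}

# Constructed: the securityContext blocks of the two Pods on the page, plus a
# third variant that reaches the file through supplementalGroups.
POD_READABLE = {"runAsUser": 2000, "runAsGroup": 3000, "fsGroup": 3000}
POD_DENIED = {"runAsUser": 2001, "runAsGroup": 3001, "fsGroup": 3001}
POD_VIA_SUPPLEMENTAL = {"runAsUser": 2001, "runAsGroup": 3001,
                        "supplementalGroups": [3000]}


def effective_identity(security_context: dict) -> tuple[int, int, frozenset[int]]:
    """Return (uid, gid, supplementary gids) for the container's processes.

    Assumption: the image sets no USER, so runAsUser/runAsGroup decide the
    identity and both default to 0 (root) when absent. fsGroup joins the
    supplementary groups, but Kubernetes does not chown hostPath volumes to
    fsGroup, so it cannot make a file on /etc/message readable by itself.
    """
    uid = security_context.get("runAsUser", 0)
    gid = security_context.get("runAsGroup", 0)
    supplementary = set(security_context.get("supplementalGroups", []))
    if "fsGroup" in security_context:
        supplementary.add(security_context["fsGroup"])
    return uid, gid, frozenset(supplementary)


def permission_class(uid: int, gid: int, supplementary: frozenset[int],
                     file_info: dict) -> str:
    """Name the POSIX permission class the process falls into for this file."""
    if uid == 0:
        return "root"   # CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH bypass the mode bits
    if uid == file_info["uid"]:
        return "owner"
    if file_info["gid"] == gid or file_info["gid"] in supplementary:
        return "group"
    return "other"


def can_read(uid: int, gid: int, supplementary: frozenset[int],
             file_info: dict) -> bool:
    """Apply the read bit of the class the process belongs to."""
    cls = permission_class(uid, gid, supplementary, file_info)
    mode = file_info["mode"]
    read_bit = {"root": None, "owner": stat.S_IRUSR,
                "group": stat.S_IRGRP, "other": stat.S_IROTH}[cls]
    return True if read_bit is None else bool(mode & read_bit)


def pod_can_read(security_context: dict, file_info: dict = MESSAGE_FILE) -> bool:
    """Evaluate a PodSecurityContext against a file on a hostPath volume."""
    return can_read(*effective_identity(security_context), file_info)


def pod_permission_class(security_context: dict,
                         file_info: dict = MESSAGE_FILE) -> str:
    return permission_class(*effective_identity(security_context), file_info)


if __name__ == "__main__":
    for label, ctx in [("runAsUser 2000", POD_READABLE),
                       ("runAsUser 2001", POD_DENIED),
                       ("2001 + supplementalGroups [3000]", POD_VIA_SUPPLEMENTAL),
                       ("no securityContext", {})]:
        print(f"{label:35} class={pod_permission_class(ctx):6} "
              f"cat /message/message.txt -> {'ok' if pod_can_read(ctx) else 'Permission denied'}")
```

The last case is the one worth remembering when reviewing manifests: a Pod with no securityContext runs as uid 0 and reads the file regardless of its mode, so the restrictive outcome of the second Pod depends on runAsUser actually being set (or enforced by an admission policy) rather than on fsGroup.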