Container security context¶
Kubernetes restricts what a container can do through the securityContext settings in the PodSpec, which raises the baseline security of pods running on Kubernetes. By default nais sets the following securityContext on the application container:
| setting | value | effect |
|---|---|---|
| runAsUser | 1069 | the process runs as an unprivileged user id |
| runAsGroup | 1069 | primary group id of the process |
| allowPrivilegeEscalation | false | no_new_privs is set, so setuid binaries and file capabilities cannot raise privileges |
| readOnlyRootFilesystem | true | the root file system is mounted read-only |
| runAsNonRoot | true | the kubelet refuses to start the container if it would run as uid 0 |
| privileged | false | no host device access or host-level capabilities |
| capabilities | drop: ["all"] | every Linux capability is dropped; none are granted unless explicitly added |
Enable specific kernel capabilities¶
Enable specific Linux kernel capabilities by adding the following annotation to your Application or NaisJob spec:
```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  annotations:
    nais.io/add-kernel-capability: "NET_RAW"
```
The annotation takes a comma-separated list of capabilities, named as in the example (NET_RAW for CAP_NET_RAW). Because all capabilities are dropped by default, only the ones you list here are granted, so add the minimum your application actually needs. Not all capabilities are supported, so if you encounter issues with missing capabilities, contact the nais team. The available capabilities and what each one permits are described in the Linux capabilities(7) man page.
Disable read-only file system¶
By default the container's root file system is mounted read-only and /tmp is the only writable path.
If your application requires writing to another location, it is possible to enable this by setting the following annotation:
```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  annotations:
    nais.io/read-only-file-system: "false"
```
Note that even though the file system is then writable, the process still runs as user 1069 (or whatever you override it with), so that user needs write permission on the target directory inside the docker image. Create the directory and chown it to that user in your Dockerfile if the image does not already do so. A writable root file system also lets a compromised process modify its own binaries and libraries, so prefer writing to /tmp or a dedicated writable path where you can.
Overriding runAsUser / runAsGroup¶
By default the container runs with user and group id 1069. If you need to override this for your container, add the following annotations to your Application:
```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  annotations:
    nais.io/run-as-user: "1001"
    nais.io/run-as-group: "1002"
```
If you only set nais.io/run-as-user, nais.io/run-as-group defaults to the same value. Choose an unprivileged id: runAsNonRoot is still enforced, so the kubelet refuses to start a container whose runAsUser is 0.
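The three annotation sections above (kernel capabilities, read-only file system, runAsUser/runAsGroup) all map an Application annotation onto the default securityContext from the table. The following is an added example, not naiserator's or nais' own code: it models the documented rules to compute the effective securityContext for a manifest and audits the result for settings a reviewer would question. It assumes naiserator applies the rules exactly as the text states them, and the sample manifests are constructed inline as Python dicts so it runs offline without a YAML parser.

```python
"""Model of the securityContext rules documented on this page (added example,
not nais' own code). Assumes the annotations are applied exactly as described."""
import copy

DEFAULT_UID = 1069

# Defaults from the table on this page.
DEFAULT_SECURITY_CONTEXT = {
    "runAsUser": DEFAULT_UID,
    "runAsGroup": DEFAULT_UID,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "privileged": False,
    "capabilities": {"drop": ["all"]},
}

# Annotation keys documented on this page.
ANN_CAPS = "nais.io/add-kernel-capability"
ANN_RO_FS = "nais.io/read-only-file-system"
ANN_UID = "nais.io/run-as-user"
ANN_GID = "nais.io/run-as-group"


def effective_security_context(application):
    """Apply the documented annotation overrides to the defaults and return
    the resulting container securityContext as a dict."""
    annotations = application.get("metadata", {}).get("annotations") or {}
    ctx = copy.deepcopy(DEFAULT_SECURITY_CONTEXT)

    # Comma-separated list; everything else stays dropped.
    if ANN_CAPS in annotations:
        caps = [c.strip() for c in annotations[ANN_CAPS].split(",") if c.strip()]
        if caps:
            ctx["capabilities"]["add"] = caps

    if str(annotations.get(ANN_RO_FS, "")).strip().lower() == "false":
        ctx["readOnlyRootFilesystem"] = False

    if ANN_UID in annotations:
        uid = int(annotations[ANN_UID])
        ctx["runAsUser"] = uid
        ctx["runAsGroup"] = uid  # group follows the user unless set explicitly
    if ANN_GID in annotations:
        ctx["runAsGroup"] = int(annotations[ANN_GID])
    return ctx


def audit_security_context(ctx):
    """Return human-readable findings for settings that weaken the defaults."""
    findings = []
    if ctx.get("runAsUser") == 0:
        # runAsNonRoot stays true, so the kubelet refuses to start this container.
        findings.append("runAsUser is 0: conflicts with runAsNonRoot, container will not start")
    if not ctx.get("runAsNonRoot"):
        findings.append("runAsNonRoot is not enforced")
    if ctx.get("privileged"):
        findings.append("privileged container")
    if ctx.get("allowPrivilegeEscalation"):
        findings.append("allowPrivilegeEscalation is true: setuid binaries can gain privileges")
    if not ctx.get("readOnlyRootFilesystem"):
        findings.append("root file system is writable")
    caps = ctx.get("capabilities") or {}
    if "all" not in {c.lower() for c in caps.get("drop", [])}:
        findings.append("capabilities are not all dropped")
    for cap in caps.get("add", []):
        findings.append(f"capability added: {cap}")
    return findings


# Constructed sample manifests in the nais.io/v1alpha1 Application shape.
APP_DEFAULT = {
    "apiVersion": "nais.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "myapp"},
}

APP_OVERRIDDEN = {
    "apiVersion": "nais.io/v1alpha1",
    "kind": "Application",
    "metadata": {
        "name": "myapp",
        "annotations": {
            ANN_CAPS: "NET_RAW, NET_BIND_SERVICE",
            ANN_RO_FS: "false",
            ANN_UID: "1001",
            ANN_GID: "1002",
        },
    },
}

if __name__ == "__main__":
    for app in (APP_DEFAULT, APP_OVERRIDDEN):
        ctx = effective_security_context(app)
        print(app["metadata"]["name"], ctx)
        for finding in audit_security_context(ctx) or ["no findings"]:
            print("  -", finding)
```

Run it as a pre-deploy check on the rendered manifest: the default Application produces no findings, while the overridden one reports the writable root file system and each added capability, which is exactly the list you want a reviewer to sign off on.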
Relevant information¶
Docker security best practices
Created: 2021-09-14