Container security context
Kubernetes restricts the capabilities of containers through SecurityContext settings, which hardens the pods running on Kubernetes.
By default we set the following securityContext in the PodSpec for the application container:
Enable specific kernel capabilities
Enable specific kernel capabilities by adding the following annotation to your
```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  annotations:
    nais.io/add-kernel-capability: "NET_RAW"
```
The annotation supports multiple values separated by commas. Not all capabilities are supported, so if you encounter issues with missing capabilities, contact the nais team.
They are found in the list of capabilities
Disable read-only file system
By default, the only writable path on the file system is
If your application requires writing to another location, you can enable this by setting the following annotation:
```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  annotations:
    nais.io/read-only-file-system: "false"
```
Note that even though the file system is writable, the default user 1069 (or whatever you override it with) still needs write permission to that location inside the Docker image.
Overriding runAsUser / runAsGroup
By default the container runs with user and group id
1069. If you need to override this for your container, you can add the following annotations to your
```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  annotations:
    nais.io/run-as-user: "1001"
    nais.io/run-as-group: "1002"
```
nais.io/run-as-group will default to what you specify as
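The three annotations above all relax the defaults this page describes (no extra kernel capabilities, a read-only root file system, uid/gid 1069). As an added example, not nais's own code, here is a small review check that reads those annotations from an Application manifest and reports what each one changes; the set of capabilities it marks as high impact and the sample manifest are assumptions constructed for illustration.

```python
"""Review nais.io security annotations on an Application manifest.

Added example, not part of the nais platform. Defaults follow the page:
no added kernel capabilities, read-only root file system, uid/gid 1069.
"""
from typing import Dict, List

DEFAULT_ID = 1069  # documented default runAsUser / runAsGroup
# Capabilities a reviewer should look at closely (assumption, not the
# nais team's list of supported capabilities).
HIGH_IMPACT_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "NET_RAW"}


def lint_security_annotations(manifest: Dict) -> List[str]:
    """Return one finding per annotation that departs from the defaults."""
    ann = manifest.get("metadata", {}).get("annotations") or {}
    findings: List[str] = []

    # nais.io/add-kernel-capability: comma-separated list of capabilities
    caps = ann.get("nais.io/add-kernel-capability", "")
    for cap in (c.strip().upper() for c in caps.split(",") if c.strip()):
        level = "HIGH" if cap in HIGH_IMPACT_CAPS else "INFO"
        findings.append(f"{level}: adds kernel capability {cap}")

    # nais.io/read-only-file-system: "false" makes the whole root fs writable
    if ann.get("nais.io/read-only-file-system", "true").strip().lower() == "false":
        findings.append("WARN: root file system made writable")

    # nais.io/run-as-user and run-as-group: numeric ids; 0 means root
    for key in ("nais.io/run-as-user", "nais.io/run-as-group"):
        raw = ann.get(key)
        if raw is None:
            continue
        if not raw.strip().isdigit():
            findings.append(f"ERROR: {key} must be a numeric id, got {raw!r}")
        elif int(raw) == 0:
            findings.append(f"HIGH: {key} is 0 (root)")
        elif int(raw) != DEFAULT_ID:
            findings.append(f"INFO: {key} overridden to {raw.strip()}")
    return findings


# Constructed sample manifest combining all three annotations.
SAMPLE_MANIFEST = {
    "apiVersion": "nais.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "myapp", "annotations": {
        "nais.io/add-kernel-capability": "NET_RAW, SYS_TIME",
        "nais.io/read-only-file-system": "false",
        "nais.io/run-as-user": "1001",
        "nais.io/run-as-group": "0",
    }},
}

if __name__ == "__main__":
    for line in lint_security_annotations(SAMPLE_MANIFEST):
        print(line)
```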
Docker security best practices