Security Context
When you set up a deployment, you can add a securityContext to each of your containers. You can use a security context to lock down what the container is allowed to do.
spec:
  template:
    spec:
      containers:
        - name: your-container
          securityContext:
            runAsUser: 1001
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
              add:
                - NET_BIND_SERVICE
- runAsUser: Sets the UID the container process runs as. Note this UID doesn't need to exist on the nodes or in the image; just set it to an arbitrary number.
- runAsNonRoot: true or false. Self-explanatory.
- readOnlyRootFilesystem: true or false. Self-explanatory.
- allowPrivilegeEscalation: true or false. When true, a process can gain more privileges than its parent, which is what lets sudo or a similar setuid binary elevate your privileges within the container.
- capabilities: You would usually want to drop all capabilities, and just add the ones you need. NET_BIND_SERVICE is almost always needed if you're binding to a port below 1024. Here's a list of the Kubernetes capabilities, and how they map to Linux capabilities
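To make the settings above checkable rather than something you eyeball in review, here is an added example (not part of the original notes) that walks a Deployment manifest, already loaded into a dict, and reports every container whose securityContext falls short of the hardened settings described above. The manifests, the allow-list of capabilities and the function names are all constructed for this example.

```python
# Constructed sample: the Deployment fragment from the notes above, as a dict
# (so no YAML library is needed to run this).
HARDENED = {"spec": {"template": {"spec": {"containers": [{
    "name": "your-container",
    "securityContext": {
        "runAsUser": 1001,
        "runAsNonRoot": True,
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["all"], "add": ["NET_BIND_SERVICE"]},
    },
}]}}}}

# Constructed sample of a container with no hardening and an extra capability.
WEAK = {"spec": {"template": {"spec": {"containers": [{
    "name": "web",
    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
}]}}}}


def check_container(container, allowed_caps=("NET_BIND_SERVICE",)):
    """Return findings for one container; an empty list means it passes."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    findings = []
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot is not true")
    if not sc.get("runAsUser"):  # unset or 0: the image's USER is used, root if it sets none
        findings.append(f"{name}: runAsUser is unset or 0")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:  # unset means escalation is allowed
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    caps = sc.get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities.drop does not include ALL")
    extra = {c.upper() for c in caps.get("add") or []} - set(allowed_caps)
    if extra:
        findings.append(f"{name}: adds capabilities outside the allow-list: {sorted(extra)}")
    return findings


def check_deployment(manifest, allowed_caps=("NET_BIND_SERVICE",)):
    """Run check_container over every container and initContainer in a Deployment."""
    pod_spec = manifest["spec"]["template"]["spec"]
    findings = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        findings.extend(check_container(c, allowed_caps))
    return findings


if __name__ == "__main__":
    for label, manifest in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_deployment(manifest) or "OK")
```

The hardened manifest produces no findings; the weak one is flagged on every setting plus the SYS_ADMIN capability, so the same check can gate manifests in CI before they reach a cluster.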