4. Container Security
Policies
• What?
  • Can the container process run as the "root" user?
  • Can the user run a "privileged" container?
  • What "capabilities" should be allowed for the container?
  • …
• How?
  • How can the cluster admin enforce container security?
  • Kubernetes provides Pod Security Policy (PSP) for enforcing cluster-wide security policies. Note that PSP was deprecated in Kubernetes v1.21 and removed in v1.25; its replacement is Pod Security Admission, which enforces the Pod Security Standards per namespace.
5. Example Policy
Don't allow process(es) inside the container to run as the "root" user.
The Pod must meet one of the following criteria:
• The Pod's container image(s) have a USER attribute defined (a numeric, non-zero UID; with runAsNonRoot the kubelet cannot verify a username such as "nginx" and refuses to start the container),
OR
• The Pod YAML explicitly specifies a non-root user ID (runAsUser) as part of securityContext.
A Pod that sets runAsUser: 0, or neither of the above, is rejected by the policy.
[Figure: example manifests noroot.yaml and pod.yaml]
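As an added example (not from the slides), the following manifests show the rule above as a PodSecurityPolicy together with a Pod it rejects and one it admits. The policy name, Pod names and image tags are assumptions chosen for illustration.

```yaml
# PodSecurityPolicy implementing the slide's rule: no process may run as root.
# PSP was deprecated in Kubernetes v1.21 and removed in v1.25; on current clusters
# the equivalent is Pod Security Admission, e.g.
#   kubectl label namespace demo pod-security.kubernetes.io/enforce=restricted
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-noroot              # assumed name
spec:
  privileged: false                    # "privileged" containers are refused
  allowPrivilegeEscalation: false      # no setuid / capability gain after start
  requiredDropCapabilities:
    - ALL                              # drop every Linux capability
  runAsUser:
    rule: MustRunAsNonRoot             # rejects runAsUser: 0 at admission and sets
                                       # runAsNonRoot: true so the kubelet checks image USER
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
---
# pod.yaml (rejected): explicitly asks for UID 0, which MustRunAsNonRoot refuses.
apiVersion: v1
kind: Pod
metadata:
  name: pod
spec:
  containers:
    - name: app
      image: nginx:1.25                # assumed image; runs as root by default
      securityContext:
        runAsUser: 0
---
# noroot.yaml (admitted): a numeric non-root UID in securityContext satisfies the
# policy regardless of what USER the image declares.
apiVersion: v1
kind: Pod
metadata:
  name: noroot
spec:
  securityContext:
    runAsNonRoot: true                 # kubelet refuses to start the container as UID 0
    runAsUser: 10001                   # numeric UID (the field is an integer, not a name)
    runAsGroup: 10001
  containers:
    - name: app
      image: nginxinc/nginx-unprivileged:1.25   # assumed image that can run unprivileged
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

A PSP only takes effect when the PodSecurityPolicy admission controller is enabled and the creating user or service account is granted the `use` verb on the policy through RBAC; without that binding every Pod in the namespace is rejected. If noroot.yaml omitted runAsUser and relied on the image alone, the kubelet would accept it only if the image's USER is a numeric non-zero UID.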