Profile Applicability:
Level 1
Description:
A Security Context in Kubernetes defines privilege and access control settings for a Pod or Container. It allows you to configure important settings such as which user the container runs as, whether the container is allowed to escalate privileges, and access control to resources. This check ensures that the appropriate security context is applied to all Pods and Containers to follow security best practices.
Rationale:
Applying a security context to your Pods and Containers is critical to enforce security policies. It ensures that containers are run with the least privileges required, preventing potential security breaches. By configuring security context settings such as runAsUser, runAsGroup, and allowPrivilegeEscalation, you can significantly reduce the attack surface and control access to sensitive resources.
Impact:
Pros:
Helps in enforcing least privilege access for your containers.
Reduces the chances of privilege escalation attacks.
Ensures that containers run with the appropriate security settings.
Cons:
Requires extra configuration effort and careful planning.
Might require changes to existing workloads to meet security policies.
Default Value:
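By default, Kubernetes applies no security context, so a container runs as the user set in its image, which is root unless the image specifies another user. This is insecure. The security context must be manually configured to run containers with non-root users, restrict privileges, and limit access to sensitive resources.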
Pre-requisites:
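Ensure that the cluster is configured to allow Security Context settings and that PodSecurityPolicies (PSP) or similar tools are in place to enforce security best practices. PSP was removed in Kubernetes v1.25, so on current clusters this role falls to Pod Security Admission or a policy engine.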
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Pod security settings and ensure that all Pods and Containers are configured with the appropriate Security Context.
Check that the Pods are running with non-root users and that unnecessary privileges (e.g., allowPrivilegeEscalation: true) are disabled.
Using Azure CLI:
Use the following command to inspect the security context of your Pods:
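kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{.spec.securityContext}{"\t"}{.spec.containers[*].securityContext}{"\n"}{end}'
Each output line shows one Pod, its Pod-level security context, and the security context of each of its containers. allowPrivilegeEscalation can only be set at the container level, so it appears only in the last column.
Verify that the runAsUser, runAsGroup, and allowPrivilegeEscalation fields are set correctly for all containers in the cluster.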
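The command above prints raw security contexts, but a container inherits runAsUser, runAsGroup and runAsNonRoot from the Pod-level securityContext unless it overrides them, so each container's effective settings have to be worked out. The Python script below is an added example, not part of the original benchmark text: it applies the four settings named on this page to data shaped like the output of kubectl get pods --all-namespaces -o json. The function names and the sample Pods are constructed for illustration.

```python
def effective(pod_sc, ctr_sc, field):
    """A container-level value overrides the pod-level one."""
    return ctr_sc.get(field, pod_sc.get(field))

def audit(pod_list):
    """Return (namespace/pod, container, [problems]) per non-compliant container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            sc = ctr.get("securityContext") or {}
            problems = []
            for field in ("runAsUser", "runAsGroup"):
                value = effective(pod_sc, sc, field)
                if value is None:
                    problems.append(f"{field} unset")
                elif value == 0:
                    problems.append(f"{field} is 0 (root)")
            if effective(pod_sc, sc, "runAsNonRoot") is not True:
                problems.append("runAsNonRoot not true")
            # allowPrivilegeEscalation exists only at container level.
            if sc.get("allowPrivilegeEscalation") is not False:
                problems.append("allowPrivilegeEscalation not false")
            if problems:
                pod_id = f'{meta.get("namespace", "default")}/{meta["name"]}'
                findings.append((pod_id, ctr["name"], problems))
    return findings

# Constructed sample shaped like `kubectl get pods --all-namespaces -o json`.
OK_POD_SC = {"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True}
SAMPLE = {"items": [
    {"metadata": {"namespace": "payments", "name": "api"},
     "spec": {"securityContext": OK_POD_SC, "containers": [
         {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}]}},
    {"metadata": {"namespace": "default", "name": "legacy"},
     "spec": {"containers": [{"name": "web"}]}},
    {"metadata": {"namespace": "default", "name": "mixed"},
     "spec": {"securityContext": OK_POD_SC, "containers": [
         {"name": "app", "securityContext": {"allowPrivilegeEscalation": True}},
         {"name": "sidecar", "securityContext": {
             "runAsUser": 0, "allowPrivilegeEscalation": False}}]}},
]}

if __name__ == "__main__":
    for pod_id, ctr, problems in audit(SAMPLE):
        print(pod_id, ctr, "; ".join(problems), sep="\t")
```

To audit a real cluster, save the kubectl JSON output to a file and pass the result of json.load() on it to audit() in place of SAMPLE.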
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to your AKS cluster and access the Pod configurations.
Edit the Security Context settings for your Pods, ensuring that containers run with non-root users and privilege escalation is disabled.
Apply the following security context settings for each container:
runAsUser: A non-root user ID.
runAsGroup: A non-root group ID.
allowPrivilegeEscalation: Set to false to avoid privilege escalation.
Using Azure CLI:
To configure the Security Context, add the following to your Pod or Deployment YAML file:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: my-image
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      runAsNonRoot: true
Apply the configuration to the cluster:
kubectl apply -f pod-spec.yaml
Alternatively, if modifying an existing pod or deployment, run:
kubectl edit deployment <deployment-name> --namespace=<namespace-name>
and add the necessary security context settings.
Backout Plan:
Using Azure Console:
If applying the security context causes issues with workload functionality, revert the settings by modifying the security context to allow root access or re-enable privilege escalation.
Using Azure CLI:
Revert the Security Context settings by editing the pod or deployment specification to remove the securityContext settings or configure them with more permissive settings:
kubectl edit pod <pod-name> --namespace=<namespace-name>