Community post originally published on DEV.to by Sunny Bhambhani

Although Kubernetes is a powerful container orchestration platform, its complexity and its wide adoption make it a prime target for attacks. In this article we go over some of the best practices for securing Kubernetes deployments and keeping applications and data safe.

This article is only about pods and deployments; I intend to cover other security-related topics in subsequent articles.

Below is a list of settings and configurations that can be applied to a pod or deployment to reach that goal.

  # Forbid the container process from gaining more privileges than its parent
  # (setuid binaries and file capabilities can no longer elevate it).
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      allowPrivilegeEscalation: false
  # Output trimmed

  # The kubelet refuses to start the container if it would run as UID 0. An image
  # with no USER directive (nginx:1.17 is one) also needs runAsUser set, otherwise
  # the pod stays in CreateContainerConfigError.
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      runAsNonRoot: true
  # Output trimmed

  # Mount the container's root filesystem read-only; paths the process must write
  # (for nginx: /var/cache/nginx and /var/run) get an emptyDir volume instead.
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      readOnlyRootFilesystem: true
  # Output trimmed

  # Pod-level setting: every container runs as UID 1000 unless it sets its own runAsUser.
  securityContext:
    runAsUser: 1000
  containers:
  - name: webapp
    image: nginx:1.17
  # Output trimmed

  # Primary GID of the container process.
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      runAsGroup: 1000
  # Output trimmed

  # An empty capabilities object adds and drops nothing, so the runtime's default
  # set stays in place; to remove every capability use drop: ["ALL"].
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      capabilities: {}
  # Output trimmed

  # Add only the single capability the workload needs (here CAP_SYS_TIME, to set the clock).
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      capabilities:
        add:
        - SYS_TIME
  # Output trimmed

  # Drop CAP_SYS_ADMIN, the broadest of the capabilities.
  containers:
  - name: webapp
    image: nginx:1.17
    securityContext:
      capabilities:
        drop:
        - SYS_ADMIN
  # Output trimmed

NOTE:

  # Upper bound per container: exceeding the memory limit gets the process
  # OOM-killed, exceeding the CPU limit gets it throttled.
  containers:
  - name: webapp
    image: nginx:1.17
    resources:
      limits:
        cpu: "1"
        memory: "512Mi"
  # Output trimmed

  # Guaranteed minimum: the scheduler only places the pod on a node with this much free.
  containers:
  - name: webapp
    image: nginx:1.17
    resources:
      requests:
        cpu: "0.5"
        memory: "256Mi"
  # Output trimmed

  # Run more than one replica so that losing a single pod does not take the service down.
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: webapp
  spec:
    replicas: 3
  # Output trimmed

  # Image pinned to a specific tag (nginx:1.17) rather than a floating one such as latest.
  containers:
  - name: webapp
    image: nginx:1.17
  # Output trimmed

  # Deploy into a dedicated namespace rather than default, so that RBAC, network
  # policies and quotas can be scoped to it.
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: webapp
    namespace: frontend
  spec:
  # Output trimmed

NOTE:

Just for reference, here is the list of fields accepted at the pod level (run kubectl explain pod.spec.securityContext for details):

  • fsGroup
  • fsGroupChangePolicy
  • runAsGroup
  • runAsNonRoot
  • runAsUser
  • seLinuxOptions
  • seccompProfile
  • supplementalGroups
  • sysctls
  • windowsOptions

And below are the fields accepted at the container level (run kubectl explain pod.spec.containers.securityContext for details); where a field appears in both lists, the container's value overrides the pod's:

  • allowPrivilegeEscalation
  • capabilities
  • privileged
  • procMount
  • readOnlyRootFilesystem
  • runAsGroup
  • runAsNonRoot
  • runAsUser
  • seLinuxOptions
  • seccompProfile
  • windowsOptions
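As an added example (not code from the post), here is a small Python audit that checks a Deployment, in the JSON form kubectl get deploy -o json prints, for the settings discussed above. It merges the pod-level and container-level securityContext the way Kubernetes does (the container's value wins), so a pod-level runAsUser: 1000 satisfies the non-root check for a container that sets nothing itself. The sample Deployment, function names and message strings are my own.

```python
import json

# Constructed sample (not from the post), trimmed like the snippets above: the pod-level
# securityContext applies to every container unless the container sets the same field itself.
SAMPLE_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "webapp", "namespace": "frontend"},
 "spec": {"replicas": 3, "template": {"spec": {
   "securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
   "containers": [
    {"name": "webapp", "image": "nginx:1.17", "resources": {"limits": {"cpu": "1", "memory": "512Mi"}},
     "securityContext": {"allowPrivilegeEscalation": false, "runAsNonRoot": true,
                         "readOnlyRootFilesystem": true, "capabilities": {"drop": ["ALL"]}}},
    {"name": "sidecar", "image": "nginx:1.17", "securityContext": {"capabilities": {"add": ["SYS_TIME"]}}}]}}}}
""")

# Pod-level securityContext fields that a container inherits unless it sets them itself.
POD_INHERITED = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile", "seLinuxOptions")


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext; the container's value wins."""
    merged = {k: v for k, v in (pod_spec.get("securityContext") or {}).items() if k in POD_INHERITED}
    merged.update(container.get("securityContext") or {})
    return merged


def audit_container(pod_spec, container):
    """List the settings from this post that the container's effective context is missing."""
    sc = effective_security_context(pod_spec, container)
    caps = sc.get("capabilities") or {}
    limits = (container.get("resources") or {}).get("limits") or {}
    checks = [
        (sc.get("allowPrivilegeEscalation") is not False, "allowPrivilegeEscalation is not false"),
        (sc.get("runAsNonRoot") is not True and sc.get("runAsUser") in (None, 0), "may run as root"),
        (sc.get("readOnlyRootFilesystem") is not True, "readOnlyRootFilesystem is not true"),
        ("ALL" not in (caps.get("drop") or []), "capabilities not dropped (expected drop: [ALL])"),
        (bool(caps.get("add")), "adds capabilities: " + ", ".join(caps.get("add") or [])),
    ]
    issues = [msg for failed, msg in checks if failed]
    issues += [f"no {res} limit" for res in ("cpu", "memory") if res not in limits]
    return issues


def audit_deployment(deployment):
    """Map each container name to its issues; a '_deployment' entry flags the default namespace."""
    pod_spec = deployment["spec"]["template"]["spec"]
    report = {c["name"]: audit_container(pod_spec, c) for c in pod_spec.get("containers", [])}
    if deployment.get("metadata", {}).get("namespace", "default") == "default":
        report["_deployment"] = ["runs in the default namespace"]
    return report
```

Running audit_deployment(SAMPLE_DEPLOYMENT) reports nothing for webapp and six findings for sidecar, none of them about root, because it inherits runAsUser: 1000 from the pod.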

If there are any important configurations or use cases that I may have missed from a deployment perspective, please feel free to add them.
