When implementing an application that runs in a container and is deployed to Kubernetes, there are some points we need to pay attention to in order to protect the application.

Following the best practices from Kubernetes:



1. Run the container as a non-root user

In order for the container to run as a non-root user, we define the user and its group in the Dockerfile and switch to that user before the application starts:

# create the group (GID 2000) and user (UID 1000), then hand ownership of /app to them
RUN addgroup --gid 2000 usergroup && adduser --uid 1000 --disabled-password --gecos "" user --gid 2000 && chown -R user:usergroup /app

USER user

2. Configure the settings in the deployment template

a. securityContext at Pod level (the UID and GID match the user created in the Dockerfile)

securityContext:
  runAsUser: 1000
  runAsGroup: 2000

b. securityContext at container level (the documented value for dropping every capability is ALL)

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
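To show the two securityContext blocks together and to check that a manifest actually carries them, here is an added example (not from the original post and not Kubernetes project code). It embeds two constructed Pod manifests as Python dicts in the same structure kubectl reads from JSON or YAML: one with no securityContext (the default) and one with the Pod-level and container-level settings above. The hardened one also mounts an emptyDir at /tmp, because readOnlyRootFilesystem leaves the application no writable path otherwise; the image name and the audit_pod function are assumptions for the example.

```python
"""Audit a Pod manifest for the securityContext settings described above.

Added example, not from the original post or the Kubernetes project.
"""
import json

# Constructed example: a Pod with no securityContext at all (the default).
UNHARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo-default"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example.com/app:1.0"}  # placeholder image
        ]
    },
}

# Constructed example: the same Pod with the Pod-level and container-level
# settings from the post, plus an emptyDir for the one path the app writes to.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo-hardened"},
    "spec": {
        # Pod level: matches the UID/GID created in the Dockerfile
        "securityContext": {"runAsUser": 1000, "runAsGroup": 2000},
        "containers": [
            {
                "name": "app",
                "image": "example.com/app:1.0",  # placeholder image
                # container level
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                    "privileged": False,
                    "readOnlyRootFilesystem": True,
                    "runAsNonRoot": True,
                },
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def audit_pod(manifest):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # container-level values override Pod-level ones, so compute the effective value
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user in (None, 0):
            findings.append(f"{name}: runAsUser missing or 0 (root)")
        if sc.get("runAsGroup", pod_sc.get("runAsGroup")) is None:
            findings.append(f"{name}: runAsGroup not set")
        # allowPrivilegeEscalation defaults to true unless explicitly false
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        dropped = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged is true")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem not true")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not true")
    return findings


if __name__ == "__main__":
    for pod in (UNHARDENED_POD, HARDENED_POD):
        print(pod["metadata"]["name"], json.dumps(audit_pod(pod), indent=2))
```

Running the script reports six findings for the default Pod and none for the hardened one. The same check can be run over a rendered deployment template (for example the output of `kubectl get pod -o json`) by loading the JSON and passing the Pod object to audit_pod.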


References

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/