Workload Hardening

Securing your runtime environment is critical to minimizing the blast radius of a potential compromise.

Security Context

The securityContext field in your Pod manifest is the primary tool for hardening.

1. Drop Capabilities

By default, containers are given a wide range of Linux capabilities (like CHOWN, NET_BIND_SERVICE). Most applications need none of these.

Recommendation: Drop ALL capabilities.

securityContext:
  capabilities:
    drop:
    - ALL

2. Run as Non-Root

Ensure your container is running as a non-root user. This connects with the build-time user creation.

securityContext:
  runAsNonRoot: true
  runAsUser: 1001
  runAsGroup: 1001

3. Read-Only Root Filesystem

Prevent attackers from writing malicious executables or modifying configuration at runtime by making the root filesystem read-only.

securityContext:
  readOnlyRootFilesystem: true

Note: You may need to mount an emptyDir volume to /tmp if your application needs to write temporary files.

Seccomp Profiles

Seccomp (Secure Computing Mode) restricts the system calls a process can make to the kernel.

Recommendation: Enable the RuntimeDefault profile, which blocks many dangerous syscalls.

securityContext:
  seccompProfile:
    type: RuntimeDefault

Full Example

apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: my-app
    image: my-app:1.0.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL

For more details on Pod Security Standards (PSS), see the Security Context documentation.