Security Context & PSS
Security Context PSS Compliance
Guidelines on Pod Security Standards (PSS) and Security Context configurations.
What is a Security Context?
A Security Context defines privilege and access control settings for a Pod or Container. It answers questions like: "Does this container run as root?", "Can it access the host filesystem?", or "Which Linux capabilities does it have?". Configuring this correctly is crucial for securing your cluster against attackers who might compromise a container.
Official Kubernetes Security Context Documentation
Pod Security Standards (PSS)
Kubernetes Pod Security Standards define three different policies to broadly cover the security spectrum:
- Privileged: Unrestricted policy, providing the widest possible level of permissions.
- Baseline: Minimally restrictive policy which prevents known privilege escalations.
- Restricted: Heavily restricted policy, following current Pod hardening best practices.
Configuration Example
For a detailed breakdown of hardening techniques, including capabilities and seccomp, see the Workload Hardening guide.
Recommended securityContext and podSecurityContext for restricted environments.
# Pod Level
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1001
  runAsGroup: 1001
  fsGroup: 1001
  seccompProfile:
    type: RuntimeDefault
# Container Level
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1001
  runAsGroup: 1001

TODO: Clarify which namespaces invoke the Restricted PSS policy.
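The following added example, which is not code from this page or from the Kubernetes project, checks a rendered Pod spec against a subset of the Restricted profile rules and shows that a container-level securityContext overrides the pod-level one. It assumes podSecurityContext is rendered into the Pod's spec.securityContext; the function name and both sample specs are constructed for illustration.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Return Restricted-profile violations for a Pod spec dict (subset of the checks)."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")

        def effective(field):
            # A container-level value overrides the pod-level one when both are set.
            return sc[field] if field in sc else pod_sc.get(field)

        # allowPrivilegeEscalation and capabilities exist only at container level.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if effective("runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if effective("runAsUser") == 0:
            problems.append(f"{name}: runAsUser must not be 0")
        if (effective("seccompProfile") or {}).get("type") not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            problems.append(f"{name}: capabilities.add not allowed: {extra}")
    return problems

# Constructed sample: mirrors the values recommended on this page.
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001,
                        "fsGroup": 1001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
        "readOnlyRootFilesystem": True, "runAsNonRoot": True,
        "runAsUser": 1001, "runAsGroup": 1001}}],
}
# Constructed sample: same pod-level settings, but a sidecar overrides or omits them.
WEAK = {
    "securityContext": HARDENED["securityContext"],
    "containers": HARDENED["containers"] + [{"name": "sidecar", "securityContext": {
        "runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, restricted_violations(spec))
```

The sidecar inherits runAsNonRoot and seccompProfile from the pod level, yet still fails because allowPrivilegeEscalation and capabilities can only be set per container and its runAsUser overrides the pod-level 1001.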