Docker Security
By default, the container's entrypoint is ran by root
. You can overwrite it by using the --user
option:
docker container run --user=1001 ubuntu sleep 3600
Linux capabilities are listed in /usr/include/linux/capability.h
A docker container has, by default, not all capabilities enabled. You can enable them individually with the --cap-add
option. Example:
docker container run --cap-add MAC_ADMIN ubuntu
You can drop them with --cap-drop
option:
docker container run --cap-drop KILL ubuntu
If you want all privileges enabled, use the --privileged
flag:
docker container run --privileged ubuntu
Security Context
The docker security features mentioned above can be used in the pod's definition file as well, via securityContext
You can decide if you want to set the securityContext
in the pod's level (pod.spec.securityContext
) or individual containers' level (pod.spec.containers.securityContext
)
Example:
apiVersion: v1
kind: Pod
metadata:
name: web-pod
spec:
containers:
- name: ubuntu
image: ubuntu
command: ["sleep", "3600"]
securityContext:
runAsUser: 1000
# NOTE: capabilities are only supported at container's level
capabilities:
add: ["MAC_ADMIN"]