4. Container Security Policies
• What?
  • Can the container process run as the ‘root’ user?
  • Can the user run a ‘privileged’ container?
  • Which ‘capabilities’ should be allowed for the container?
  • …
• How?
  • How can the cluster admin enforce container security?
  • Kubernetes provides Pod Security Policy for enforcing cluster-wide security policies.
5. Example Policy
Don’t allow process(es) inside the container to run as the ‘root’ user
POD should meet the following criteria:
• The POD container image(s) should have USER attribute defined
OR
• The POD YAML file should explicitly specify the non-root USER ID as part of securityContext
noroot.yaml
pod.yaml
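
A pair of manifests illustrating the policy above, added here as an example; these are not the slide's own noroot.yaml and pod.yaml, whose contents are not reproduced on this page. The object names, image reference and UID are assumptions.

```yaml
# Constructed example of a PodSecurityPolicy that rejects root containers.
# PodSecurityPolicy is served as policy/v1beta1 and was removed in
# Kubernetes v1.25, so this applies to clusters that still serve that API.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: noroot-example            # hypothetical name
spec:
  privileged: false               # no 'privileged' containers
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot        # the rule that enforces "no root user"
  # The remaining strategies are required fields; left permissive here
  # so the example isolates the non-root check.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# Constructed example of a Pod that satisfies the second criterion:
# the non-root user ID is stated explicitly in securityContext.
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-pod-example       # hypothetical name
spec:
  securityContext:
    runAsUser: 1000               # any non-zero UID; 1000 is an assumption
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      # Without runAsUser above, the pod relies on the first criterion:
      # the image must define USER, and as a numeric UID, because the
      # kubelet cannot verify that a user name maps to a non-root UID.
```

The policy only takes effect when the PodSecurityPolicy admission controller is enabled and the pod's user or service account is authorized, through RBAC, to `use` the policy.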