# Kubernetes SecurityContext(s)
## PodSecurityContext
When specifying the security context of a Pod you can use several attributes. From a defensive security point of view you should consider:
* Setting **runAsNonRoot** to **true**
* Configuring **runAsUser** with a non-zero UID (otherwise the image's `USER` decides)
* If possible, **limiting permissions** with **seLinuxOptions** and **seccompProfile**
* **NOT** giving privileged group access (GID 0 or other sensitive groups) via **fsGroup**, **runAsGroup** and **supplementalGroups**
| Attribute | Type | Description |
| --- | --- | --- |
| fsGroup | integer | A **supplemental group applied to all processes of the containers**. Usually used to give access to mounted volumes: the volume's files are made group-owned by this GID. |
| fsGroupChangePolicy | string | Defines the behaviour of **changing ownership and permission of the volume** before it is exposed inside the Pod (`OnRootMismatch` or `Always`). |
| runAsGroup | integer | The **GID to run the entrypoint of the container process**. Uses the runtime default if unset. May also be set in the container's SecurityContext. |
| runAsNonRoot | boolean | Indicates that the container must run as a non-root user. If true, the Kubelet validates the image at runtime to ensure that it does not run as UID 0 (root) and fails to start the container if it does. |
| runAsUser | integer | The **UID to run the entrypoint of the container process**. Defaults to the user specified in the image metadata if unspecified. |
| seLinuxOptions | SELinuxOptions | The **SELinux context to be applied to all containers**. If unspecified, the container runtime allocates a random SELinux context for each container. |
| seccompProfile | SeccompProfile | The **seccomp options used by the containers** in this Pod. |
| supplementalGroups | integer array | A list of **groups applied to the first process run in each container**, in addition to the container's primary GID. |
| sysctls | Sysctl array | A list of **namespaced sysctls used for the Pod**. Pods with sysctls unsupported by the container runtime might fail to launch. |
| windowsOptions | WindowsSecurityContextOptions | The Windows-specific settings applied to all containers. If unspecified, the options within a container's SecurityContext are used. |
## SecurityContext
This context is set inside the **containers definitions**. From a defensive security point of view you should consider:
* Setting **allowPrivilegeEscalation** to **false**
* Not adding sensitive **capabilities** (and dropping the ones you don't need)
* Setting **privileged** to **false**
* If possible, setting **readOnlyRootFilesystem** to **true**
* Setting **runAsNonRoot** to **true** and setting a **runAsUser**
* If possible, **limiting permissions** with **seLinuxOptions** and **seccompProfile**
* **NOT** giving privileged group access via **runAsGroup**
Note that for attributes that can be set in **both SecurityContext and PodSecurityContext**, the value specified in the container's **SecurityContext** takes **precedence**.
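The two checklists above (pod level and container level) as an added audit script, not code from the original page or from Kubernetes: it merges the pod- and container-level contexts with the precedence rule just described and reports every item of the checklists that a Pod spec violates. The Pod specs are written as Python dicts (the shape of a parsed manifest) so no YAML library is needed; the two sample Pods, the `SENSITIVE_CAPS` set and the wording of the findings are constructed for this example.

```python
"""Audit Pod specs against the pod- and container-level checklists above.

Added example for this page, not Kubernetes code. Pod specs are given as
Python dicts (the shape of a parsed manifest) so it runs without a YAML
library; the two sample Pods and SENSITIVE_CAPS are constructed here.
"""
from typing import Any, Dict, List

# Capabilities treated as root-equivalent by this audit (an assumption of
# this example, not a Kubernetes-defined list).
SENSITIVE_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "DAC_OVERRIDE", "SETUID", "SETGID"}

# Fields present in both PodSecurityContext and container SecurityContext;
# when both set a field, the container value takes precedence.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seLinuxOptions", "seccompProfile", "windowsOptions")


def effective_context(pod_ctx: Dict[str, Any], ctr_ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Merge pod-level and container-level contexts: the container wins."""
    merged = dict(ctr_ctx)
    for field in SHARED_FIELDS:
        if field not in merged and field in pod_ctx:
            merged[field] = pod_ctx[field]
    return merged


def audit_container(name: str, ctx: Dict[str, Any]) -> List[str]:
    """Return one finding per violated item of the container checklist."""
    findings: List[str] = []
    caps = ctx.get("capabilities") or {}
    added = {c.upper() for c in caps.get("add") or []}
    dropped = {c.upper() for c in caps.get("drop") or []}
    privileged = bool(ctx.get("privileged", False))
    if privileged:
        findings.append(f"{name}: privileged=true (root-equivalent on the host)")
    # allowPrivilegeEscalation defaults to true and is forced true for
    # privileged containers or CAP_SYS_ADMIN, whatever the field says.
    ape = ctx.get("allowPrivilegeEscalation", True)
    if privileged or added & {"SYS_ADMIN", "ALL"}:
        ape = True
    if ape:
        findings.append(f"{name}: allowPrivilegeEscalation effectively true (no_new_privs unset)")
    if added & SENSITIVE_CAPS:
        findings.append(f"{name}: adds sensitive capabilities {sorted(added & SENSITIVE_CAPS)}")
    if "ALL" not in dropped:
        findings.append(f"{name}: does not drop ALL capabilities")
    if ctx.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot is not true")
    if ctx.get("runAsUser") is None:
        findings.append(f"{name}: runAsUser unset (falls back to the image USER)")
    elif ctx["runAsUser"] == 0:
        findings.append(f"{name}: runAsUser=0 (root)")
    if ctx.get("runAsGroup") == 0:
        findings.append(f"{name}: runAsGroup=0 (root group)")
    if not ctx.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    if "seccompProfile" not in ctx:
        findings.append(f"{name}: no seccompProfile (pod or container)")
    return findings


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Audit every container (init containers included) of a Pod manifest."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext") or {}
    findings: List[str] = []
    if pod_ctx.get("fsGroup") == 0 or 0 in (pod_ctx.get("supplementalGroups") or []):
        findings.append("pod: grants GID 0 via fsGroup/supplementalGroups")
    for ctr in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        ctx = effective_context(pod_ctx, ctr.get("securityContext") or {})
        findings.extend(audit_container(ctr["name"], ctx))
    return findings


# Constructed sample: the pod says UID 1000, but the container overrides it to 0.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{
            "name": "app", "image": "example.invalid/app:1",
            "securityContext": {"runAsUser": 0,
                                "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}},
        }],
    },
}

# Constructed sample applying both checklists: the container inherits the
# pod-level UID/GID and seccomp profile and adds the container-only fields.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                            "fsGroup": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example.invalid/app:1",
            "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

The weak Pod illustrates the precedence note: the pod-level `runAsUser: 1000` is overridden by the container's `runAsUser: 0`, so the audit reports root even though the pod spec looks safe at first glance, and the added `SYS_ADMIN` capability makes `allowPrivilegeEscalation` effectively true regardless of how the field is set. The hardened Pod produces no findings.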
| Attribute | Type | Description |
| --- | --- | --- |
| allowPrivilegeEscalation | boolean | Controls whether a process can **gain more privileges** than its parent process. This bool directly controls whether the `no_new_privs` flag is set on the container process. Defaults to true if unset, and is **always true** when the container runs as **privileged** or has **CAP\_SYS\_ADMIN**. |
| capabilities | Capabilities | The **capabilities to add/drop when running containers**. Defaults to the container runtime's default set of capabilities. |
| privileged | boolean | Run the container in privileged mode. Processes in privileged containers are essentially **equivalent to root on the host**. Defaults to false. |
| procMount | string | The **type of proc mount to use for the container**. The default is `DefaultProcMount`, which uses the container runtime defaults for read-only paths and masked paths. |
| readOnlyRootFilesystem | boolean | Whether this **container has a read-only root filesystem**. Defaults to false. |
| runAsGroup | integer | The **GID to run the entrypoint** of the container process. Uses the runtime default if unset. |
| runAsNonRoot | boolean | Indicates that the container must **run as a non-root user**. If true, the Kubelet validates the image at runtime to ensure that it does not run as UID 0 (root) and fails to start the container if it does. |
| runAsUser | integer | The **UID to run the entrypoint** of the container process. Defaults to the user specified in the image metadata if unspecified. |
| seLinuxOptions | SELinuxOptions | The **SELinux context to be applied to the container**. If unspecified, the container runtime allocates a random SELinux context for each container. |
| seccompProfile | SeccompProfile | The **seccomp options** used by this container. |
| windowsOptions | WindowsSecurityContextOptions | The **Windows-specific settings** applied to this container. If unspecified, the options from the PodSecurityContext are used. |
## References
* [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core)
* [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core)