Container Security and Security Context

Docker Security

The Docker container and the host machine share the same kernel, the processes within the docker container are isolated by the linux namespaces, so all the process that are running in the container can also be monitored in the host machine process list, it is important to see as under what user is the process running on the host, as the process running as root is VERY DANGEROUS and is a huge security risk

This can be mitigated as by checking the build image file of other images or, manually setting the user id to a value in our Dockerfile i.e.

FROM ubuntu:latest
USER 1000

but the docker root user is different compared to the docker root user, this is done by using the Linux capabilities, as such some privileges are not granted to the docker root user such as rebooting the system etc.

if you want to add or drop the capabilities (CAP) this can be done by the following commands such as

docker run --cap-add KILL `image` # to add process kill capability
 
docker run --cap-drop KILL `image` # to add process kill capability
 
# to grant all the permissions to the container
docker run --privledged `image`

Security Context

If we would like make sure that the pods we have run as a particular user we can use the following in the pod spec section, if we desire to have it for container move it to the container spec section.

securityContext:
	runAsUser: 1000

to add capabilities (only available on container level)

securityContext:
	capabilities:
		add: ["MAC_ADMIN","SYS_ADMIN]