How can you specify which user a container runs as in k8s?

In Kubernetes, there are several ways to control which user a container's processes run as.

  1. Using securityContext:
    You can set runAsUser (and, alongside it, runAsGroup and runAsNonRoot) in the securityContext of the Pod, which applies to every container including init containers, or in the securityContext of an individual container, which overrides the Pod-level value for that container. For example:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: my-image
    securityContext:
      runAsUser: 1000

In the example above, the container's processes run as user ID 1000 regardless of the USER directive in the image. Note that runAsUser alone does not forbid root: if it is omitted and the image's USER is root, the container runs as UID 0. Adding runAsNonRoot: true makes the kubelet refuse to start any container whose effective UID is 0.

  2. Using PodSecurityPolicy (PSP), a cluster administrator can restrict which users Pods are allowed to run as. A PSP is not referenced from the Pod's securityContext; it is granted to the Pod's creator or service account through RBAC, and the admission controller then validates (and, for some rules, mutates) every Pod that creator submits. PSP is deprecated since Kubernetes 1.21 and was removed in 1.25, where Pod Security Admission replaces it. For example:

First, create a PodSecurityPolicy.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

Next, grant the PSP to the Pod's service account: create a Role (or ClusterRole) with verbs: ["use"] on resources: ["podsecuritypolicies"] with resourceNames: ["my-psp"], and bind it to the service account with a RoleBinding. A Pod created under that service account then needs no PSP-specific fields or annotations:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: my-image

In the example above, the admission controller checks the Pod against my-psp. Because of the MustRunAsNonRoot rule, a Pod that sets runAsUser: 0 is rejected, and a Pod that sets neither runAsUser nor runAsNonRoot is mutated to runAsNonRoot: true, so the kubelet refuses to start an image whose USER is root. (The seccomp.security.alpha.kubernetes.io/pod annotation that is sometimes shown for this purpose selects a seccomp profile, not a PSP.) On Kubernetes 1.25 and later, the equivalent is Pod Security Admission: label the namespace with pod-security.kubernetes.io/enforce=restricted, and every Pod in it must declare runAsNonRoot: true and must not set runAsUser: 0.

  3. Using initContainers, you can define one or more containers in a Pod that run to completion before the main containers start. An init container can run with its own securityContext (typically as root) to prepare a shared volume, for example by fixing file ownership, for a main container that runs as an unprivileged user. For example:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  initContainers:
  - name: init-container
    image: my-init-image
    command: ["sh", "-c", "chown -R 1000:1000 /data"]
    volumeMounts:
    - name: my-volume
      mountPath: /data
  containers:
  - name: my-container
    image: my-image
    volumeMounts:
    - name: my-volume
      mountPath: /data
  volumes:
  - name: my-volume
    emptyDir: {}

In the example above, the init container runs as the user its image defaults to (root, unless the image sets a USER or the container has its own securityContext), changes the owner of the /data directory to user ID 1000, and exits. The same emptyDir volume is then mounted into the main container, which should itself carry securityContext.runAsUser: 1000 so that it can write to the directory without being root. For volumes that support it, setting spec.securityContext.fsGroup: 1000 achieves group ownership of the volume without a root init container at all.

These are the common ways to control which user a container runs as in Kubernetes. Choose the one that fits your needs, and whichever you pick, set runAsNonRoot: true so that an image that unexpectedly runs as root cannot start.
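To see how Pod-level and container-level settings combine, and what the MustRunAsNonRoot rule or the Pod Security Admission restricted profile would say about a manifest before you apply it, here is an added example written for this answer (it is not Kubernetes code or any project's tooling). It reproduces the documented precedence rule (container securityContext overrides Pod securityContext) and the documented admission checks (no runAsUser: 0 anywhere, and every container must end up with runAsNonRoot: true). The manifests are constructed inline as Python dicts, in the shape yaml.safe_load would return, so it runs with no cluster and no extra packages; the names my-pod, chown-pod, my-image and my-init-image are placeholders.

```python
"""Static check of Pod manifests for the "run as non-root" admission rules.

Added example for this answer; not part of Kubernetes. Manifests below are
constructed sample data, not taken from a real cluster.
"""

ROOT_UID = 0
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def _pick(container_sc, pod_sc, field):
    """Container-level value wins; an unset (or explicit null) field falls
    back to the Pod-level securityContext, and finally to None, which means
    the image's USER directive decides at runtime."""
    value = container_sc.get(field)
    return pod_sc.get(field) if value is None else value


def effective_security(pod):
    """Map each container name to its effective runAsUser / runAsNonRoot,
    applying Kubernetes precedence across init, regular and ephemeral
    containers."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    result = {}
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name, []):
            c_sc = c.get("securityContext") or {}
            result[c["name"]] = {
                "runAsUser": _pick(c_sc, pod_sc, "runAsUser"),
                "runAsNonRoot": _pick(c_sc, pod_sc, "runAsNonRoot"),
            }
    return result


def non_root_violations(pod):
    """Findings a MustRunAsNonRoot PSP or the PSA 'restricted' profile would
    raise at admission: runAsUser must not be 0 at Pod or container level,
    and every container must effectively have runAsNonRoot == true.
    Returns a list of strings; an empty list means the Pod is compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    if pod_sc.get("runAsUser") == ROOT_UID:
        findings.append("spec.securityContext: runAsUser is 0 (root)")
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name, []):
            if (c.get("securityContext") or {}).get("runAsUser") == ROOT_UID:
                findings.append(f"{c['name']}: runAsUser is 0 (root)")
    for name, sc in effective_security(pod).items():
        if sc["runAsNonRoot"] is not True:
            findings.append(f"{name}: runAsNonRoot not true (image USER decides)")
    return findings


# Constructed sample manifests (placeholders, not real workloads).
POD_RUNASUSER_ONLY = {  # the first manifest in this answer
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "my-pod"},
    "spec": {"containers": [
        {"name": "my-container", "image": "my-image",
         "securityContext": {"runAsUser": 1000}}]},
}

POD_OVERRIDE_TO_ROOT = {  # Pod says non-root, the init container opts back out
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "chown-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "initContainers": [
            {"name": "init-container", "image": "my-init-image",
             "securityContext": {"runAsNonRoot": False, "runAsUser": 0}}],
        "containers": [{"name": "my-container", "image": "my-image"}],
    },
}

POD_RESTRICTED_OK = {  # what the restricted profile accepts
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "my-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "runAsGroup": 1000, "fsGroup": 1000},
        "containers": [{"name": "my-container", "image": "my-image"}],
    },
}


def main():
    for pod in (POD_RUNASUSER_ONLY, POD_OVERRIDE_TO_ROOT, POD_RESTRICTED_OK):
        print(pod["metadata"]["name"], effective_security(pod))
        for finding in non_root_violations(pod) or ["compliant"]:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The first manifest illustrates the trap from item 1: runAsUser: 1000 gives a non-root UID, yet the restricted profile still rejects it because runAsNonRoot is not declared. The second shows that a container-level runAsNonRoot: false wins over the Pod-level true, which is exactly why a root init container must be reviewed rather than assumed harmless.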
