Kubernetes Security Context Configuration

This guide describes how to configure Kubernetes security context features for Privacera services. Security contexts define privilege and access control settings for pods and containers, helping enforce security best practices and compliance requirements.

Overview

Privacera Manager supports the following types of security context configuration:

  • Pod Security Context: Security settings that apply to all containers in a pod (user/group IDs, file system groups, SELinux options, seccomp profiles)
  • Container Security Context: Security settings for individual containers (privilege escalation, capabilities, read-only filesystem)

These security contexts help ensure:

  • Containers run as non-root users
  • Containers operate with minimal privileges
  • Filesystems are protected from unauthorized modifications
  • Compliance with security standards (PCI DSS, HIPAA, SOC 2, etc.)

Prerequisites

Before configuring security contexts, ensure:

  • You understand Kubernetes security contexts and Pod Security Standards
  • For production environments, review your organization's security and compliance requirements
  • Container images support running as non-root users (Privacera images are pre-configured for this)

Configuration Steps

To configure security contexts, follow the steps below:

1. Copy the Security Context Configuration File

Bash
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.kubernetes.security.yml config/custom-vars/

This file contains security context configurations for both pod-level and container-level security settings.

2. Enable Security Contexts

Edit config/custom-vars/vars.kubernetes.security.yml and uncomment the lines to enable security contexts.

Enable Pod Security Context

Apply pod-level security settings globally:

YAML
K8S_POD_SECURITY_CONTEXT_ENABLED: "true"

When enabled, this applies the following security settings globally:

  • runAsUser: 1000 - Runs pods as user ID 1000 (non-root)
  • runAsGroup: 1000 - Sets the primary group ID to 1000
  • fsGroup: 200 - Sets the file system group ownership for volumes to group ID 200

Enable Container Security Context

Apply container-level security settings globally:

YAML
K8S_CONTAINER_SECURITY_CONTEXT_ENABLED: "true"

When enabled, this applies the following security settings globally:

  • runAsNonRoot: true - Ensures containers don't run as root
  • allowPrivilegeEscalation: false - Prevents privilege escalation
  • readOnlyRootFilesystem - Makes the root filesystem read-only (default: true for most containers; some containers are intentionally set to false based on their specific requirements)
  • capabilities.drop: ["ALL"] - Drops all Linux capabilities

To enable both at once, the file should contain:

YAML
K8S_POD_SECURITY_CONTEXT_ENABLED: "true"
K8S_CONTAINER_SECURITY_CONTEXT_ENABLED: "true"

3. Deploy or Update Privacera Manager

After copying the configuration file and making necessary changes:

For new/fresh installation:

Bash
cd ~/privacera/privacera-manager/
./privacera-manager.sh setup
./pm_with_helm.sh install
./privacera-manager.sh post-install

For upgrade scenario (existing installation):

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade

Then run the post-install steps:

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

This will apply the security context configurations to all Privacera services.

4. Verify the Configuration

Once deployment completes, verify that the security contexts are applied:

Check pod security context:

Bash
kubectl get pod <POD_NAME> -n <YOUR_NAMESPACE> -o jsonpath='{.spec.securityContext}' | jq

Check container security context:

Bash
kubectl get pod <POD_NAME> -n <YOUR_NAMESPACE> -o jsonpath='{.spec.containers[*].securityContext}' | jq

Verify non-root execution:

Bash
kubectl exec <POD_NAME> -n <YOUR_NAMESPACE> -- id

Expected output should show: uid=1000 gid=1000 groups=200,1000

Check all security settings:

Bash
kubectl describe pod <POD_NAME> -n <YOUR_NAMESPACE> | grep -A 10 "Security Context"

Understanding Security Context Settings

Default Pod Security Context Settings

When K8S_POD_SECURITY_CONTEXT_ENABLED is set to "true", the following settings are applied:

YAML
securityContext:
  runAsUser: 1000            # Run as user ID 1000 (non-root)
  runAsGroup: 1000           # Run as group ID 1000
  fsGroup: 200               # Volume ownership group ID

Default Container Security Context Settings

When K8S_CONTAINER_SECURITY_CONTEXT_ENABLED is set to "true", the following settings are applied:

YAML
securityContext:
  runAsNonRoot: true                   # Container must run as non-root
  allowPrivilegeEscalation: false      # Prevent privilege escalation
  readOnlyRootFilesystem: true         # Make root filesystem read-only (default: true)
  capabilities:
    drop:
      - ALL                            # Drop all capabilities

Note: The readOnlyRootFilesystem setting is configured per container based on its specific requirements. For most containers it defaults to true for enhanced security. However, some containers are intentionally configured with false because they require write access to the root filesystem. Where possible, services use emptyDir or persistent volume mounts for writable directories while keeping the root filesystem read-only.
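As an added verification aid that is not part of the Privacera documentation or tooling, the following Python script compares the pod and container securityContext values returned by kubectl against the defaults listed above, for every pod in a namespace at once. The script name check_sc.py and the sample pod names are assumptions; a readOnlyRootFilesystem other than true is reported as a warning rather than a failure, since the note above allows it for some containers.

```python
import json
import sys

EXPECTED_POD = {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 200}  # defaults this guide documents
EXPECTED_CONTAINER = {"runAsNonRoot": True, "allowPrivilegeEscalation": False}

def check_pod(pod: dict) -> dict:
    """Check one pod (kubectl -o json form). readOnlyRootFilesystem other than
    true is only a warning, since the guide allows it for some containers."""
    errors, warnings = [], []
    name = pod.get("metadata", {}).get("name", "<unknown>")
    spec = pod.get("spec", {})
    psc = spec.get("securityContext") or {}
    for key, want in EXPECTED_POD.items():
        if psc.get(key) != want:
            errors.append(f"{name}: pod securityContext.{key}={psc.get(key)!r}, expected {want}")
    for c in spec.get("containers", []):
        csc = c.get("securityContext") or {}
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        for key, want in EXPECTED_CONTAINER.items():
            if csc.get(key) != want:
                errors.append(f"{cname}: {key}={csc.get(key)!r}, expected {want}")
        dropped = (csc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            errors.append(f"{cname}: capabilities.drop={dropped!r}, expected ['ALL']")
        if csc.get("readOnlyRootFilesystem") is not True:
            warnings.append(f"{cname}: readOnlyRootFilesystem is not true; confirm the service needs it")
    return {"errors": errors, "warnings": warnings}

def check_pod_list(pod_list: dict) -> dict:
    """Aggregate check_pod over `kubectl get pods -o json` output."""
    result = {"errors": [], "warnings": []}
    for pod in pod_list.get("items", []):
        for kind, msgs in check_pod(pod).items():
            result[kind] += msgs
    return result

# Constructed sample (not real Privacera pods): svc-a-0 is compliant, svc-b-0
# still allows privilege escalation and has a writable root filesystem.
CTR_OK = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
          "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
CTR_BAD = dict(CTR_OK, allowPrivilegeEscalation=True, readOnlyRootFilesystem=False)
SAMPLE_POD_LIST = {"items": [
    {"metadata": {"name": n}, "spec": {"securityContext": dict(EXPECTED_POD),
     "containers": [{"name": "app", "securityContext": c}]}}
    for n, c in (("svc-a-0", CTR_OK), ("svc-b-0", CTR_BAD))]}

if __name__ == "__main__":  # kubectl get pods -n <NS> -o json | python3 check_sc.py
    report = check_pod_list(json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["errors"] else 0)
```

Run without piped input to see the constructed sample flagged; with kubectl output piped in, a non-zero exit code means at least one pod or container deviates from the documented settings.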

Disabling Security Contexts

To disable security contexts (not recommended for production):

  1. Edit config/custom-vars/vars.kubernetes.security.yml
  2. Set both flags to "false":
    YAML
    K8S_POD_SECURITY_CONTEXT_ENABLED: "false"
    K8S_CONTAINER_SECURITY_CONTEXT_ENABLED: "false"

  3. Save the changes
  4. Apply the changes:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    ./pm_with_helm.sh upgrade

Then run the post-install steps:

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Additional Resources