Pod Security

Back

Loading concept...

šŸ›”ļø Kubernetes Pod Security: Your Containerā€™s Bodyguard Team

Imagine your Kubernetes cluster is a super-secure castle. Every container is a guest trying to enter. Pod Security is like the team of guards at every gate, making sure only the right guests get inā€”and they follow the castle rules!

šŸŽÆ The Big Picture

When you run apps in Kubernetes, each little box (called a Pod) can do things on your computerā€”read files, talk to the network, even become super powerful. Pod Security is how we set rules so these boxes can only do what they NEED to do. Nothing more!

Think of it like giving your younger sibling a coloring book. You give them crayons (what they need), but NOT permanent markers (what they donā€™t need). Same idea here!

šŸ›ļø Pod Security Standards (PSS)

What Are They?

Pod Security Standards are like three levels of strictness for your castle gates:

graph TD
    A["šŸšØ Privileged"] --> B["Everything Allowed"]
    C["āš ļø Baseline"] --> D["Some Risky Things Blocked"]
    E["āœ… Restricted"] --> F["Only Safe Things Allowed"]

The Three Levels

Level What It Means Real-Life Analogy
Privileged No restrictions. Full trust. VIP passā€”go anywhere!
Baseline Blocks known dangerous stuff Regular museum ticketā€”most rooms open
Restricted Maximum safety. Minimal permissions Library cardā€”quiet zone only!

Simple Example

# A Pod that follows "Restricted" rules
apiVersion: v1
kind: Pod
metadata:
  name: safe-pod
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]

Why this matters: If someone hacks your app, they canā€™t become ā€œking of the computerā€ because we already limited what the Pod can do!

šŸšŖ Pod Security Admission (PSA)

What Is It?

Pod Security Admission is the actual guard that checks every Pod before letting it in. It looks at your Pod and asks: ā€œDoes this follow our rules?ā€

graph TD
    A["Pod Wants to Start"] --> B{PSA Guard Checks}
    B -->|Follows Rules| C["āœ… Pod Starts"]
    B -->|Breaks Rules| D["āŒ Pod Rejected"]

Three Actions PSA Can Take

  1. Enforce šŸ›‘ ā€” Block the Pod completely
  2. Audit šŸ“ ā€” Let it in, but write it down for review
  3. Warn āš ļø ā€” Let it in, but show a warning message

Simple Example

# Label a namespace to enforce rules
apiVersion: v1
kind: Namespace
metadata:
  name: my-secure-apps
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted

What happens: Any Pod in the my-secure-apps namespace MUST follow ā€œrestrictedā€ rules or it wonā€™t start!

šŸŽ­ Security Contexts

What Are They?

Security Contexts are like ID cards for your containers. They tell Kubernetes:

  • Who are you? (which user)
  • What can you do? (permissions)
  • What can you NOT do? (limits)

Pod-Level vs Container-Level

graph TD
    A["Security Context"] --> B["Pod Level"]
    A --> C["Container Level"]
    B --> D["Applies to ALL containers"]
    C --> E["Applies to ONE container"]

Key Settings

Setting What It Does Example
runAsUser Which user runs the app 1000 (not root!)
runAsGroup Which group the user belongs to 3000
runAsNonRoot Prevent running as admin true
readOnlyRootFilesystem Canā€™t change system files true
fsGroup Group for shared storage 2000

Simple Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: app
    image: myapp
    securityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true

Why this matters: Even if bad code runs, it canā€™t mess with important files because itā€™s just a regular user, not the boss!

šŸ”§ Container Capabilities

What Are They?

Linux has superpowers called capabilities. Instead of being ā€œall-powerfulā€ or ā€œpowerless,ā€ you can pick exactly which powers a container gets.

Think of it like a superhero toolkit:

  • šŸ”Ø NET_BIND_SERVICE ā€” Can use special network ports
  • šŸ”“ CHOWN ā€” Can change file owners
  • āš” SYS_ADMIN ā€” Super dangerous! Almost like being root

The Golden Rule

Drop ALL capabilities, then add only what you need!

Simple Example

apiVersion: v1
kind: Pod
metadata:
  name: minimal-powers-pod
spec:
  containers:
  - name: web
    image: nginx
    securityContext:
      capabilities:
        drop:
          - ALL
        add:
          - NET_BIND_SERVICE

What this does: The container canā€™t do ANYTHING special, except bind to port 80/443. Thatā€™s exactly what a web server needsā€”nothing more!

Common Capabilities to Know

Capability What It Does Keep or Drop?
NET_BIND_SERVICE Bind to ports < 1024 Keep if web server
CHOWN Change file ownership Usually drop
SETUID/SETGID Change user/group Usually drop
SYS_ADMIN Almost everything ALWAYS drop!
NET_RAW Raw network packets Usually drop

šŸ”‡ Seccomp Profiles

What Is Seccomp?

Seccomp (Secure Computing Mode) is like a list of allowed phone calls your container can make to the computerā€™s brain (kernel).

Your container: ā€œHey computer, I want to read a file!ā€ Seccomp: ā€œLet me check my listā€¦ āœ… OK, thatā€™s allowed.ā€

Your container: ā€œHey computer, I want to reboot you!ā€ Seccomp: ā€œLet me checkā€¦ āŒ NOPE! Not on the list!ā€

graph TD
    A["Container Wants Something"] --> B{Seccomp Filter}
    B -->|On Allowed List| C["āœ… Request Granted"]
    B -->|Not Allowed| D["āŒ Request Blocked"]

Three Types of Profiles

Type What It Does
Unconfined No filtering (dangerous!)
RuntimeDefault Use the container runtimeā€™s safe defaults
Localhost Use a custom profile you created

Simple Example

apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp

Why this matters: Even if an attacker gets into your container, they can only make ā€œphone callsā€ that are on the approved list!

šŸƒ RuntimeClass

What Is It?

RuntimeClass lets you choose different container engines for different workloads. Itā€™s like choosing between different types of cars for different jobs.

graph TD
    A["RuntimeClass"] --> B["gVisor - Extra Sandbox"]
    A --> C["Kata Containers - Mini VMs"]
    A --> D["Default - Normal Containers"]

When Would You Use This?

  • Running untrusted code? ā†’ Use gVisor or Kata (extra isolation)
  • Need maximum performance? ā†’ Use default runtime
  • Processing sensitive data? ā†’ Use a hardened runtime

Simple Example

# First, create a RuntimeClass
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: secure-runtime
handler: runsc  # gVisor handler
---
# Then use it in your Pod
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-pod
spec:
  runtimeClassName: secure-runtime
  containers:
  - name: untrusted-app
    image: some-app

Why this matters: If youā€™re running code you donā€™t fully trust, you can put it in an extra-strong sandbox!

šŸšØ Admission Controllers

What Are They?

Admission Controllers are like bouncers at a club. When you try to create or change something in Kubernetes, they check if itā€™s allowed.

graph TD
    A["You: Create Pod"] --> B["API Server"]
    B --> C{Admission Controllers}
    C -->|All Say Yes| D["āœ… Pod Created"]
    C -->|One Says No| E["āŒ Rejected"]

Two Types

Type When It Runs What It Does
Mutating First Can change your request
Validating Second Can only accept or reject

How They Work Together

  1. You submit a Pod request
  2. Mutating controllers run ā†’ might add security defaults
  3. Validating controllers run ā†’ check if everything is OK
  4. If all pass ā†’ Pod is created!

šŸ—ļø Built-in Admission Controllers

Kubernetes comes with many admission controllers already installed. Here are the security-related ones:

PodSecurity

The star of the show! Enforces Pod Security Standards.

# Enabled by default in Kubernetes 1.25+
# Configured via namespace labels
pod-security.kubernetes.io/enforce: restricted

LimitRanger

Sets default limits if you forget to add them.

apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
spec:
  limits:
  - default:
      cpu: "500m"
      memory: "256Mi"
    type: Container

ServiceAccount

Automatically mounts service account tokens. Important: You might want to disable this for security!

apiVersion: v1
kind: Pod
spec:
  automountServiceAccountToken: false

NodeRestriction

Stops nodes from modifying things they shouldnā€™t. Kubelets can only modify their own nodeā€™s objects.

AlwaysPullImages

Forces images to be pulled every time (prevents using cached malicious images).

Security-Related Controllers Summary

Controller What It Does
PodSecurity Enforces PSS levels
LimitRanger Sets resource defaults
ServiceAccount Manages service tokens
NodeRestriction Limits node permissions
AlwaysPullImages Forces fresh image pulls
DenyServiceExternalIPs Blocks external IP services

šŸŽÆ Putting It All Together

Hereā€™s a super-secure Pod using everything we learned:

apiVersion: v1
kind: Pod
metadata:
  name: fortress-pod
spec:
  runtimeClassName: secure-runtime
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: secure-app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
    resources:
      limits:
        cpu: "500m"
        memory: "128Mi"

šŸ§  Remember This!

graph TD
    A["Pod Security"] --> B["Standards - The Rules"]
    A --> C["Admission - The Guard"]
    A --> D["Context - The ID Card"]
    A --> E["Capabilities - The Powers"]
    A --> F["Seccomp - The Filter"]
    A --> G["RuntimeClass - The Engine"]
    A --> H["Controllers - The Bouncers"]

The Security Sandwich:

  1. šŸž Standards define WHAT is safe
  2. šŸ„¬ Admission checks BEFORE entry
  3. šŸ§€ Context sets WHO can do WHAT
  4. šŸ… Capabilities limit SUPERPOWERS
  5. šŸ„“ Seccomp filters SYSTEM CALLS
  6. šŸž RuntimeClass chooses the ENGINE

šŸš€ Youā€™ve Got This!

You now understand how Kubernetes keeps your containers safe:

  • Pod Security Standards = The rulebook (Privileged, Baseline, Restricted)
  • Pod Security Admission = The guard checking the rulebook
  • Security Contexts = ID cards for containers
  • Capabilities = Specific superpowers (drop them all!)
  • Seccomp = System call filter
  • RuntimeClass = Choose your container engine
  • Admission Controllers = Bouncers at every door

Your containers are now as safe as a treasure in a dragon-guarded castle! šŸ°šŸ‰

Remember: Security isnā€™t about making things impossibleā€”itā€™s about making sure everything only does what it needs to do. Nothing more, nothing less!

Loading story...

Story - Premium Content

Please sign in to view this story and start learning.

Upgrade to Premium to unlock full access to all stories.

Sign In to Access Get Premium Access Close

Stay Tuned!

Story is coming soon.

Story Preview

Story - Premium Content

Please sign in to view this concept and start learning.

Upgrade to Premium to unlock full access to all content.

Sign In to Access Get Premium Access Close