Docker Security

By default, the container's entrypoint runs as root (UID 0). You can override this with the --user option (a UID, or UID:GID):

docker container run --user=1001 ubuntu sleep 3600

Linux capabilities are listed in /usr/include/linux/capability.h

A Docker container does not, by default, have all capabilities enabled: it starts with a restricted default set and everything else is dropped. You can add capabilities individually with the --cap-add option. Example:

docker container run --cap-add MAC_ADMIN ubuntu

You can drop them with the --cap-drop option (--cap-drop ALL, followed by --cap-add for only what the workload needs, is the usual least-privilege pattern):

docker container run --cap-drop KILL ubuntu

If you want all capabilities enabled, use the --privileged flag. This also lifts the device cgroup restrictions and turns off the default seccomp and AppArmor profiles, so the container is effectively root on the host; avoid it unless the workload genuinely needs it:

docker container run --privileged ubuntu

Security Context

The Docker security features mentioned above have Kubernetes equivalents that can be set in the Pod definition file via securityContext.

You can set the securityContext at the Pod level (pod.spec.securityContext, applied to every container in the Pod) or at the individual container level (pod.spec.containers[].securityContext); a container-level setting overrides the Pod-level one for that container.

Example:

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "3600"]
      # Container-level settings override the Pod-level ones for this container
      securityContext:
        runAsUser: 1000      # equivalent of docker run --user=1000
        # NOTE: capabilities are only supported at the container level
        capabilities:
          add: ["MAC_ADMIN"]  # equivalent of docker run --cap-add MAC_ADMIN
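To check what --cap-add/--cap-drop (Docker section above) or the securityContext capabilities field (Pod example above) actually changed, read the capability mask of a process inside the container and decode it. The decoder below is an added example, not part of the original notes or of Docker/Kubernetes; it uses the capability numbering from /usr/include/linux/capability.h (assumed current up to CAP_CHECKPOINT_RESTORE = 40), and the sample mask 00000000a80425fb is a constructed value corresponding to Docker's default capability set.

```shell
#!/bin/sh
# Decode Linux capability bitmasks (the CapEff / CapBnd lines of /proc/<pid>/status)
# into names, and compute the effect of adding or dropping one capability.
# Numbering follows /usr/include/linux/capability.h: CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40
# (assumed current for this example).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON \
BPF CHECKPOINT_RESTORE"

# Bit number of a capability name given without the CAP_ prefix; fails if unknown.
cap_index() {
    i=0
    for name in $CAP_NAMES; do
        if [ "$name" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    echo "unknown capability: $1" >&2
    return 1
}

# Print the CAP_* names whose bit is set in a hex mask such as 00000000a80425fb.
decode_caps() {
    mask=$((0x$1))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }CAP_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# Mask after --cap-add NAME (sets the bit), printed as 16 hex digits like /proc does.
cap_add() {
    idx=$(cap_index "$2") || return 1
    printf '%016x\n' $(( 0x$1 | (1 << idx) ))
}

# Mask after --cap-drop NAME (clears the bit).
cap_drop() {
    idx=$(cap_index "$2") || return 1
    printf '%016x\n' $(( 0x$1 & ~(1 << idx) ))
}

# Constructed sample: CapEff of a root process running under Docker's default set.
DEFAULT_MASK=00000000a80425fb

echo "default set:               $(decode_caps $DEFAULT_MASK)"
echo "after --cap-drop KILL:     $(decode_caps "$(cap_drop $DEFAULT_MASK KILL)")"
echo "after --cap-add MAC_ADMIN: $(decode_caps "$(cap_add $DEFAULT_MASK MAC_ADMIN)")"
# --privileged sets every bit (000001ffffffffff on a kernel that knows 41 capabilities)
echo "--privileged:              $(decode_caps 000001ffffffffff | wc -w | tr -d ' ') capabilities"
```

Get a real mask with `docker container run --rm ubuntu grep CapEff /proc/self/status` or `kubectl exec web-pod -- grep CapEff /proc/1/status` and pass the hex value to decode_caps. Note that when the container runs as a non-root user (--user or runAsUser) the effective set is normally empty, so read the CapBnd line instead to see what --cap-add or capabilities.add left in the bounding set.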