Docker Security and K8 Security Contexts

We are all aware of the following facts:

  1. The host (i.e. your machine) itself runs a set of processes: the Docker daemon, an SSH server, OS processes, etc.
  2. Docker containers, unlike VMs, share the same Linux kernel as the host, but they are separated from it by namespaces.
  3. A container has its own namespaces and the host has its own.
  4. All processes that run in a container in fact run on the host itself, but in a different namespace (the container's namespace).
  5. A Docker container can only see its own processes.

Process segregation in Docker

Listing processes within a container (by running `ps aux`) shows only the processes running inside that container; the host's processes are not visible.

User segregation in Docker

A Docker container has its own set of users: a root user and a set of non-root users. The user a container runs as can be chosen on the command line:

`docker run --user=1000 ubuntu sleep 1000`

or baked into the image with a `USER` instruction in the Dockerfile:

```dockerfile
FROM ubuntu
USER 1000
```

```shell
docker build -t my-ubuntu-image .
docker run my-ubuntu-image
```
  1. Docker implements a set of security features that limit the capabilities of the root user within the container.
  2. The root user within the container is not really the same as the root user on the host.
  3. Docker uses Linux capabilities to achieve this.
  4. The root user is the most powerful user in a system and can perform operations such as CHOWN, DAC, KILL, SETGID, SETUID, NET_ADMIN, etc.
  5. A process running as the root user likewise has unrestricted access to the system.
  6. Docker's root user by default has limited capabilities; it does not have all the privileges.
  7. We can add or remove capabilities for the container's user when running it:

```shell
docker run --cap-add KILL ubuntu
docker run --cap-drop MAC_ADMIN ubuntu
docker run --privileged ubuntu
```
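To see concretely what "limited capabilities" means, the added example below (not from the original post) decodes the `CapEff` bitmask that `/proc/<pid>/status` reports for a process, and models how `--cap-add`/`--cap-drop` change Docker's default set. The two `CapEff` lines are constructed samples (Docker's default set for container root and a fully capable host root); the `HIGH_RISK` list is the author's own triage set, not a Docker or kernel definition.

```python
"""Decode the CapEff bitmask that /proc/<pid>/status reports and model what
`docker run --cap-add/--cap-drop` does to Docker's default capability set."""

# Capability names in bit order, from linux/capability.h (index == bit number).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Constructed sample lines, as `grep CapEff /proc/self/status` prints them:
# root inside a default `docker run` container, and an unconfined host root.
CONTAINER_ROOT_CAPEFF = "CapEff:\t00000000a80425fb"
HOST_ROOT_CAPEFF = "CapEff:\t000001ffffffffff"

# Illustrative triage set (an assumption of this example): capabilities whose
# presence in a container usually amounts to host-level power.
HIGH_RISK = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN",
             "DAC_READ_SEARCH", "MAC_ADMIN", "MAC_OVERRIDE", "BPF"}


def decode_capeff(status_line: str) -> set:
    """Turn a 'CapEff:<hex>' line into the set of capability names it grants."""
    mask = int(status_line.split(":", 1)[1].strip(), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def apply_docker_flags(base: set, cap_add=(), cap_drop=()) -> set:
    """Model `--cap-add X --cap-drop Y`: names may carry a CAP_ prefix, ALL means
    every capability, and individual drops are applied after adds."""
    norm = lambda c: c.upper()[4:] if c.upper().startswith("CAP_") else c.upper()
    adds, drops = {norm(c) for c in cap_add}, {norm(c) for c in cap_drop}
    caps = set() if "ALL" in drops else set(base)
    if "ALL" in adds:
        caps = set(CAP_NAMES)
    caps |= adds - {"ALL"}
    return caps - (drops - {"ALL"})


def audit(caps: set) -> dict:
    """Summarise an effective capability set the way a reviewer would read it."""
    return {"count": len(caps),
            "high_risk_present": sorted(caps & HIGH_RISK),
            "missing_vs_full": sorted(set(CAP_NAMES) - caps)}
```

Running `audit(decode_capeff(CONTAINER_ROOT_CAPEFF))` shows container root holding 14 of 41 capabilities and none of the high-risk ones; note also that `--cap-add KILL` and `--cap-drop MAC_ADMIN` from the commands above leave the default set unchanged, because KILL is already granted and MAC_ADMIN never was.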

Conclusion

So we can infer that users and processes are segregated between Docker containers and the host, and that Docker employs a set of security measures to ensure this.

  1. Configuring the user id of a container and adding or removing privileges of a user is also possible in K8.
  2. Security settings can be configured at both the container level and the pod level.
  3. If we set them at the pod level, the settings apply to all containers within the pod.
  4. If we set them at both the pod and container level, the container-level settings take precedence over the pod settings.
  5. Let's take a peek at a K8 Pod declaration:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-app
spec:
  securityContext:
    runAsUser: 1000  # all containers within this pod will run with user id 1000
  containers:
    - name: ubuntu
      image: ubuntu
      command: ["sleep", "1000"]
      securityContext:
        runAsUser: 2000  # the user id for this container would be 2000, overriding 1000
        capabilities:
          add: ["MAC_ADMIN", "KILL"]
```

Hitesh Pattanayak

Senior Consultant @ Thoughtworks | 6.5 years of experience | Polyglot | Backend Developer | Kubernetes and AWS practitioner | Finance Enthusiast