Docker Security and K8 Security Contexts
Before diving into the concepts of docker security lets understand a few basic things about how docker runs applications.
We all are aware of below facts:
- Host (i.e. your machine) itself runs a set of processes like the docker daemon, ssh-server, os processes etc.
- Docker containers unlike the VMs share same linux kernel as the hosts’ but they are separated by namespaces.
- Container has its own namespace and host has its own.
- All processes run on container in fact run on host itself but in a different namespace (namespace of container).
- Docker container can see only see its own processes.
Process segregation in docker
Listing processes within container (by running ‘ps aux’) will show only processes running within the container.
Whereas listing processes within the host (by running ‘ps aux’) will show processes of its own as well as process in other namespaces (processes within containers).
User Segregation in docker
Docker container has a set of users: root users and a set of non-root users
By default, docker runs processes within container as root users
User can be changed, user can be set using while running docker using the ‘user’ flag:
`docker run --user=1000 ubuntu sleep 1000`
Another way to set user is creating a custom image from an existing image and setting used in the docker file itself
FROM ubuntuUSER 1000
building the above custom image:
docker build -t my-ubuntu-image .
run the image w/o specifying the user:
docker run my-ubuntu-image
If we run container as a root user, is it not dangerous?
- Docker implements the set of security features that limits the capability of the root user within the container.
- Root user within the container is not really same as root user on host.
- Docker uses linux capabilities to achieve this.
- Root user is the most powerful user in a system and can do set of these ops: CHOWN, DAC, KILL, SETGID, SETUID, NET_ADMIN, KILL, etc.
- The process running as a root user too has unrestricted access of the system.
- Docker’s root user by default has limited capabilities, they do not have all the privileges.
- We can add more capabilities to the container’s user while running it:
docker run — cap-add KILL ubuntu
8. We can drop capabilities of the container’s user while running it:
docker run — cap-drop MAC_ADMIN ubuntu
9. We can run container with all privileges as well:
docker run — privileged ubuntu
So we can infer that the users and processes are segregated between docker containers and the host. Docker employs a set of security measures to ensure that.
How does this translate into K8 world
- Configuring user id of a container, adding/removing privileges of a user in a k8 is also possible
- Security settings can be configured at both container and pod level.
- If we set at pod level the settings will be applied to all containers within pod.
- If we set at both pod and container level, then settings of container level will take precedence over pod settings.
- Lets take a peek at K8 Pod declaratives:
runAsUser: 1000 #all containers within this pod will run with user id 1000
- name: ubuntu
command: [“sleep”, “1000”]
runAsUser: 2000 #the user id for this container would be 2000 overriding 1000
add: [“MAC_ADMIN”, “KILL”]