When you set up a deployment, you can append a securityContext to your containers. You can use a security context to lock down your containers.
spec: template: spec: containers: - name: your-container securityContext: runAsUser: 1001 runAsNonRoot: true readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: - all add: - NET_BIND_SERVICE
- runAsUser: Sets the UID to run as. Note this doesn't need to exist on the nodes or anything, just set it to an arbetrary number
- runAsNonRoot: True or False. Self Explanitory
- readOnlyRootFilesystem: True or False. Self Explanitory
- allowPrivilegeEscalation: True or False. Lets you use sudo or something similar to elevate your privileges within the container.
- capabilities: You would usually want to drop all capabilities, and just add the ones you need. NET_BIND_SERVICE is almost always needed if you're binding to a port. Here's a list of the Kubernetes capabilities, and how they map to Linux capabilities