Pods and containers should apply a security context Affecting Kubernetes (Container) Engine service in Kubernetes
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00659
- creditSnyk Research Team
Description
A security context controls a variety of settings for access control, Linux capabilities, and privileges. The security context may be set at the pod or the container level. Reference the Kubernetes documentation for specific recommendations for each setting.
How to fix?
Ensure a securityContext is specified at the pod or container level.
Example Configuration
apiVersion: v1
kind: Pod
metadata:
name: valid2
spec:
containers:
- name: mycontainer
image: redis
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 0
runAsUser: 0
Ensure a securityContext is specified at the pod or container level.
Example Configuration
resource "kubernetes_pod" "allowed1" {
metadata {
name = "example-pod"
}
spec {
security_context {
run_as_user = 10000
}
container {
name = "example-container"
image = "nginx:latest"
port {
container_port = 80
}
}
}
}
resource "kubernetes_pod" "allowed2" {
metadata {
name = "example-pod1"
}
spec {
container {
name = "example-container1"
image = "nginx:latest"
security_context {
run_as_user = 10000
}
port {
container_port = 80
}
}
}
}