Security Context
Kubernetes version 1.25 is approaching. We will upgrade to this version by the beginning of July 2023. In this release PodSecurityPolicy (PSP), deprecated since Kubernetes 1.21, is removed, and Pod Security Admission (PSA) replaces it. Although this change is primarily a matter of Kubernetes administration and not directly related to users, some user action is still required.
PSP was a mutating policy: any security options missing from a deployment manifest were injected into the manifest automatically, and users typically did not notice the change. PSA is only a validating policy: a manifest that lacks a required security option is rejected, so the user must add every required option before deployment.
All security options are specified in the securityContext. There are two security contexts: (1) the Pod security context and (2) the Container security context. The Pod security context sits in the pod spec at the same level as the containers list and applies to all containers of the pod; the Container security context sits inside each container and, for options that exist at both levels (such as runAsUser, runAsNonRoot and seccompProfile), overrides the pod-level setting for that container.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      securityContext:            # Pod security context
        fsGroupChangePolicy: OnRootMismatch
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - image: ubuntu
          name: example
          securityContext:        # Container security context
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```

The important new options for the Pod security context are the following:
```yaml
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault
```

Note that `runAsNonRoot: true` is enforced by the kubelet when the container starts: an image whose default user is root fails to start with a "container has runAsNonRoot and image will run as root" error unless a non-root `runAsUser` is set, which is why the example above sets `runAsUser: 1000` in the container.

`fsGroupChangePolicy: OnRootMismatch` is not required by PSA but is strongly recommended: the kubelet then skips the recursive ownership change of a mounted volume when the root of the volume already has the expected group, which avoids slow starts and timeouts when attaching large PVCs.
The important new options for the Container security context are the following:
```yaml
allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
```

Without all of these options, Pods created after the upgrade by Deployments, DaemonSets, CronJobs and Jobs, as well as Pods created directly, will be rejected by the admission controller (a Pod that is already running keeps running until it is recreated). All of these options are valid in the current version and can be added now.
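Because PSA no longer fills in missing options, it pays to lint manifests before the upgrade. The following is an added example, not CERIT-SC code or a tool the page provides: a small checker that takes a pod spec as an already parsed dict (so it needs neither PyYAML nor a cluster) and reports the options listed above the way the PSA `restricted` profile evaluates them, plus the closely related `runAsUser`, `privileged` and `capabilities.add` checks from the same profile. It deliberately does not cover the rest of the profile (host namespaces, hostPorts, volume types, procMount, sysctls). The three pod specs are constructed samples: one written the way manifests were typically written under PSP, one only half fixed, and the one from the Deployment above.

```python
"""Pre-flight lint for the securityContext options that Pod Security Admission
(restricted profile) validates and that PSP used to inject silently.
Added example; covers only a subset of the restricted profile."""
from typing import Any


def _effective(pod_sc: dict, ctr_sc: dict, key: str) -> Any:
    """A container-level securityContext field overrides the pod-level default."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_pod_spec(pod_spec: dict) -> list[str]:
    """Return violation messages for a pod spec; an empty list means it passes.

    For a Deployment, DaemonSet, Job or CronJob pass spec.template.spec (the
    pod template's spec): that is what PSA evaluates when the controller
    creates the Pod.
    """
    violations: list[str] = []
    pod_sc = pod_spec.get("securityContext") or {}
    # Init containers are evaluated exactly like regular containers.
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for ctr in containers:
        name = ctr.get("name", "<unnamed>")
        ctr_sc = ctr.get("securityContext") or {}
        caps = ctr_sc.get("capabilities") or {}

        # Options that may be set at pod or container level.
        if _effective(pod_sc, ctr_sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if _effective(pod_sc, ctr_sc, "runAsUser") == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = _effective(pod_sc, ctr_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

        # Options that exist only at container level; nothing to inherit from the pod.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if ctr_sc.get("privileged") is True:
            violations.append(f"{name}: privileged containers are not allowed")
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = [c for c in caps.get("add", []) if c != "NET_BIND_SERVICE"]
        if extra:
            violations.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {extra}")
    return violations


# Constructed sample: the page's Deployment as typically written under PSP,
# with no securityContext at all (PSP injected the defaults silently).
LEGACY_POD_SPEC = {
    "containers": [{"name": "example", "image": "ubuntu"}],
}

# Constructed sample: pod-level options added, container part forgotten,
# and an extra capability requested; still rejected.
PARTIAL_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "example",
        "image": "ubuntu",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }],
}

# Constructed sample: the pod spec from the Deployment shown on this page.
COMPLIANT_POD_SPEC = {
    "securityContext": {
        "fsGroupChangePolicy": "OnRootMismatch",
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "example",
        "image": "ubuntu",
        "securityContext": {
            "runAsUser": 1000,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY_POD_SPEC),
                        ("partial", PARTIAL_POD_SPEC),
                        ("compliant", COMPLIANT_POD_SPEC)):
        problems = check_pod_spec(spec)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

The legacy spec fails all four checks the page lists, the partial one fails the container-level checks only, and the compliant one passes. The authoritative check remains the admission controller itself: `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted` returns a warning for every existing Pod in the namespace that the restricted profile would reject, without actually changing the namespace label.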
If you run any CERIT-SC application from Rancher, upgrade it to the latest version. This can be done now.