Security related YAMLs
Pod level Security Context
apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  securityContext:
    runAsUser: 1000      # Run every container in this pod as user ID 1000
  containers:
  - name: ubuntu
    image: ubuntu
    command: ["sleep", "3600"]
The pod definition above runs every container in the pod as user ID 1000 instead of the default root user; a pod-level securityContext applies to all containers unless a container sets the same field itself.
Container level Security Context
apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
  - name: ubuntu
    image: ubuntu
    command: ["sleep", "3600"]
    securityContext:
      runAsUser: 1000                  # Run this container as user ID 1000
      capabilities:                    # Allow this user to change file UIDs and GIDs
        add: ["CHOWN", "SYS_TIME"]     # and to set the system clock (names without the CAP_ prefix)
The pod definition above runs only this container as user ID 1000 instead of the default root user and grants it two extra Linux capabilities. Capabilities can only be set at container level, and a container-level field overrides the same field set at pod level.
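As an added example (not part of the original notes), the following Python script applies the merge rule just described: for each container it resolves the effective runAsUser (container value wins, then pod value, otherwise the image default) and lists the added capabilities, flagging root execution and capabilities whose effect reaches the whole node. The manifests are constructed dict forms of the two pods above plus a third mixed pod, and the set of node-affecting capabilities is an assumption of this example, not a Kubernetes definition.

```python
"""Effective security settings per container in a Pod manifest.

Kubernetes merges spec.securityContext (pod level) with each container's
securityContext field by field: a value set on the container wins, otherwise
the pod-level value applies. `capabilities` exists only at container level.
"""

# Constructed manifests in dict (JSON-equivalent) form, mirroring the two Pod
# YAMLs above; dicts are used so no PyYAML install is needed.
POD_LEVEL = {"spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [{"name": "ubuntu", "image": "ubuntu"}]}}

CONTAINER_LEVEL = {"spec": {
    "containers": [{"name": "ubuntu", "image": "ubuntu",
                    "securityContext": {"runAsUser": 1000,
                        "capabilities": {"add": ["CHOWN", "SYS_TIME"]}}}]}}

# Constructed: pod-level UID 1000, but one container overrides it back to root.
MIXED = {"spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [{"name": "app", "image": "ubuntu"},
                   {"name": "debug", "image": "ubuntu",
                    "securityContext": {"runAsUser": 0}}]}}

# Capabilities whose effect reaches the whole node (the clock, kernel modules,
# host networking, other processes); an audit threshold chosen for this example.
NODE_AFFECTING_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "SYS_TIME"}


def effective_security(pod):
    """Return {container name: {"runAsUser", "added", "findings"}}."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    report = {}
    for c in spec["containers"]:
        c_sc = c.get("securityContext", {})
        # Container field overrides the pod field; None means neither set it,
        # so the container runs as the image's default user (often root).
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        added = sorted(c_sc.get("capabilities", {}).get("add", []))
        findings = []
        if uid is None or uid == 0:
            findings.append("runs as root: no non-zero runAsUser in effect")
        risky = sorted(set(added) & NODE_AFFECTING_CAPS)
        if risky:
            findings.append("adds node-affecting capabilities: " + ", ".join(risky))
        report[c["name"]] = {"runAsUser": uid, "added": added, "findings": findings}
    return report


if __name__ == "__main__":
    for label, pod in [("pod-level", POD_LEVEL), ("container-level", CONTAINER_LEVEL), ("mixed", MIXED)]:
        print(label, effective_security(pod))
```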
Nginx https server
Configuration Setup
Please see Self Signed HTTPS key on how to create the necessary private key and https certificate.
Run
    $ kubectl create secret generic ng-secret --from-file=https.key --from-file=https.cert
to place the private key and the HTTPS certificate in the ng-secret secret. The file names become the keys of the secret, so they must match the names the nginx configuration below refers to.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ng-config
data:
  my-nginx-config.conf: |
    server {
      listen 80;
      listen 443 ssl;
      server_name nginx.bigtom.local;
      ssl_certificate certs/https.cert;         # relative to the nginx prefix, i.e. /etc/nginx/certs/
      ssl_certificate_key certs/https.key;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;       # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone is the safer choice
      ssl_ciphers HIGH:!aNULL:!MD5;
      location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
      }
    }
The file above stores the nginx configuration in the ng-config ConfigMap so that it can be mounted as a file into the pod. The ConfigMap could also have been created imperatively with kubectl create cm nginx-config --from-file=nginx.config, assuming the above configuration string is in the nginx.config file; note that the file name becomes the key, and therefore the mounted file name, and the nginx image only includes files under /etc/nginx/conf.d/ whose name ends in .conf, while the deployment below expects the ConfigMap to be named ng-config.
Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy
  name: nginx-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      volumes:
      - name: ng-vol-secret
        secret:
          secretName: ng-secret
      - name: ng-vol-config
        configMap:
          name: ng-config
      containers:
      - image: nginx:alpine
        name: nginx
        volumeMounts:
        - name: ng-vol-secret
          mountPath: /etc/nginx/certs/
          readOnly: true
        - name: ng-vol-config
          mountPath: /etc/nginx/conf.d/
          readOnly: true
        ports:
        - containerPort: 80
        - containerPort: 443
The deployment YAML above is an HTTPS nginx deployment that mounts the key and certificate from the ng-secret secret under /etc/nginx/certs/ and the server configuration from the ng-config ConfigMap under /etc/nginx/conf.d/, both read-only.
For Network Security, see Network Policy yaml.