Hello Guys,
This is an interview question. The interviewer asked what can we do to make sure at the node level that pods do not run as root user ?
My answer was, if we run the kubernetes server and client components as a non-root user then the container it spawns will also run as a non-root user.
Is that right ? Can we run the kubernetes server and client components as a non-root user and would it spawn a non-root container if we did ?
Iggy
hello @GodsGiftedChild,
From my knowledge, this is not a true statement.
There are two approaches to how you can control the level of access for the container namespace isolation towards host system calls.
- podSecurityContext → holds pod-level security attributes and common container settings.
  - for more about this one, use
    kubectl explain deployment.spec.template.spec.securityContext
    on your cluster side
- securityContext → holds a security configuration that will be applied to a container.
  - for more about this one, use
    kubectl explain deployment.spec.template.spec.containers.securityContext
    on your cluster side
NOTE: When both are set, the values in SecurityContext take precedence.
This is a high-level view, but if you want to go deeper into it then you can check this documentation → security-context
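An added illustration of the precedence rule in the answer above (this is example code written for this page, not the answerer's code and not Kubernetes' own implementation): it merges a pod-level securityContext with each container's securityContext the way the API describes (for the fields both objects carry, the container value wins), then reports whether the kubelet on the node will let that container start as root. The pod spec is a constructed sample, and the classification strings are this example's own; the behaviour they describe is that runAsUser pins the UID, runAsNonRoot: true makes the kubelet verify the effective UID is non-zero before starting the container, and an explicit runAsUser: 0 combined with runAsNonRoot: true is refused at container start.

```python
# Added example (not from the original post or from Kubernetes itself):
# compute the effective securityContext of each container in a pod spec and
# classify whether the kubelet will let it run as root.

# Fields present on both PodSecurityContext and the container SecurityContext.
# For these, the container-level value overrides the pod-level one
# (the "SecurityContext takes precedence" rule). Pod-only fields such as
# fsGroup are not inherited by containers and are filtered out of the merge.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot",
                 "seLinuxOptions", "seccompProfile")

# Constructed sample: the `spec:` of a pod whose pod-level context asks for a
# non-root UID, with containers that inherit, pin, override, or misconfigure it.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "fsGroup": 2000},
    "containers": [
        # no container-level context: inherits runAsNonRoot from the pod
        {"name": "app", "image": "example/app:1.0"},
        # pins a non-zero UID explicitly
        {"name": "pinned", "image": "example/app:1.0",
         "securityContext": {"runAsUser": 1000}},
        # container-level values win: this one really runs as root
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"runAsUser": 0, "runAsNonRoot": False}},
        # runAsUser 0 but runAsNonRoot still inherited as true: kubelet refuses it
        {"name": "broken", "image": "example/tool:1.0",
         "securityContext": {"runAsUser": 0}},
    ],
}


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level security context.

    Only the shared fields flow down from the pod; anything set on the
    container overrides the pod-level value for that field.
    """
    pod_ctx = pod_spec.get("securityContext") or {}
    ctr_ctx = container.get("securityContext") or {}
    merged = {k: v for k, v in pod_ctx.items() if k in SHARED_FIELDS}
    merged.update(ctr_ctx)
    return merged


def classify_uid(ctx):
    """Describe what the kubelet will do with the effective UID settings."""
    uid = ctx.get("runAsUser")
    non_root = ctx.get("runAsNonRoot") is True
    if uid is not None and uid != 0:
        return "non-root (uid pinned)"
    if uid == 0:
        # An explicit root UID under runAsNonRoot=true fails at container start.
        return "rejected by kubelet" if non_root else "root"
    if non_root:
        # No UID given: the kubelet checks the image's numeric USER is non-zero
        # and fails the container if the image runs as root or has no numeric USER.
        return "non-root (kubelet verifies image uid)"
    return "image default (may be root)"


def audit_pod(pod_spec):
    """Map every container (init containers included) to its UID verdict."""
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return {c["name"]: classify_uid(effective_security_context(pod_spec, c))
            for c in containers}


if __name__ == "__main__":
    for name, verdict in audit_pod(SAMPLE_POD_SPEC).items():
        print(f"{name:10s} {verdict}")
```

The "sidecar" case is the one to watch for when reviewing manifests: a pod-level runAsNonRoot: true gives no guarantee on its own, because any container can override it, so the check has to be done per container after the merge, exactly as the kubelet does it on the node.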