Lab: Pod Security Context in EKS

  • Pod Security Context allows you to define security settings for pods and containers. In this lab, we'll create a pod with a security context that enforces a read-only root filesystem and validate its behavior.

  • List of common pod security context:

    • runAsUser: Specifies the user ID to run the container processes.
    • runAsGroup: Sets the primary group ID for the container processes.
    • runAsNonRoot: Ensures the container runs as a non-root user.
    • fsGroup: Defines the file system group ID for volume mounts.
    • supplementalGroups: Adds additional group IDs to the container's process.
    • allowPrivilegeEscalation: Prevents processes from gaining additional privileges.
    • privileged: Grants the container access to all devices on the host.
    • readOnlyRootFilesystem: Enforces the root filesystem to be read-only.
    • capabilities: Adds or drops Linux capabilities for the container.
    • seLinuxOptions: Sets SELinux labels for the container.
    • seccompProfile: Applies a seccomp profile to restrict system calls.
    • procMount: Modifies the /proc filesystem mount type.
    • sysctls: Configures namespaced kernel parameters (sysctls) for the pod.
    • windowsOptions: Specifies Windows-specific security settings.
    • appArmorProfile: Assigns an AppArmor security profile to the container.

Hands-on Lab

  • Navigate to the EKS Directory:

    cd /workspaces/ecr_eks_security_masterclass_public/eks/

  • Verify the cluster is ready:

    kubectl get nodes

  • Create a pod-security-context.yaml file:

    cat <<EOF > pod-security-context.yaml
apiVersion: v1
kind: Pod
metadata:
  name: read-only-pod
spec:
  containers:
  - name: nginx
    image: nginx:latest
    securityContext:
      readOnlyRootFilesystem: true  # Enforce read-only root filesystem
    command: ["/bin/sh", "-c", "sleep 3600"]
EOF

  • Apply the manifest to the EKS cluster:

    kubectl apply -f pod-security-context.yaml

  • Verify the pod is running:

    kubectl get pods

  • Verify Read-Only Root Filesystem:

    • Test writing to the root filesystem (denied):

      kubectl exec read-only-pod -- touch /testfile

      This command should fail because the root filesystem is read-only.

Cleanup

  • Delete the pod:

    kubectl delete pod read-only-pod