Pod-Level Security Context Configuration

Validate security context settings at both pod and container levels. Learn best practices for securityContext, capabilities, and read-only filesystems.


Detailed Explanation

Pod Security Context Explained

Kubernetes security contexts define privilege and access control at two levels: the pod level and the container level. Pod-level settings apply to all containers, while container-level settings can override or add to them.

Example with Proper Security Context

apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
  labels:
    app: secure
spec:
  replicas: 2
  selector:
    matchLabels:
      app: secure
  template:
    metadata:
      labels:
        app: secure
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: myapp:2.1.0
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080

Security Context Fields

Pod level (spec.securityContext):

| Field | Purpose |
| --- | --- |
| runAsNonRoot | Kubelet refuses to start any container whose effective UID would be 0 (root) |
| runAsUser / runAsGroup | Sets the UID/GID that every container's processes run as |
| fsGroup | Supplemental group applied to volumes that support ownership changes, so non-root processes can write to them |
| seccompProfile | Restricts the system calls containers may make (RuntimeDefault is the usual choice) |
| sysctls | Sets namespaced kernel parameters for the pod |

Container level (containers[].securityContext):

| Field | Purpose |
| --- | --- |
| allowPrivilegeEscalation | When false, a process cannot gain more privileges than its parent (for example via setuid binaries) |
| readOnlyRootFilesystem | Mounts the container's root filesystem read-only, so only explicit volumes are writable |
| capabilities | Adds or drops individual Linux capabilities |
| privileged | Grants full host access (avoid!) |

Recommended Configuration

For most workloads, use this baseline:

  • runAsNonRoot: true at pod level
  • allowPrivilegeEscalation: false at container level
  • readOnlyRootFilesystem: true when possible
  • capabilities.drop: ["ALL"] and only add back specific ones needed
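The following is an added example, not the page's validator tool or any project's code: a small Python checker that resolves the effective securityContext of each container (container-level fields override the pod-level ones of the same name) and reports deviations from the baseline above, including the pod-level fields in the first table and the container-level fields in the second. It works on already-parsed manifests (dicts such as `yaml.safe_load` would return); the two sample manifests are constructed here, one mirroring the Deployment shown above and one deliberately weak.

```python
"""Check pod- and container-level securityContext settings against the
Restricted-style baseline. Added example; not the page's validator tool.
Manifests are passed as parsed dicts (e.g. the result of yaml.safe_load)."""

from typing import Any, Dict, List

# Fields a container inherits from spec.securityContext unless it sets its own
# value; when both are set, the container-level value wins.
INHERITED_FIELDS = ("runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile")

# The one capability the Restricted profile allows to be added back
# (binding ports below 1024 as a non-root user).
ALLOWED_ADDS = {"NET_BIND_SERVICE"}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec of a bare Pod, or the pod template of a workload
    (Deployment, StatefulSet, DaemonSet, Job)."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def effective_context(pod_ctx: Dict[str, Any], container_ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Resolve the settings a container actually runs with."""
    merged = {k: v for k, v in pod_ctx.items() if k in INHERITED_FIELDS}
    merged.update(container_ctx)
    return merged


def validate(manifest: Dict[str, Any]) -> List[str]:
    """Return findings as 'ERROR: ...' or 'WARN: ...' strings; empty means clean."""
    findings: List[str] = []
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext") or {}
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        findings.append("ERROR: pod shares a host namespace (hostPID/hostNetwork/hostIPC)")

    containers = list(spec.get("containers") or []) + list(spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        ctx = effective_context(pod_ctx, c.get("securityContext") or {})

        if ctx.get("privileged") is True:
            findings.append(f"ERROR: container {name}: privileged grants full host access")
        if ctx.get("runAsNonRoot") is not True:
            findings.append(f"ERROR: container {name}: runAsNonRoot is not true (set it at pod level)")
        if ctx.get("runAsUser") == 0:
            findings.append(f"ERROR: container {name}: runAsUser 0 is root")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"ERROR: container {name}: allowPrivilegeEscalation must be false")
        seccomp = (ctx.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"ERROR: container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"ERROR: container {name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDS
        if extra:
            findings.append(f"ERROR: container {name}: capabilities added back: {sorted(extra)}")
        # The baseline says "when possible", so this one is a warning, not an error.
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"WARN: container {name}: readOnlyRootFilesystem not set; enable it when possible")
    return findings


def is_compliant(manifest: Dict[str, Any]) -> bool:
    """True when no ERROR-level finding is present."""
    return not any(f.startswith("ERROR") for f in validate(manifest))


# Constructed sample: the secure Deployment from the page, as a parsed dict.
SECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 3000,
                            "fsGroup": 2000, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "myapp:2.1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}]}}}}

# Constructed sample: a Pod whose container overrides the pod-level UID with
# root and adds a capability back without dropping ALL.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "web", "image": "nginx",
                             "securityContext": {"runAsUser": 0,
                                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

if __name__ == "__main__":
    for m in (SECURE_DEPLOYMENT, WEAK_POD):
        print(m["kind"], "compliant" if is_compliant(m) else "NOT compliant")
        for f in validate(m):
            print("  ", f)
```

Resolving the effective context before checking is the important design point: a pod-level `runAsNonRoot: true` is undone by a container-level `runAsUser: 0`, and a checker that looks at only one level would miss it.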

Use Case

Configuring security contexts for production workloads that need to meet Pod Security Standards at the Restricted level. Essential for multi-tenant clusters and regulated environments.
