K8s: what is the difference between Security Context and Security Policy?

Tags:

kubernetes

Looking into Kubernetes documentation:

  • Pod Security Policy
  • Pod Security Context

Mmmm... aren't they eventually doing the same thing? What is the difference?

Illidan asked Oct 08 '18 10:10




1 Answer

I have no idea why folks are down-voting this question, it's spot on and actually we've got our docs to blame and not the OP. OK, here goes:

The pod security context (which is preceded by and largely based on OpenShift Security Context Constraints) allows you (as a developer?) to define runtime restrictions and/or settings on a per-pod basis.

But how do you enforce this? How do you make sure that folks are actually defining the constraints? That's where pod security policies (PSP) come into play: as a cluster or namespace admin you can define and enforce those security context-related policies using PSPs. See also the Kubernetes Security book for more details.

Michael Hausenblas answered Oct 02 '22 16:10