
Container security context

Kubernetes restricts what a container is allowed to do through its SecurityContext settings. This improves the security of pods running on Kubernetes.

By default we set the following securityContext in the PodSpec for the application container:

setting                   value
------------------------  --------------
runAsUser                 1069
runAsGroup                1069
allowPrivilegeEscalation  false
readOnlyRootFilesystem    true
runAsNonRoot              true
privileged                false
capabilities              drop: ["all"]
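The following added example (not part of this page or of the nais platform) checks a container spec against the defaults listed in the table above and reports every deviation, including capabilities added back on top of the dropped set. The baseline values are copied from the table; the sample container is constructed here.

```python
"""Check a container's securityContext against the defaults listed above."""
from typing import Any

# Baseline taken from the table of default settings on this page.
BASELINE = {
    "runAsUser": 1069,
    "runAsGroup": 1069,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "privileged": False,
}


def check_security_context(container: dict[str, Any]) -> list[str]:
    """Return one finding per deviation from the baseline; empty means compliant."""
    sc = container.get("securityContext") or {}
    findings = []
    for key, expected in BASELINE.items():
        actual = sc.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, got {actual!r}")
    caps = sc.get("capabilities") or {}
    # Kubernetes accepts "all"/"ALL"; compare case-insensitively.
    dropped = [c.lower() for c in caps.get("drop", [])]
    if "all" not in dropped:
        findings.append("capabilities.drop does not include ALL")
    for cap in caps.get("add", []):
        findings.append(f"capabilities.add grants {cap}")
    return findings


# Constructed sample: runs as root, writable root fs, and adds NET_RAW back.
SAMPLE_CONTAINER = {
    "name": "app",
    "image": "example/app:1.0",
    "securityContext": {
        "runAsUser": 0,
        "runAsGroup": 1069,
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": False,
        "runAsNonRoot": True,
        "privileged": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]},
    },
}

if __name__ == "__main__":
    for finding in check_security_context(SAMPLE_CONTAINER):
        print(finding)
```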

Enable specific kernel capabilities

Enable specific kernel capabilities by adding the following annotation to your Application or NaisJob spec:

kind: Application
  annotations: "NET_RAW"

The annotation supports multiple values separated by commas. Not all capabilities are supported, so if you encounter issues with missing capabilities, contact the nais team.

A list of capabilities can be found here

Disable read-only file system

By default, the only writable path on the file system is /tmp. If your application requires writing to another location, it is possible to enable this by setting the following annotation:

kind: Application
  annotations: "false"

Note that even though the file system is writable, the default user 1069 (or whatever you override it with) still needs write permission to the target path inside the Docker image.

Overriding runAsUser / runAsGroup

By default the container runs with user and group ID 1069. If your container needs a different user or group, add the following annotations to your Application:

kind: Application
  annotations: "1001" "1002"

The will default to what you specify as

Relevant information

Configure security context

Docker security best practices