Thomas' Notes


Security related YAMLs

Pod level Security Context

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  securityContext:
    runAsUser: 1000               # To run this pod as user id 1000
  containers:
  - name: ubuntu
    image: ubuntu
    command: ["sleep", "3600"]

The pod-level securityContext above makes the pod's containers run as user id 1000 instead of the default root user.

Container level Security Context

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  containers:
  - name: ubuntu
    image: ubuntu
    command: ["sleep", "3600"]
    securityContext:
      runAsUser: 1000             # To run this container as user id 1000
      capabilities:               # Grant extra capabilities; Kubernetes names omit the CAP_ prefix
        add: ["CHOWN", "SYS_TIME"]  # CHOWN: change file UIDs/GIDs, SYS_TIME: set the system clock

Here the securityContext is set on the container rather than the pod, so it applies only to that container and overrides any pod-level setting: the container runs as user id 1000 instead of the default root user and is granted the two listed capabilities on top of the runtime's default set.
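The two manifests above differ in where securityContext is set, and the effective settings of a container are the pod-level values with the container-level ones layered on top. The following audit script is an added example, not code from the page: it resolves that effective context for each container, then flags containers that may run as root, capability names written with the CAP_ prefix (Kubernetes expects CHOWN, not CAP_CHOWN), capabilities outside the runtime's default set, and allowPrivilegeEscalation left unset. It works on the dict that yaml.safe_load() returns for a manifest; the sample pods are constructed copies of the ones above plus two variants.

```python
"""Added example (not from the page): audit Pod manifests for the securityContext
settings discussed above. The functions take the dict that yaml.safe_load() or
json.load() returns for a manifest, so the page's YAML can be fed in unchanged."""

# Capabilities that Docker/containerd grant to a container by default; adding one of
# these is a no-op, adding anything else widens the container's privileges.
DEFAULT_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}

# Fields that exist at both pod and container level; the container value wins.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def effective_security_context(pod_spec, container):
    """Resolve what a container actually runs with: pod-level defaults, container overrides."""
    pod_ctx = pod_spec.get("securityContext") or {}
    merged = {k: pod_ctx[k] for k in SHARED_FIELDS if k in pod_ctx}
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod(pod):
    """Return a list of (container name, finding) tuples for one Pod manifest."""
    findings = []
    spec = pod["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, ctx = c["name"], effective_security_context(spec, c)
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and ctx.get("runAsNonRoot") is not True):
            findings.append((name, "may run as root: set runAsUser or runAsNonRoot"))
        if ctx.get("privileged"):
            findings.append((name, "privileged: true gives the container all capabilities"))
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation is not set to false"))
        for cap in (ctx.get("capabilities") or {}).get("add", []):
            if cap.startswith("CAP_"):
                findings.append((name, f"capability {cap!r}: Kubernetes expects {cap[4:]!r}"))
                cap = cap[4:]
            if cap not in DEFAULT_CAPS:
                findings.append((name, f"adds non-default capability {cap}"))
    return findings


# Constructed inputs: the parsed form of the two pods above, plus a pod with no
# securityContext at all and one that adds a capability with the CAP_ prefix.
def _pod(name, pod_ctx=None, container_ctx=None):
    container = {"name": "ubuntu", "image": "ubuntu", "command": ["sleep", "3600"]}
    if container_ctx is not None:
        container["securityContext"] = container_ctx
    spec = {"containers": [container]}
    if pod_ctx is not None:
        spec["securityContext"] = pod_ctx
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


POD_LEVEL = _pod("web-pod", pod_ctx={"runAsUser": 1000})
CONTAINER_LEVEL = _pod("web-pod", container_ctx={
    "runAsUser": 1000, "capabilities": {"add": ["CHOWN", "SYS_TIME"]}})
NO_CONTEXT = _pod("root-pod")
CAP_PREFIX = _pod("bad-caps", container_ctx={
    "runAsUser": 1000, "capabilities": {"add": ["CAP_CHOWN"]}})

if __name__ == "__main__":
    for pod in (POD_LEVEL, CONTAINER_LEVEL, NO_CONTEXT, CAP_PREFIX):
        print(pod["metadata"]["name"])
        for container, finding in audit_pod(pod):
            print(f"  {container}: {finding}")
```

Both pods on this page pass the root check but are reported for allowPrivilegeEscalation, which is still true by default even for a non-root user; the CAP_-prefixed variant is reported once for the spelling and not again for CHOWN, because CHOWN is already in the default set.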

Nginx https server

Configuration Setup

Please see Self Signed HTTPS key on how to create the necessary private key and https certificate.

  • $ kubectl create secret generic ng-secret --from-file=https.cert --from-file=https.key places the https certificate and the private key in the ng-secret Secret; each file name becomes a key in the Secret, and the nginx configuration below refers to them as certs/https.cert and certs/https.key.

apiVersion: v1
kind: ConfigMap
metadata:
  name: ng-config
data:
  my-nginx-config.conf: |
    server {
        listen                80;
        listen                443 ssl;
        server_name           nginx.bigtom.local;

        ssl_certificate       certs/https.cert;
        ssl_certificate_key   certs/https.key;
        ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }

The file above stores the nginx configuration in the ng-config ConfigMap so that it can be mounted into the pod as a file. The ConfigMap could also have been created imperatively with kubectl create cm ng-config --from-file=my-nginx-config.conf, assuming the configuration string above is in a file of that name; the file name becomes the key in the ConfigMap and therefore the name of the mounted file, which must end in .conf for nginx's default include of /etc/nginx/conf.d/*.conf to load it. The relative ssl_certificate paths are resolved against /etc/nginx, so certs/https.key is /etc/nginx/certs/https.key once the secret is mounted there. Note that the ssl_protocols line above still enables TLSv1 and TLSv1.1, which are deprecated (RFC 8996); for a new deployment list only TLSv1.2 and TLSv1.3.

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy
  name: nginx-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      volumes:
        - name: ng-vol-secret
          secret:
            secretName: ng-secret
        - name: ng-vol-config
          configMap:
            name: ng-config
      containers:
      - image: nginx:alpine
        name: nginx
        volumeMounts:
          - name: ng-vol-secret
            mountPath: /etc/nginx/certs/
            readOnly: true
          - name: ng-vol-config
            mountPath: /etc/nginx/conf.d/
            readOnly: true
        ports:
          - containerPort: 80
          - containerPort: 443

The Deployment above runs an https nginx, mounting the certificate and key from the ng-secret Secret and the server configuration from the ng-config ConfigMap, both read-only.
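The ConfigMap and the Deployment above only work together if the paths in the nginx directives line up with the volume mounts, and the private key must come from the Secret mount rather than the ConfigMap. The script below is an added example, not part of the page or of nginx: it parses the one-directive-per-line server block, reports deprecated TLS versions in ssl_protocols, and resolves every ssl_certificate_key path against the mounts of the pod template to confirm it lands in a readOnly, Secret-backed volume. It assumes the official nginx image's prefix of /etc/nginx for relative paths; the config string and the Deployment dict are constructed copies of the manifests above.

```python
"""Added example (not from the page): cross-check the nginx ConfigMap and the
Deployment above. Parses the nginx directives, flags deprecated TLS versions, and
verifies that the private key nginx will load is served from a readOnly Secret mount."""
import posixpath

# Assumption: the official nginx images are built with --prefix=/etc/nginx, so relative
# paths in ssl_certificate / ssl_certificate_key are resolved against this directory.
NGINX_PREFIX = "/etc/nginx"
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 / RFC 8996

# Constructed copy of the server block from the ng-config ConfigMap above.
NGINX_CONF = """\
server {
    listen                80;
    listen                443 ssl;
    server_name           nginx.bigtom.local;

    ssl_certificate       certs/https.cert;
    ssl_certificate_key   certs/https.key;
    ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers           HIGH:!aNULL:!MD5;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
"""

# Constructed dict: the parsed form (yaml.safe_load output) of the nginx-deploy Deployment above.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deploy"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx-deploy"}},
             "template": {"metadata": {"labels": {"app": "nginx-deploy"}}, "spec": {
                 "volumes": [
                     {"name": "ng-vol-secret", "secret": {"secretName": "ng-secret"}},
                     {"name": "ng-vol-config", "configMap": {"name": "ng-config"}}],
                 "containers": [{"image": "nginx:alpine", "name": "nginx", "volumeMounts": [
                     {"name": "ng-vol-secret", "mountPath": "/etc/nginx/certs/", "readOnly": True},
                     {"name": "ng-vol-config", "mountPath": "/etc/nginx/conf.d/", "readOnly": True}],
                     "ports": [{"containerPort": 80}, {"containerPort": 443}]}]}}},
}


def nginx_directives(conf):
    """Yield (name, args) for each one-line simple directive; block openers are skipped.
    Good enough for ConfigMap-style server blocks, not a full nginx parser."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, *args = line[:-1].split()
            yield name, args


def audit_tls(conf):
    """Findings about the TLS protocol versions the config string enables."""
    findings = []
    for name, args in nginx_directives(conf):
        if name == "ssl_protocols":
            bad = sorted(set(args) & DEPRECATED_PROTOCOLS)
            if bad:
                findings.append(f"ssl_protocols enables deprecated {', '.join(bad)}")
    return findings


def audit_key_mounts(conf, deployment):
    """Check that every ssl_certificate_key path lands in a readOnly, Secret-backed mount."""
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    findings = []
    for c in pod["containers"]:
        mounts = c.get("volumeMounts", [])
        for name, args in nginx_directives(conf):
            if name != "ssl_certificate_key":
                continue
            path = args[0] if args[0].startswith("/") else posixpath.join(NGINX_PREFIX, args[0])
            mount = next((m for m in mounts
                          if path.startswith(m["mountPath"].rstrip("/") + "/")), None)
            if mount is None:
                findings.append(f"{c['name']}: {path} is not on any mounted volume")
            elif "secret" not in volumes.get(mount["name"], {}):
                findings.append(f"{c['name']}: {path} is served from a non-Secret volume")
            elif not mount.get("readOnly"):
                findings.append(f"{c['name']}: key mount {mount['mountPath']} is not readOnly")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(NGINX_CONF) + audit_key_mounts(NGINX_CONF, DEPLOYMENT):
        print(finding)
```

Run against the manifests on this page, the mount check passes and the only finding is the deprecated TLSv1 and TLSv1.1 entries in ssl_protocols; the same functions can be pointed at any other ConfigMap/Deployment pair loaded with yaml.safe_load.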

For Network Security, see Network Policy yaml.


© Copyright 2024, Big Tom. Updated Dec 2024.
