Support HackTricks and get benefits! Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
# Kubernetes SecurityContext(s) ## PodSecurityContext When specifying the security context of a Pod you can use several attributes. From a defensive security point of view you should consider: * To have **runASNonRoot** as **True** * To configure **runAsUser** * If possible, consider **limiting** **permissions** indicating **seLinuxOptions** and **seccompProfile** * Do **NOT** give **privilege** **group** access via **runAsGroup** and **supplementaryGroups** |

fsGroup
integer

|

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume

| | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |

fsGroupChangePolicy
string

| This defines behavior of **changing ownership and permission of the volume** before being exposed inside Pod. | |

runAsGroup
integer

| The **GID to run the entrypoint of the container process**. Uses runtime default if unset. May also be set in SecurityContext. | |

runAsNonRoot
boolean

| Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. | |

runAsUser
integer

| The **UID to run the entrypoint of the container process**. Defaults to user specified in image metadata if unspecified. | |

seLinuxOptions
SELinuxOptions
More info about seLinux

| The **SELinux context to be applied to all containers**. If unspecified, the container runtime will allocate a random SELinux context for each container. | |

seccompProfile
SeccompProfile
More info about Seccomp

| The **seccomp options to use by the containers** in this pod. | |

supplementalGroups
integer array

| A list of **groups applied to the first process run in each container**, in addition to the container's primary GID. | |

sysctls
Sysctl array
More info about sysctls

| Sysctls hold a list of **namespaced sysctls used for the pod**. Pods with unsupported sysctls (by the container runtime) might fail to launch. | |

windowsOptions
WindowsSecurityContextOptions

| The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. | ## SecurityContext This context is set inside the **containers definitions**. From a defensive security point of view you should consider: * **allowPrivilegeEscalation** to **False** * Do not add sensitive **capabilities** (and remove the ones you don't need) * **privileged** to **False** * If possible, set **readOnlyFilesystem** as **True** * Set **runAsNonRoot** to **True** and set a **runAsUser** * If possible, consider **limiting** **permissions** indicating **seLinuxOptions** and **seccompProfile** * Do **NOT** give **privilege** **group** access via **runAsGroup.** Note that the attributes set in **both SecurityContext and PodSecurityContext**, the value specified in **SecurityContext** takes **precedence**. |

allowPrivilegeEscalation
boolean

| **AllowPrivilegeEscalation** controls whether a process can **gain more privileges** than its parent process. This bool directly controls if the no\_new\_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is run as **Privileged** or has **CAP\_SYS\_ADMIN** | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |

capabilities
Capabilities
More info about Capabilities

| The **capabilities to add/drop when running containers**. Defaults to the default set of capabilities. | |

privileged
boolean

| Run container in privileged mode. Processes in privileged containers are essentially **equivalent to root on the host**. Defaults to false. | |

procMount
string

| procMount denotes the **type of proc mount to use for the containers**. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. | |

readOnlyRootFilesystem
boolean

| Whether this **container has a read-only root filesystem**. Default is false. | |

runAsGroup
integer

| The **GID to run the entrypoint** of the container process. Uses runtime default if unset. | |

runAsNonRoot
boolean

| Indicates that the container must **run as a non-root user**. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. | |

runAsUser
integer

| The **UID to run the entrypoint** of the container process. Defaults to user specified in image metadata if unspecified. | |

seLinuxOptions
SELinuxOptions
More info about seLinux

| The **SELinux context to be applied to the container**. If unspecified, the container runtime will allocate a random SELinux context for each container. | |

seccompProfile
SeccompProfile

| The **seccomp options** to use by this container. | |

windowsOptions
WindowsSecurityContextOptions

| The **Windows specific settings** applied to all containers. | ## References * [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core) * [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core)
Support HackTricks and get benefits! Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**