Try Kubernetes

Get Started

Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.

Documentation

Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even help contribute to the docs!

Community

If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.

Blog

Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.

Interested in hacking on the core Kubernetes code base?

View On Github

Explore the community

Documentation for Kubernetes v1.4 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Edit This Page

A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. See security context design for more details.

There are two levels of security context: pod level security context, and container level security context.

Pod Level Security Context

Setting security context at the pod applies those settings to all containers in the pod

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod’s containers
  # ...
  securityContext:
    fsGroup: 1234
    supplementalGroups: [5678]
    seLinuxOptions:
      level: "s0:c123,c456"

Please refer to the API documentation for a detailed listing and description of all the fields available within the pod security context.

Volume Security context

Another functionality of pod level security context is that it applies those settings to volumes where applicable. Specifically fsGroup and seLinuxOptions are applied to the volume as follows:

`fsGroup`

Volumes which support ownership management are modified to be owned and writable by the GID specified in fsGroup. See the Ownership Management design document for more details.

`selinuxOptions`

Volumes which support SELinux labeling are relabled to be accessible by the label specified unders seLinuxOptions. Usually you will only need to set the level section. This sets the SELinux MCS label given to all containers within the pod as well as the volume.

Attention: Once the MCS label is specified in the pod description all pods with the same label will able to access the volume. So if interpod protection is needed you must ensure each pod is assigned a unique MCS label.

Container Level Security Context

Container level security context settings are applied to the specific container and override settings made at the pod level where there is overlap. Container level settings however do not affect the pod’s volumes.

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
    - name: hello-world-container
      # The container definition
      # ...
      securityContext:
        privileged: true
        seLinuxOptions:
          level: "s0:c123,c456"

Please refer to the API documentation for a detailed listing and description of all the fields available within the container security context.

Create an Issue Edit this Page