
Running a container with runAsNonRoot and adding capabilities


Running containers securely is a critical aspect of managing containerized environments. This article delves deep into running a container with the `runAsNonRoot` setting and adding capabilities, which are two effective techniques for ensuring safety and security. We'll discuss their functionality, how to implement them, and provide examples for a better understanding.

Understanding `runAsNonRoot`

By default, the process inside a container runs as the root user (UID 0). This is a serious risk if the container is compromised: unless user-namespace remapping is in use, root inside the container is the same UID 0 as on the host, so a container breakout hands the attacker root on the host. Setting `runAsNonRoot` mitigates this by guaranteeing that the container's process runs as a non-root user.

Technical Explanation

  • Security Context: The security context in Kubernetes defines privilege and access control settings for a Pod or Container. It contains several settings that influence how containers are run in terms of privileges.
  • `runAsNonRoot`: When set to `true`, the kubelet verifies before starting the container that it will not run as UID 0. The user is taken from `runAsUser` in the security context or, failing that, from the image's `USER` directive. If the resulting user is root, or the image names a non-numeric user that cannot be verified, the container is refused and does not start.

Example

In a Kubernetes Pod manifest, you specify `runAsNonRoot` in the security context of the container entry like this:

    (Pod manifest with a container named `my-container`; only the container name survives in this copy)

Considerations

  • User Setup: Ensure that the container image is built with a user that does not have root privileges.
  • Permissions: The application inside the container must be able to operate with the permissions of that non-root user (file ownership, writable directories, port numbers).

Understanding Capabilities

  • Capabilities: Rather than granting full root powers, Linux capabilities let a process perform specific privileged operations. For instance, `CAP_NET_BIND_SERVICE` allows binding to ports below 1024.
  • `securityContext.capabilities`: You can add or drop specific capabilities to control which privileged actions processes inside the container may perform:

    (Pod manifest with a container named `my-container`; only the container name survives in this copy)

Best Practices

  • Minimalism: Add only the capabilities that are strictly necessary, and drop all others.
  • Test and Verify: After setting capabilities, test thoroughly to confirm that the container works as expected and does not inadvertently retain excessive permissions.
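A complete Pod manifest, added here as an illustration (not taken from the original article), that combines both settings discussed above: `runAsNonRoot` with an explicit numeric UID, and a capability set that drops everything and adds back only `NET_BIND_SERVICE` for a web server on port 80. The pod name, image and UID are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-netbind          # placeholder pod name
spec:
  securityContext:
    runAsNonRoot: true           # kubelet refuses to start any container that would run as UID 0
    runAsUser: 10001             # explicit numeric UID: verifiable even if the image has no USER line
    runAsGroup: 10001
  containers:
  - name: my-container
    image: registry.example.com/app:1.0   # placeholder; assumed to listen on port 80
    ports:
    - containerPort: 80
    securityContext:
      allowPrivilegeEscalation: false     # sets no_new_privs: setuid bits and file caps cannot regain root
      capabilities:
        drop: ["ALL"]                     # start from an empty bounding set ...
        add: ["NET_BIND_SERVICE"]         # ... and add back only what binding port 80 requires
```

After `kubectl apply -f`, verify with `kubectl exec nonroot-netbind -- id` (expect uid 10001) and `kubectl exec nonroot-netbind -- grep Cap /proc/1/status`, where CapBnd should read 0000000000000400 (bit 10, NET_BIND_SERVICE alone). Whether that capability also appears in CapEff for a non-root process depends on the container runtime populating the ambient set, so if CapEff is all zeros, move the application to a port above 1024 rather than widening the capability set.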

