A container should be able to perform only a very limited set of operations, and it is highly recommended to run it as a user other than root. To achieve this, both the Dockerfile and the Kubernetes config must be changed.
Create non-root container
Docker containers run as root by default. Creating a dedicated unprivileged user in the image and switching to it limits what a process inside the container can do and adds an extra layer of security.

```dockerfile
# Create a system group and a system user with fixed, predictable IDs
RUN addgroup --gid 3000 --system juffgroup \
  && adduser --uid 2000 --system --ingroup juffgroup juffuser
# Switch to the numeric UID (not the name) so Kubernetes can verify it is non-root
USER 2000
CMD [ "node", "dist/index.js" ]
```
securityContext for Pod
When you want to ensure that no root container will run in your Kubernetes cluster, you can use securityContext for this. If you set runAsNonRoot to true, Kubernetes will check either the runAsUser setting (also under securityContext) or the USER directive defined in the image. The USER directive must use a numeric UID: Kubernetes does not resolve user names, so with a named user it cannot verify that the user is non-root and refuses to start the container.
And while we are working with these settings, let's set other recommended policies straight away.
Containers are by default allowed to create, download or modify files. This can be misused by a potential attacker. To prevent this, set readOnlyRootFilesystem to true, which makes the container's root filesystem read-only. If your application needs to write to the filesystem, mount a separate writable volume for that path.
Drop all capabilities with the capabilities setting (drop: ["ALL"]) unless the application really needs them. You can then add back a specific capability if needed.
```yaml
# app, tier, environment, ...
- name: node-express-kubernetes-example-application
- containerPort: 3001
# liveness probe settings
# readiness probe settings
```
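The following Deployment manifest is an added example, not the project's own config, that puts the settings from the previous section together in one place. It reuses the container name, port, and the UID/GID from the Dockerfile on this page; the image reference and the /health probe path are placeholders. It also sets allowPrivilegeEscalation: false and a RuntimeDefault seccomp profile, which the text above does not mention but which belong in the same hardening pass.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-express-kubernetes-example-application
  labels:
    app: node-express-kubernetes-example-application   # app, tier, environment, ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: node-express-kubernetes-example-application
  template:
    metadata:
      labels:
        app: node-express-kubernetes-example-application
    spec:
      # Pod-level context: every container inherits these unless it overrides them
      securityContext:
        runAsNonRoot: true     # kubelet refuses to start any container that would run as UID 0
        runAsUser: 2000        # matches the adduser --uid in the Dockerfile above
        runAsGroup: 3000       # matches the addgroup --gid in the Dockerfile above
        fsGroup: 3000          # mounted volumes become writable by this group
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: node-express-kubernetes-example-application
          image: registry.example.invalid/node-express-example:1.0.0   # placeholder image reference
          ports:
            - containerPort: 3001
          securityContext:
            allowPrivilegeEscalation: false   # setuid binaries cannot regain privileges
            readOnlyRootFilesystem: true      # the image filesystem cannot be modified at runtime
            capabilities:
              drop: ["ALL"]                   # start from zero; add back a single capability only if needed
          # A read-only root filesystem still needs somewhere to write temp files;
          # an emptyDir gives the app a scratch area without making the image writable
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          # liveness probe settings (assumed /health endpoint)
          livenessProbe:
            httpGet:
              path: /health
              port: 3001
          # readiness probe settings (assumed /health endpoint)
          readinessProbe:
            httpGet:
              path: /health
              port: 3001
      volumes:
        - name: tmp
          emptyDir: {}
```

After applying it, `kubectl exec` into the pod and run `id`: it should report uid=2000 and gid=3000. If the image instead ends with `USER juffuser` (a name rather than a number) and runAsUser is omitted, the pod stays in CreateContainerConfigError because the kubelet cannot verify a non-numeric user, which is exactly the check runAsNonRoot is meant to enforce.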
You can find a working example here, with a basic Node application and k8s configs.