Cyber Intelligence
PROTEGO
Pod Security and Workload Hardening · Workload hardening

L8. Security Contexts: runAsNonRoot, Capabilities and Seccomp

Video generating

Check back soon for the video lesson on Security Contexts: runAsNonRoot, Capabilities and Seccomp

Security contexts control the Linux-level security settings of containers. Learn how to configure runAsNonRoot, drop capabilities, apply seccomp profiles, and enforce read-only filesystems.

What Is a Security Context?

A security context defines privilege and access control settings for a pod or container. It maps directly to Linux kernel security features: user IDs, capabilities, seccomp filters, and filesystem permissions.

Security contexts can be set at two levels:

  • Pod level: Applies to all containers in the pod (plus init containers)
  • Container level: Overrides pod-level settings for a specific container

runAsNonRoot and runAsUser

Running containers as root is the single most common Kubernetes security mistake. A root user inside a container has UID 0, which maps to root on the host in many container escape scenarios. 

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containers:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">name: app</li>
</ul>
      image: my-app:latest
      securityContext:
        allowPrivilegeEscalation: false
runAsNonRoot: true makes Kubernetes reject the pod if the container image specifies USER root or UID 0. runAsUser: 1000 explicitly sets the UID.

Linux Capabilities

Linux capabilities break root privileges into granular units. Instead of granting full root, you can assign specific capabilities like NET_BIND_SERVICE (bind to ports below 1024).

The secure approach: drop all capabilities and add back only what is needed: 

containers:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">name: app</li>
</ul>
    securityContext:
      capabilities:
        drop:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">ALL</li>
</ul>
        add:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">NET_BIND_SERVICE</li>
</ul>

Dangerous capabilities to never grant unless absolutely necessary:

  • SYS_ADMIN: Nearly equivalent to full root
  • SYS_PTRACE: Allows process inspection and manipulation
  • NET_RAW: Enables raw socket creation (used in ARP spoofing)
  • SYS_MODULE: Allows loading kernel modules

Seccomp Profiles

Seccomp (Secure Computing) filters restrict which Linux system calls a container can make. The RuntimeDefault profile blocks approximately 50 dangerous syscalls while allowing normal application behavior: 

securityContext:
  seccompProfile:
    type: RuntimeDefault

For stricter control, create custom seccomp profiles that whitelist only the specific syscalls your application uses. Tools like strace and inspektor-gadget can profile your application to generate a minimal syscall list.

Read-Only Root Filesystem

Prevent containers from writing to their filesystem. This blocks many post-exploitation techniques like dropping malware binaries or modifying configuration files: 

containers:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">name: app</li>
</ul>
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">name: tmp</li>
</ul>
        mountPath: /tmp
volumes:
<ul class="list-disc pl-6 mb-4 space-y-2">
<li class="text-slate-300">name: tmp</li>
</ul>
    emptyDir: {}

Use emptyDir volumes for directories that need to be writable (like /tmp).

Exam Focus Points
  • Running containers as root (UID 0) is the most common Kubernetes security mistake: always set runAsNonRoot: true
  • Drop ALL capabilities and add back only specific ones needed (like NET_BIND_SERVICE)
  • SYS_ADMIN capability is nearly equivalent to full root and should almost never be granted
  • The RuntimeDefault seccomp profile blocks approximately 50 dangerous syscalls while allowing normal application behavior
  • Read-only root filesystems block post-exploitation techniques: use emptyDir volumes for writable directories like /tmp
Knowledge Check

1. What does runAsNonRoot: true do if the container image specifies USER root?

2. Which Linux capability is nearly equivalent to full root access?

3. How do you allow a container to write to /tmp while using readOnlyRootFilesystem: true?

Sign in to track progress
Secrets Management: Native Secrets, Sealed Secrets and Vault