Tags: docker, kubernetes, containers, docker-in-docker, rootless

How to replace `securityContext: privileged: true` in Kubernetes for DinD (docker in docker)


If we want to build OCI container images with docker and e.g. want the following pod setup:

apiVersion: v1
kind: Pod
metadata:
  name: dind
spec:
  containers:
    - name: build
      image: docker:23.0.1-cli
      command:
        - cat
      tty: true
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375

    - name: dind-daemon
      image: docker:23.0.1-dind-rootless
      securityContext:
        privileged: true
      resources:
        requests:
          cpu: 20m
          memory: 512Mi
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker
  volumes:
    - name: docker-graph-storage
      emptyDir: {}

I am wondering what the replacement is for

securityContext:
        privileged: true

since that is deprecated in kubernetes >1.25 because: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

and if it's still possible to do the same as above, and how?


Solution

  • As per the official Kubernetes API reference documentation for v1.26, they have changed the fields for the security context.

    Instead of using privileged: true, they have other parameters in the latest versions. These are:

    runAsUser: You can run as any user in the latest versions by using the UID of the user, if your image has that user. In general the UID of the root user is 0, so you can specify the UID of the root user in the YAML file while creating the deployment.

    allowPrivilegeEscalation: If allowPrivilegeEscalation is set to true, privileges will be escalated to the root user when required.

    runAsNonRoot: If runAsNonRoot is set to true, a validation will be performed and Kubernetes will stop the pod or container from starting; if it is unset or set to false, it won't prevent root execution, provided your image is built to run as root.

    Both runAsUser and runAsNonRoot can be used if you want to execute the job or task continuously as root, whereas allowPrivilegeEscalation can be used for temporarily escalating privileges. Below is the YAML example file for the latest version; use it as a reference.

    apiVersion: v1
    kind: Pod
    metadata:
     name: security-context-demo
    
    spec:
     securityContext:
       runAsUser: 1000
       runAsGroup: 3000
       fsGroup: 2000
    
     volumes:
     - name: sec-ctx-vol
       emptyDir: {}
    
     containers:
     - name: sec-ctx-demo
       image: busybox:1.28
       command: [ "sh", "-c", "sleep 1h" ]
    
       volumeMounts:
       - name: sec-ctx-vol
         mountPath: /data/demo
    
       securityContext:
         allowPrivilegeEscalation: false
    

    Note: The YAML code and the above explanation are derived from the official Kubernetes documentation.

    [1] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
    [2] https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core
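The PodSecurityPolicy deprecation linked in the question was followed by Pod Security Admission, which enforces the Pod Security Standards profiles (privileged, baseline, restricted) per namespace. The script below is an added example, not code from the question, the answer, or the Kubernetes project: it implements, offline, the subset of the restricted-profile controls that touch the fields discussed on this page (privileged, allowPrivilegeEscalation, runAsNonRoot, runAsUser, seccomp, capabilities, host namespaces) and runs them over the two manifests from this page, transcribed into Python dicts so that no cluster and no YAML library is needed. The real admission controller checks more than this; the violation messages and the `hardened()` helper are this example's own.

```python
"""Added example (not from the question or the answer on this page): an offline
checker that applies part of the Pod Security Standards "restricted" profile,
which Pod Security Admission enforces now that PodSecurityPolicy is gone.
The two manifests are the YAML from the page, transcribed into Python dicts
(constructed here so the script needs no cluster and no PyYAML). Only the
controls relevant to the page are implemented; the real profile has more."""
import copy

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability restricted lets you add

# Question's pod: docker CLI plus a rootless dind daemon running privileged.
DIND_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dind"},
    "spec": {"containers": [
        {"name": "build", "image": "docker:23.0.1-cli", "command": ["cat"], "tty": True,
         "env": [{"name": "DOCKER_HOST", "value": "tcp://localhost:2375"}]},
        {"name": "dind-daemon", "image": "docker:23.0.1-dind-rootless",
         "securityContext": {"privileged": True},
         "volumeMounts": [{"name": "docker-graph-storage", "mountPath": "/var/lib/docker"}]},
    ], "volumes": [{"name": "docker-graph-storage", "emptyDir": {}}]},
}

# Answer's pod: runs as UID 1000 with privilege escalation disabled.
DEMO_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "security-context-demo"},
    "spec": {"securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
             "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
             "containers": [{"name": "sec-ctx-demo", "image": "busybox:1.28",
                             "command": ["sh", "-c", "sleep 1h"],
                             "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
                             "securityContext": {"allowPrivilegeEscalation": False}}]},
}


def _containers(spec):
    """All containers PSA looks at: init, regular and ephemeral."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def _effective(field, pod_sc, ctr_sc):
    """Container-level securityContext overrides the pod-level one."""
    return ctr_sc[field] if field in ctr_sc else pod_sc.get(field)


def restricted_violations(manifest):
    """Return a list of human-readable violations; an empty list means admitted."""
    spec = manifest["spec"]
    pod_sc = spec.get("securityContext") or {}
    out = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):        # baseline: no host namespaces
        if spec.get(key):
            out.append(f"pod: {key} must be false")
    for c in _containers(spec):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):                              # baseline: never privileged
            out.append(f"{name}: privileged must be false or unset")
        if sc.get("allowPrivilegeEscalation") is not False:   # restricted: explicitly false
            out.append(f"{name}: allowPrivilegeEscalation must be set to false")
        if _effective("runAsNonRoot", pod_sc, sc) is not True:
            out.append(f"{name}: runAsNonRoot must be true")
        if _effective("runAsUser", pod_sc, sc) == 0:
            out.append(f"{name}: runAsUser must not be 0")
        seccomp = (_effective("seccompProfile", pod_sc, sc) or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            out.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
    return out


def hardened(manifest):
    """Copy of a manifest with the fields the restricted profile demands filled in.
    It only adds the declarative fields; whether the workload (e.g. a rootless
    dockerd) actually functions under them is a separate question."""
    m = copy.deepcopy(manifest)
    pod_sc = m["spec"].setdefault("securityContext", {})
    pod_sc.update({"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in _containers(m["spec"]):
        sc = c.setdefault("securityContext", {})
        sc.pop("privileged", None)
        sc["allowPrivilegeEscalation"] = False
        sc["capabilities"] = {"drop": ["ALL"]}
    return m


if __name__ == "__main__":
    for pod in (DIND_POD, DEMO_POD, hardened(DEMO_POD)):
        print(pod["metadata"]["name"], restricted_violations(pod) or "admitted")
```

Running it reports nine violations for the question's pod (the `privileged: true` on dind-daemon is one of them, but both containers also lack `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, a seccomp profile and `capabilities.drop: [ALL]`), three for the answer's pod (it sets `runAsUser: 1000` but never `runAsNonRoot: true`, and has no seccomp profile or capability drop), and none for the hardened copy. On a real cluster the same outcome is produced by labelling the namespace with `pod-security.kubernetes.io/enforce=restricted` (or `baseline`, which still rejects `privileged: true`); nothing in the v1 Pod API removed the `privileged` field itself, the enforcement just moved from PodSecurityPolicy to these namespace labels.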