I recently stopped using Kubernetes around version 1.23 and came back to it at 1.32. The changes, especially regarding Pod Security, are really baffling to me. I got a warning saying my container 'chown-data-dir' has unrestricted capabilities and should not set certain security contexts. I'm wondering, are most people just disabling Pod Security enforcement, or are they actually configuring it properly? If anyone has tips on effectively learning to configure Pod Security, I'd love to hear them!
1 Answer
It's important to follow security best practices, like not running your container as root. We leverage tools like Kyverno and use mutating/validating webhooks based on namespaces to enforce these policies. You can also opt to ignore warnings since they aren't errors, but I recommend checking out the official Kubernetes docs on Pod Security Standards for more insight.
Could you explain why using non-root containers is so crucial? What are the risks if the root user is compromised?
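To make the warning in the question concrete, here is an added example (not part of the answer above, and not code from Kubernetes or Kyverno) that encodes the main checks of the Pod Security Standards "restricted" profile in a small Python checker and runs it over two constructed pod manifests: one with a root `chown-data-dir` init container like the one that triggered the warning, and one that satisfies the profile. The manifests, names and images are made up for the example; the check list follows the published profile (no host namespaces, no privileged containers, `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, non-zero `runAsUser`, a `RuntimeDefault` or `Localhost` seccomp profile, `capabilities.drop: [ALL]` with only `NET_BIND_SERVICE` allowed back). In the compliant manifest the chown step is replaced by `fsGroup`, which lets the kubelet make the volume group-writable without a root init container.

```python
"""Added example: a minimal checker for the Pod Security "restricted" profile.

Enforcement itself is switched on per namespace with labels, e.g.
  kubectl label ns demo pod-security.kubernetes.io/enforce=restricted \
      pod-security.kubernetes.io/enforce-version=latest
(use the warn/ audit labels first to see what would be rejected).
"""
from typing import Any, Dict, Iterator, List, Tuple

ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}          # only capability restricted lets you add back
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # "Unconfined" or unset is rejected


def _all_containers(spec: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield every container kind the profile applies to, not just .containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            yield key, c


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable violations of the restricted profile (empty list = compliant)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out: List[str] = []

    # Baseline rules that restricted inherits: no host namespaces.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            out.append(f"spec.{field} must not be true")

    for kind, c in _all_containers(spec):
        sc = c.get("securityContext", {})
        where = f"{kind}[{c.get('name', '?')}]"

        if sc.get("privileged"):
            out.append(f"{where}: privileged must not be true")
        # Must be explicitly false; an unset field is a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{where}: allowPrivilegeEscalation must be set to false")
        # May be set at pod level, but a container may not override it to false.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{where}: runAsNonRoot must be true (pod- or container-level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            out.append(f"{where}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            out.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"{where}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            out.append(f"{where}: capabilities.add {sorted(extra)} not allowed")
    return out


# Constructed manifest resembling the one from the question: a root init container
# that chowns the data volume. Every field here is made up for the example.
CHOWN_INIT_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "demo"},
    "spec": {
        "initContainers": [{
            "name": "chown-data-dir", "image": "busybox",
            "command": ["sh", "-c", "chown -R 1000:1000 /data"],
            "securityContext": {"runAsUser": 0, "capabilities": {"add": ["CHOWN"]}},
        }],
        "containers": [{"name": "app", "image": "example/app"}],
    },
}

# Same workload reshaped to pass: fsGroup replaces the chown step, seccomp and
# runAsNonRoot are set once at pod level, each container drops all capabilities.
COMPLIANT_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "demo"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example/app",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("chown init pod", CHOWN_INIT_POD), ("compliant pod", COMPLIANT_POD)):
        print(f"{label}: {len(restricted_violations(pod))} violation(s)")
        for v in restricted_violations(pod):
            print("  -", v)
```

The checker deliberately mirrors how the admission controller reasons: a missing field is a violation when the profile requires an explicit value, and pod-level `securityContext` only helps when no container overrides it. Running it shows ten violations for the chown-style pod (both the init container and the main container fail) and none for the reshaped one, which is the shape to aim for before labelling a namespace with `enforce=restricted`.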