Hardening Pods with securityContext
Baking least-privilege defaults into templates.
Why Harden by Default
A chart that ships least-privilege defaults protects every cluster that installs it: operators get a hardened pod without having to know which fields to set, and anyone who needs more privilege has to opt in explicitly in their values file. Security baked into templates beats hoping users remember to add it.
Two Levels of securityContext
You can set a securityContext at the pod level (spec.securityContext) that applies to every container in the pod, and a narrower one per container (containers[].securityContext). Where a field exists at both levels, such as runAsUser, runAsNonRoot, or seccompProfile, the container setting overrides the pod setting for that container only. Some fields exist at just one level: fsGroup, supplementalGroups, and sysctls are pod-only, while capabilities, privileged, allowPrivilegeEscalation, and readOnlyRootFilesystem are container-only, so a complete hardening needs both blocks.
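The two levels side by side, as an added example (not a template from the course or any particular chart). The chart name, the values keys podSecurityContext and securityContext, the UID 10001, and the image values are assumptions chosen for illustration; the field names and their pod/container placement are the Kubernetes API's own.

```yaml
# file: values.yaml (constructed example)
# Pod-level defaults: apply to every container in the pod.
# fsGroup is pod-only; the others may be overridden per container.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 10001
  runAsGroup: 10001
  fsGroup: 10001
  seccompProfile:
    type: RuntimeDefault

# Container-level defaults: these fields exist only on containers.
securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

image:
  repository: example.com/app   # assumed image, not a real one
  tag: "1.2.3"
---
# file: templates/deployment.yaml (constructed example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Release.Name }}-app
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-app
    spec:
      # Pod level: inherited by every container below.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: app
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          # Container level: adds container-only fields and can override
          # pod-level fields (e.g. a different runAsUser) for this container.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          # readOnlyRootFilesystem needs an explicit writable scratch path.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Because the values are the defaults, an installer who runs plain `helm install` gets the hardened pod; a user who genuinely needs a capability overrides only `securityContext.capabilities` in their own values file rather than disabling the whole block. Render with `helm template .` and confirm both securityContext blocks appear where expected; a pod that writes outside /tmp will fail at runtime under readOnlyRootFilesystem, which is the point of surfacing that requirement in the template rather than discovering it in production.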