This topic describes how to configure a security context and define permissions and access control settings for an elastic container instance or a container.
Background information
Security contexts define permissions and access control settings for elastic container instances or containers. Examples of security context settings include Discretionary Access Control, Security Enhanced Linux (SELinux), and Linux Capabilities. For more information, see Configure a Security Context for a Pod or Container.
You can configure security contexts at the following levels:
Instances
Elastic Container Instance allows you to modify sysctl parameters by configuring a security context for an instance. The security settings that you specify for an instance apply to all containers and volumes in the instance.
Containers
Elastic Container Instance allows you to modify the runAsUser and capabilities parameters by configuring a security context for a container. The security settings that you specify for a container apply only to the specified container.
Configure a security context for an instance
Feature description
In a Linux system, you can modify runtime kernel parameters by using the sysctl interface. You can view the kernel parameters of an elastic container instance by running the following command. For more information, see sysctl.sh.
sysctl -a
You can modify the sysctl and runAsUser parameters by configuring a security context for a pod.
To avoid instability in the operating system, you must fully understand the impacts of sysctl parameter modifications before you proceed. For more information, see sysctl.
The following sysctl parameters can be modified in Elastic Container Instance:
kernel.shm*
kernel.msg*
kernel.sem
fs.mqueue.*
net.* (except net.ipv4.tcp_syncookies)
vm.min_free_kbytes
We recommend that you specify a value for vm.min_free_kbytes that is not greater than 20% of the total memory size.
Configuration description
When you call the CreateContainerGroup API operation to create an elastic container instance, you can use SecurityContext.Sysctl-related parameters or HostSecurityContext.Sysctl-related parameters to configure a security context for the instance. SecurityContext.Sysctl-related parameters are used to modify safe sysctls, and HostSecurityContext.Sysctl-related parameters are used to modify unsafe sysctls. The following table describes the relevant parameters. For more information, see CreateContainerGroup.
Parameter | Type | Example | Description |
SecurityContext.Sysctl.N.Name | string | net.ipv4.ping_group_range | The name of the safe sysctl when you modify sysctls by configuring a security context. Valid values: |
SecurityContext.Sysctl.N.Value | string | 1 | The value of the safe sysctl when you modify sysctls by configuring a security context. |
HostSecurityContext.Sysctl.N.Name | string | kernel.msgmax | The name of the unsafe sysctl when you modify sysctls by configuring a security context. Valid values: |
HostSecurityContext.Sysctl.N.Value | string | 65536 | The value of the unsafe sysctl when you modify sysctls by configuring a security context. |
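The following added example (not code from the Elastic Container Instance documentation or SDK) builds the flattened SecurityContext.Sysctl.N.* and HostSecurityContext.Sysctl.N.* request parameters from two name-to-value maps and rejects anything outside the list of modifiable sysctls given above, including the vm.min_free_kbytes 20% recommendation. Deciding which names are safe and which are unsafe is left to the caller; the function and parameter names here are assumptions for illustration only.

```python
import fnmatch

# Sysctl name patterns this page lists as modifiable in Elastic Container Instance.
MODIFIABLE_PATTERNS = ("kernel.shm*", "kernel.msg*", "kernel.sem",
                       "fs.mqueue.*", "net.*", "vm.min_free_kbytes")
# net.* is modifiable except this one.
EXCLUDED = {"net.ipv4.tcp_syncookies"}


def is_modifiable(name):
    """Return True if the sysctl name matches the page's list of modifiable sysctls."""
    if name in EXCLUDED:
        return False
    return any(fnmatch.fnmatchcase(name, pat) for pat in MODIFIABLE_PATTERNS)


def min_free_kbytes_ok(value, total_memory_kb):
    """Apply the page's recommendation: vm.min_free_kbytes at most 20% of total memory."""
    return int(value) <= total_memory_kb * 0.2


def sysctl_request_params(safe, unsafe, total_memory_kb):
    """Build flattened CreateContainerGroup parameters for sysctl modifications.

    safe / unsafe: dicts of sysctl name -> value. Safe sysctls become
    SecurityContext.Sysctl.N.*, unsafe ones HostSecurityContext.Sysctl.N.*.
    Raises ValueError for a name outside the modifiable list or an oversized
    vm.min_free_kbytes, so a bad request is caught before the API call.
    """
    params = {}
    for prefix, sysctls in (("SecurityContext", safe), ("HostSecurityContext", unsafe)):
        for n, (name, value) in enumerate(sysctls.items(), start=1):
            if not is_modifiable(name):
                raise ValueError(f"{name} cannot be modified in Elastic Container Instance")
            if name == "vm.min_free_kbytes" and not min_free_kbytes_ok(value, total_memory_kb):
                raise ValueError("vm.min_free_kbytes exceeds 20% of instance memory")
            params[f"{prefix}.Sysctl.{n}.Name"] = name
            params[f"{prefix}.Sysctl.{n}.Value"] = str(value)
    return params


if __name__ == "__main__":
    # Constructed sample input using the page's own example values, for a 4 GiB instance.
    print(sysctl_request_params({"net.ipv4.ping_group_range": "1"},
                                {"kernel.msgmax": 65536}, 4 * 1024 * 1024))
```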
Configure a security context for a container
Feature description
You can configure a security context for a specified container. The following table describes the parameters supported by Elastic Container Instance.
Parameter | Description |
runAsUser | The ID of the user who runs the container. This setting overrides the USER instruction in the Dockerfile. |
runAsGroup | The user group that runs the container. |
runAsNonRoot | Specifies whether the user runs the container as a non-root user. Valid values: true or false. Default value: false. |
privileged | Specifies whether the container is run in privileged mode. A value of true specifies that the container is run in privileged mode. Default value: false. Note: The privileged container feature is in internal preview. To use the feature, submit a ticket. |
capabilities | The permissions that are granted to processes in the container. For more information, see Linux capabilities. You can configure the following permissions: Note: You cannot grant the SYS_RAWIO permission to processes. To use SYS_RAWIO, submit a ticket. |
The following table describes some parameters that are not supported and the default values of the parameters.
Unsupported parameters | Description |
AllowedProcMountTypes | The allowed proc mount types for the container. Default value: DefaultProcMount. |
readOnlyRootFilesystem | Specifies whether the root file system on which the container runs is read-only. Default value: true. |
Configuration description
When you call the CreateContainerGroup API operation to create an elastic container instance, you can use Container.N.SecurityContext-related parameters to configure a security context for the container. The following table describes the relevant parameters. For more information, see CreateContainerGroup.
Parameter | Type | Example | Description |
Container.N.SecurityContext.Capability.Add.N | array | NET_ADMIN | The permissions that are granted to processes in the container. |
Container.N.SecurityContext.ReadOnlyRootFilesystem | boolean | true | Specifies whether the root file system on which the container runs is read-only. Set the value to true. |
Container.N.SecurityContext.RunAsUser | long | 1000 | The ID of the user that runs the container. |
Container.N.SecurityContextRunAsGroup | long | 3000 | The user group that runs the container. |
Container.N.SecurityContextRunAsNonRoot | boolean | true | Specifies whether to run the container as a non-root user. Default value: false. Valid values: true or false. |
Container.N.SecurityContextPrivileged | boolean | true | Specifies whether to run the container in privileged mode. Default value: false. Valid values: true or false. Note: The privileged container feature is in internal preview. To use the feature, submit a ticket. |
You can also configure security contexts for init containers. The parameters that you need to configure are similar to the parameters in the preceding table, but you cannot configure the SecurityContextRunAsGroup and SecurityContextRunAsNonRoot parameters for init containers.
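The following added example (not code from the Elastic Container Instance documentation or SDK) assembles the Container.N.SecurityContext-related parameters from the preceding table and enforces the constraints this page states before a request is sent: ReadOnlyRootFilesystem is always true, SYS_RAWIO is rejected, RunAsNonRoot cannot be combined with RunAsUser 0, and init containers get neither SecurityContextRunAsGroup nor SecurityContextRunAsNonRoot. The parameter prefix for init containers is not given on this page, so it is a caller-supplied argument; the function name and its arguments are assumptions for illustration.

```python
# Parameter name suffixes exactly as the table on this page lists them
# (note that three of them have no dot after "SecurityContext").
KEY_CAP_ADD = "SecurityContext.Capability.Add"
KEY_READ_ONLY_ROOTFS = "SecurityContext.ReadOnlyRootFilesystem"
KEY_RUN_AS_USER = "SecurityContext.RunAsUser"
KEY_RUN_AS_GROUP = "SecurityContextRunAsGroup"
KEY_RUN_AS_NON_ROOT = "SecurityContextRunAsNonRoot"
KEY_PRIVILEGED = "SecurityContextPrivileged"


def container_security_params(n, run_as_user=None, run_as_group=None, run_as_non_root=None,
                              privileged=None, add_capabilities=(), init_container=False,
                              prefix="Container"):
    """Return flattened CreateContainerGroup parameters for container n.

    prefix is "Container" for regular containers; the init-container prefix is not
    given on this page, so callers pass it themselves (assumption). Raises ValueError
    for settings the page says are not supported or that contradict each other.
    """
    if "SYS_RAWIO" in add_capabilities:
        raise ValueError("SYS_RAWIO cannot be granted without a ticket")
    if run_as_non_root and run_as_user == 0:
        raise ValueError("RunAsNonRoot=true contradicts RunAsUser=0")
    if init_container and (run_as_group is not None or run_as_non_root is not None):
        raise ValueError("init containers do not support RunAsGroup or RunAsNonRoot")
    base = f"{prefix}.{n}."
    # The page says ReadOnlyRootFilesystem must be set to true.
    params = {base + KEY_READ_ONLY_ROOTFS: "true"}
    if run_as_user is not None:
        params[base + KEY_RUN_AS_USER] = str(run_as_user)
    if run_as_group is not None:
        params[base + KEY_RUN_AS_GROUP] = str(run_as_group)
    if run_as_non_root is not None:
        params[base + KEY_RUN_AS_NON_ROOT] = "true" if run_as_non_root else "false"
    if privileged is not None:
        params[base + KEY_PRIVILEGED] = "true" if privileged else "false"
    for i, cap in enumerate(add_capabilities, start=1):
        params[f"{base}{KEY_CAP_ADD}.{i}"] = cap
    return params


if __name__ == "__main__":
    # Constructed sample using the example values from the table above.
    print(container_security_params(1, run_as_user=1000, run_as_group=3000,
                                    run_as_non_root=True, add_capabilities=("NET_ADMIN",)))
```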