You can configure a security context to customize permissions and access control for a pod or container.
Background
Security contexts define permissions and access control settings for elastic container instances or containers. Examples of security context settings include Discretionary Access Control, Security Enhanced Linux (SELinux), and Linux Capabilities. For more information, see Configure a Security Context for a Pod or Container.
You can configure security contexts at the following levels:
Pod security context
Elastic Container Instance (ECI) lets you modify sysctl parameters by configuring a pod-level (instance-level) security context. These settings apply to all containers and volumes in the instance.
Container security context
ECI lets you modify the runAsUser and capabilities parameters by configuring a container-level security context. These settings apply only to the specified container.
Configure a security context for an instance
Feature description
In a Linux system, you can modify runtime kernel parameters through the sysctl interface. To view the current kernel parameters of an elastic container instance, run the following command. For more information, see sysctl.sh.
sysctl -a
You can modify sysctl parameters (and runAsUser) by configuring a security context for a pod.
Changing sysctl parameters can destabilize the operating system. Make sure that you fully understand the impact of each change before you proceed. For more information, see sysctl.
The following sysctl parameters can be modified in Elastic Container Instance:
kernel.shm*
kernel.msg*
kernel.sem
fs.mqueue.*
net.* (except net.ipv4.tcp_syncookies)
vm.min_free_kbytes
We recommend that you specify a value for vm.min_free_kbytes that is not greater than 20% of the total memory size.
Configuration description
When you call the CreateContainerGroup operation to create an ECI instance, you can configure the instance security context using the SecurityContext.Sysctl or HostSecurityContext.Sysctl parameters. SecurityContext.Sysctl is used to modify safe sysctl parameters, and HostSecurityContext.Sysctl is used to modify unsafe sysctl parameters. The following table describes these parameters. For more information, see CreateContainerGroup.
Name | Type | Example | Description |
SecurityContext.Sysctl.N.Name | string | net.ipv4.ping_group_range | The name of the safe sysctl to modify by configuring a security context. Valid values: see the list of modifiable sysctl parameters above. |
SecurityContext.Sysctl.N.Value | string | 1 | The value of the safe sysctl to modify by configuring a security context. |
HostSecurityContext.Sysctl.N.Name | string | kernel.msgmax | The name of the unsafe sysctl to modify by configuring a security context. Valid values: see the list of modifiable sysctl parameters above. |
HostSecurityContext.Sysctl.N.Value | string | 65536 | The value of the unsafe sysctl to modify by configuring a security context. |
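The following Python example is added here and is not part of the page or of the ECI SDK. It turns a plain {name: value} mapping into the flattened SecurityContext.Sysctl.N.* and HostSecurityContext.Sysctl.N.* request parameters described above, rejecting names outside the allow list from the previous section, the excluded net.ipv4.tcp_syncookies, and a vm.min_free_kbytes value above 20% of instance memory. The split between safe and unsafe names is an assumption: the page does not publish which sysctls ECI treats as safe, so the example uses the upstream Kubernetes safe set and routes everything else to HostSecurityContext. The instance memory size and the sample sysctl values are constructed inputs.

```python
import fnmatch
import re

# Sysctl names the page lists as modifiable on ECI. fnmatch's "*" also matches dots,
# so "net.*" covers the whole net tree; the one excluded name is checked separately.
MODIFIABLE_PATTERNS = (
    "kernel.shm*", "kernel.msg*", "kernel.sem", "fs.mqueue.*", "net.*", "vm.min_free_kbytes",
)
BLOCKED = {"net.ipv4.tcp_syncookies"}

# Assumption: the upstream Kubernetes "safe" sysctl set (namespaced per pod). The page does
# not publish ECI's own safe list; every other allowed name is sent as an unsafe sysctl.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}

KIB_PER_GIB = 1024 * 1024
MIN_FREE_KBYTES_MAX_FRACTION = 0.20
# Only dotted sysctl names reach the API; anything else (spaces, quotes) is rejected up front.
NAME_RE = re.compile(r"[a-z0-9_]+(\.[A-Za-z0-9_-]+)+")


def is_modifiable(name: str) -> bool:
    """True if ECI allows this sysctl name to be set, per the page's allow list."""
    if not NAME_RE.fullmatch(name) or name in BLOCKED:
        return False
    return any(fnmatch.fnmatchcase(name, pat) for pat in MODIFIABLE_PATTERNS)


def max_min_free_kbytes(memory_gib: float) -> int:
    """Largest vm.min_free_kbytes the page recommends: 20% of instance memory, in KiB."""
    return int(memory_gib * KIB_PER_GIB * MIN_FREE_KBYTES_MAX_FRACTION)


def build_sysctl_params(sysctls: dict, memory_gib: float) -> dict:
    """Turn {name: value} into flattened CreateContainerGroup request parameters.

    Safe names go to SecurityContext.Sysctl.N.*, all others to HostSecurityContext.Sysctl.N.*.
    Raises ValueError for anything the page says ECI rejects or advises against.
    """
    params = {}
    counters = {"SecurityContext.Sysctl": 0, "HostSecurityContext.Sysctl": 0}
    for name, value in sysctls.items():
        value = str(value)
        if not is_modifiable(name):
            raise ValueError(f"{name} cannot be modified on ECI")
        if "\n" in value or "\r" in value:
            raise ValueError(f"{name}: value must be a single line")
        if name == "vm.min_free_kbytes" and int(value) > max_min_free_kbytes(memory_gib):
            raise ValueError(f"vm.min_free_kbytes={value} exceeds 20% of {memory_gib} GiB")
        prefix = "SecurityContext.Sysctl" if name in SAFE_SYSCTLS else "HostSecurityContext.Sysctl"
        counters[prefix] += 1
        n = counters[prefix]
        params[f"{prefix}.{n}.Name"] = name
        params[f"{prefix}.{n}.Value"] = value
    return params


if __name__ == "__main__":
    # Constructed input: one safe and two unsafe sysctls on a 4 GiB instance.
    request = build_sysctl_params(
        {"net.ipv4.ping_group_range": "1 65535", "kernel.msgmax": 65536, "vm.min_free_kbytes": 65536},
        memory_gib=4,
    )
    for key, val in request.items():
        print(f"{key}={val}")
```

The returned mapping is what you would pass as query parameters to the CreateContainerGroup call; the example stops short of the API call itself so it runs offline. The 20% rule is a recommendation on the page rather than a hard limit, so treat the ValueError as a policy gate you can relax deliberately, not as a guarantee that the API would refuse the value.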
Configure a security context for a container
Feature description
At the container level, you can configure a security context for a specific container. The following table describes the parameters that ECI supports.
Parameter | Description |
runAsUser | The ID of the user who runs the container. This setting overrides the USER instruction in the Dockerfile. |
runAsGroup | The ID of the group that runs the container. |
runAsNonRoot | Specifies whether the user runs the container as a non-root user. Valid values: true or false. Default value: false. |
privileged | Specifies whether the container is run in privileged mode. A value of true specifies that the container is run in privileged mode. Default value: false. Note The privileged container feature is in internal preview. To use the feature, submit a ticket. |
capabilities | The Linux capabilities granted to processes in the container, for example NET_ADMIN. For more information, see Linux capabilities. Note: You cannot grant the SYS_RAWIO capability to processes. To use SYS_RAWIO, submit a ticket. |
The following table describes some parameters that are not supported and the default values of the parameters.
Unsupported parameters | Description |
AllowedProcMountTypes | The allowed proc mount types for the container. Default value: DefaultProcMount. |
readOnlyRootFilesystem | Specifies whether the root file system of the container is read-only. Default value: true. |
Configuration description
When you call the CreateContainerGroup operation to create an elastic container instance, you can use Container.N.SecurityContext-related parameters to configure a security context for the container. The following table describes the relevant parameters. For more information, see CreateContainerGroup.
Name | Type | Example | Description |
Container.N.SecurityContext.Capability.Add.N | array | NET_ADMIN | The capabilities that are granted to processes in the container. |
Container.N.SecurityContext.ReadOnlyRootFilesystem | boolean | true | Specifies whether the root file system of the container is read-only. Set the value to true. |
Container.N.SecurityContext.RunAsUser | long | 1000 | The ID of the user that runs the container. |
Container.N.SecurityContext.RunAsGroup | long | 3000 | The ID of the group that runs the container. |
Container.N.SecurityContext.RunAsNonRoot | boolean | true | Specifies whether to run the container as a non-root user. Valid values: true or false. Default value: false. |
Container.N.SecurityContext.Privileged | boolean | true | Specifies whether to run the container in privileged mode. Valid values: true or false. Default value: false. Note: The privileged container feature is in internal preview. To use the feature, submit a ticket. |
You can also configure a security context for an init container. The parameters are similar to those in the preceding table, but SecurityContext.RunAsGroup and SecurityContext.RunAsNonRoot are not supported for init containers.
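The following Python example is added here and is not code from the page or from the ECI SDK. It builds the Container.N.SecurityContext.* parameters for one container from a small dataclass and enforces, client-side, the constraints the section states: SYS_RAWIO and privileged mode need a ticket, ReadOnlyRootFilesystem must be true, and init containers take neither RunAsGroup nor RunAsNonRoot. It also catches a combination the API cannot satisfy, RunAsNonRoot=true with RunAsUser=0. Two details are assumptions rather than facts from the page: that init containers use an InitContainer.N.SecurityContext.* prefix (the page only says their parameters are "similar"), and that booleans are sent as the strings "true"/"false". The sample values are the page's own examples (UID 1000, GID 3000, NET_ADMIN).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Capabilities the page says cannot be granted without a ticket.
TICKET_ONLY_CAPABILITIES = {"SYS_RAWIO"}


@dataclass
class ContainerSecurityContext:
    run_as_user: Optional[int] = None          # overrides the image's USER instruction
    run_as_group: Optional[int] = None
    run_as_non_root: Optional[bool] = None     # page default: false
    privileged: bool = False                   # internal preview; ticket required
    capabilities_add: List[str] = field(default_factory=list)
    read_only_root_filesystem: bool = True     # the only value the page accepts


def _normalize_cap(cap: str) -> str:
    """Accept CAP_NET_ADMIN or net_admin and emit the bare upper-case name."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def validate(ctx: ContainerSecurityContext, init: bool = False,
             privileged_enabled: bool = False, sys_rawio_enabled: bool = False) -> None:
    """Reject settings the page says ECI refuses, before any request is sent."""
    caps = {_normalize_cap(c) for c in ctx.capabilities_add}
    blocked = caps & TICKET_ONLY_CAPABILITIES
    if blocked and not sys_rawio_enabled:
        raise ValueError(f"capabilities {sorted(blocked)} require a ticket")
    if ctx.privileged and not privileged_enabled:
        raise ValueError("privileged mode is in internal preview; ticket required")
    if not ctx.read_only_root_filesystem:
        raise ValueError("ReadOnlyRootFilesystem must be true")
    # RunAsNonRoot=true with an explicit UID 0 can never start; fail fast instead.
    if ctx.run_as_non_root and ctx.run_as_user == 0:
        raise ValueError("RunAsNonRoot=true conflicts with RunAsUser=0")
    if init and (ctx.run_as_group is not None or ctx.run_as_non_root is not None):
        raise ValueError("init containers do not support RunAsGroup or RunAsNonRoot")


def to_params(ctx: ContainerSecurityContext, index: int, init: bool = False,
              **policy) -> Dict[str, str]:
    """Flatten one container's security context into CreateContainerGroup parameters.

    Assumption: init containers use the InitContainer.N.SecurityContext.* prefix.
    """
    validate(ctx, init=init, **policy)
    prefix = f"{'InitContainer' if init else 'Container'}.{index}.SecurityContext"
    params: Dict[str, str] = {}
    for i, cap in enumerate(ctx.capabilities_add, start=1):
        params[f"{prefix}.Capability.Add.{i}"] = _normalize_cap(cap)
    params[f"{prefix}.ReadOnlyRootFilesystem"] = "true"
    if ctx.run_as_user is not None:
        params[f"{prefix}.RunAsUser"] = str(ctx.run_as_user)
    if ctx.run_as_group is not None:
        params[f"{prefix}.RunAsGroup"] = str(ctx.run_as_group)
    if ctx.run_as_non_root is not None:
        params[f"{prefix}.RunAsNonRoot"] = str(ctx.run_as_non_root).lower()
    if ctx.privileged:
        params[f"{prefix}.Privileged"] = "true"
    return params


if __name__ == "__main__":
    # Constructed example using the page's sample values.
    ctx = ContainerSecurityContext(run_as_user=1000, run_as_group=3000, run_as_non_root=True,
                                   capabilities_add=["NET_ADMIN"])
    for key, val in to_params(ctx, 1).items():
        print(f"{key}={val}")
```

One check this code cannot make offline: RunAsNonRoot=true without an explicit RunAsUser defers to the image's USER, and a container whose image runs as root will be refused at start, not at request time. Pin RunAsUser to a non-zero UID when you want the failure to surface before the instance is created.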