Saturday, April 17, 2021

DevSecOps: Running ASP.NET Core Applications with minimal privileges in Kubernetes


Configure podSecurityContext

Configure the pod to run as nobody/nogroup user as follows:


Configure SecurityContext

Configure security context to run with minimal possible privileges:

securityContext:
  capabilities:
    drop:
    - ALL
    - "NET_ADMIN"
  runAsUser: 65534 # run as the nobody/nogroup user

Run on a non-standard port

Since we do not have permission to bind to ports lower than 1024 (normally granted by adding the NET_BIND_SERVICE capability, but this requires root privileges), we have to configure ASP.NET Core to listen on a port above 1024.
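The three steps above combined into one Deployment manifest, as an added example that is not from the original post. The resource name, image reference and port 8080 are assumptions; `runAsNonRoot` and `allowPrivilegeEscalation` are extra hardening fields the post does not mention.

```yaml
# Added example: names, image and port are placeholders, not values from the post.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aspnet-demo                  # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aspnet-demo
  template:
    metadata:
      labels:
        app: aspnet-demo
    spec:
      # Pod-level security context: applies to every container in the pod.
      securityContext:
        runAsUser: 65534             # nobody
        runAsGroup: 65534            # nogroup
        runAsNonRoot: true           # addition: kubelet refuses to start a UID 0 container
      containers:
        - name: web
          image: registry.example.com/aspnet-demo:1.0   # placeholder image
          ports:
            - containerPort: 8080    # assumed port, above 1024
          env:
            # Kestrel reads its listen address from ASPNETCORE_URLS, so no
            # NET_BIND_SERVICE capability is needed for an unprivileged port.
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
          # Container-level security context: minimal privileges.
          securityContext:
            runAsUser: 65534         # run as the nobody/nogroup user
            allowPrivilegeEscalation: false   # addition: blocks setuid-style escalation
            capabilities:
              drop:
                - ALL                # ALL already covers NET_ADMIN
```

After deployment, `kubectl exec` into the pod and run `id` to confirm the process runs as uid=65534 and gid=65534.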


