Saturday, April 17, 2021

DevSecOps: Running ASP.NET Core Applications with minimal privileges in Kubernetes

Configure podSecurityContext

Configure the pod to run as nobody/nogroup user as follows:

```yaml
podSecurityContext:
  runAsUser: 65534
  fsGroup: 65534
```



Configure SecurityContext

Configure security context to run with minimal possible privileges:

```yaml
securityContext:
  capabilities:
    drop:
    - ALL
    add:
    - "NET_ADMIN"   # broad network-configuration capability; keep it only if the app really needs it
  readOnlyRootFilesystem: false   # set to true if the app never writes to its root filesystem
  runAsNonRoot: true
  runAsUser: 65534 # run as the nobody/nogroup user
```



Run on non standard port

Since the container has no permission to bind ports lower than 1024 (normally granted by adding the NET_BIND_SERVICE capability, but that requires root privileges), we have to configure ASP.NET Core to listen on a port above 1024.

```yaml
env:
- name: ASPNETCORE_URLS
  value: http://+:8080
```
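To verify that a deployment actually carries the settings from the three steps above, here is an added example (not code from the original post): a small Python linter that walks a pod spec and reports every deviation from the strictest settings, including added capabilities outside an allow-list and listening ports below 1024. The pod spec, the image name and the helper names are constructed for this example.

```python
import re

NOBODY_UID = 65534  # nobody/nogroup, as used in the post


def _url_ports(aspnetcore_urls):
    """Extract listening ports from an ASPNETCORE_URLS value such as 'http://+:8080'."""
    return [int(m.group(1)) for u in aspnetcore_urls.split(";")
            if (m := re.search(r":(\d+)(?:/|$)", u.strip()))]


def check_pod_spec(pod_spec, allowed_caps=frozenset()):
    """Return a list of findings; an empty list means the spec meets every check."""
    findings = []
    psc = pod_spec.get("securityContext", {})
    if psc.get("runAsUser") in (None, 0):
        findings.append("pod: runAsUser missing or 0")
    if psc.get("fsGroup") in (None, 0):
        findings.append("pod: fsGroup missing or 0")
    for c in pod_spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - set(allowed_caps))
        if extra:
            findings.append(f"{name}: capabilities added outside allow-list: {extra}")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", psc.get("runAsUser")) in (None, 0):  # container value overrides pod value
            findings.append(f"{name}: runAsUser missing or 0")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        ports = [p["containerPort"] for p in c.get("ports", []) if "containerPort" in p]
        for port in ports + _url_ports(env.get("ASPNETCORE_URLS", "")):
            if port < 1024:
                findings.append(f"{name}: port {port} is below 1024 and needs NET_BIND_SERVICE")
    return findings


# Constructed sample: the pod spec assembled from the snippets in this post.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsUser": NOBODY_UID, "fsGroup": NOBODY_UID},
    "containers": [{
        "name": "web",
        "image": "example/aspnet-app:1.0",  # placeholder image name
        "ports": [{"containerPort": 8080}],
        "env": [{"name": "ASPNETCORE_URLS", "value": "http://+:8080"}],
        "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]},
            "readOnlyRootFilesystem": False,
            "runAsNonRoot": True,
            "runAsUser": NOBODY_UID,
        },
    }],
}

if __name__ == "__main__":
    for finding in check_pod_spec(SAMPLE_POD_SPEC):
        print("FINDING:", finding)
```

Run against the post's own settings it reports the added NET_ADMIN capability and the writable root filesystem as items to review; pass `allowed_caps={"NET_ADMIN"}` once that capability has been justified for the application.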


