Measures
Assigning Self-Specified UIDs in Kubernetes Containers
Assigning self-specified UIDs to containers ensures greater isolation between container and host environments, reducing the risk of privilege escalation. This practice strengthens security by preventing UID overlaps that could be exploited by attackers.
Example YAML:
apiVersion: v1
kind: Pod
metadata:
  name: isolated-uid-pod
spec:
  securityContext:
    fsGroup: 20001 # Pod-level only: fsGroup is not a valid container securityContext field
  containers:
  - name: my-app
    image: myapp:latest
    securityContext:
      runAsUser: 20001 # Self-specified unique UID
      runAsGroup: 20001
      allowPrivilegeEscalation: false # Ensures no privilege escalation
Isolation of User Contexts:
Assigning unique UIDs to containers ensures that even if a container is compromised, the attacker does not inherit host-level privileges: a process running under a UID that matches no host account is confined to the container's own permissions.
Example YAML:
apiVersion: v1
kind: Pod
metadata:
  name: unique-user-context-pod
spec:
  securityContext:
    runAsNonRoot: true # Ensures the container does not run as root
  containers:
  - name: app-container
    image: myapp:latest
    securityContext:
      runAsUser: 30001 # Isolated UID specific to the container
      runAsGroup: 30001
      allowPrivilegeEscalation: false
Mitigation of Privilege Escalation:
Preventing UID overlap between the host and containers is critical to avoiding privilege escalation. If a container's UID matches that of a privileged host user, breaking out of the container could grant the attacker elevated access on the host. Unique UIDs avert this risk.
Example YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prevent-uid-overlap-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: prevent-uid-overlap
  template:
    metadata:
      labels:
        app: prevent-uid-overlap
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
      - name: secure-container
        image: secureapp:latest
        securityContext:
          runAsUser: 40001 # UID that does not overlap with host UIDs
          runAsGroup: 40001
          allowPrivilegeEscalation: false
Reduced Attack Surface:
Assigning UIDs from the upper third of the UID range minimizes the risk of collision with common system processes or users, and makes the container's identity harder for an attacker to predict or abuse.
Example YAML:
apiVersion: v1
kind: Pod
metadata:
  name: high-range-uid-pod
spec:
  containers:
  - name: app-with-high-uid
    image: highsecurityapp:latest
    securityContext:
      runAsUser: 60001 # UID in the upper third of the range
      runAsGroup: 60001
      allowPrivilegeEscalation: false
By carefully selecting self-specified UIDs that do not overlap with host UIDs, you enhance the isolation between the container and the host environment, significantly reducing the risk of privilege escalation and unauthorized access.
Example YAML:
apiVersion: v1
kind: Pod
metadata:
  name: isolated-container-pod
spec:
  securityContext:
    fsGroup: 50001 # Pod-level only: fsGroup is not a valid container securityContext field
  containers:
  - name: isolated-container
    image: mysecureapp:latest
    securityContext:
      runAsUser: 50001 # Carefully selected UID avoiding overlap
      runAsGroup: 50001
      allowPrivilegeEscalation: false
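To verify that running pods actually carry the settings described above, a policy check can walk a parsed manifest (for example the output of kubectl get pod -o json) and report containers that fall short. This is an added example, not part of the original page; the MIN_UID threshold and the sample spec are assumptions constructed for the demonstration.

```python
# Added example: audit a parsed Pod spec against the UID measures on this page.
from typing import Any, Dict, List

MIN_UID = 10000  # assumed lower bound for self-specified UIDs; adjust to your host's UID layout


def effective(pod_sc: Dict[str, Any], ctr_sc: Dict[str, Any], key: str) -> Any:
    """A container-level securityContext value overrides the pod-level one."""
    return ctr_sc.get(key, pod_sc.get(key))


def check_pod_spec(pod_spec: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the spec passes."""
    findings: List[str] = []
    pod_sc = pod_spec.get("securityContext") or {}
    for ctr in pod_spec.get("containers", []):
        name = ctr.get("name", "<unnamed>")
        ctr_sc = ctr.get("securityContext") or {}

        # fsGroup is only valid at pod level; the API server rejects it on a container.
        if "fsGroup" in ctr_sc:
            findings.append(f"{name}: fsGroup set on the container; move it to spec.securityContext")

        uid = effective(pod_sc, ctr_sc, "runAsUser")
        if uid is None:
            findings.append(f"{name}: runAsUser not set; the image default user (often root) is used")
        elif uid == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        elif uid < MIN_UID:
            findings.append(f"{name}: runAsUser {uid} is below {MIN_UID} and may overlap a host account")

        if effective(pod_sc, ctr_sc, "runAsGroup") in (None, 0):
            findings.append(f"{name}: runAsGroup missing or 0")

        if effective(pod_sc, ctr_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")

        # Must be explicitly false: the default leaves setuid binaries able to gain privileges.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not explicitly false")
    return findings


# Constructed sample: first manifest on this page, with fsGroup left on the container.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "my-app", "image": "myapp:latest",
                    "securityContext": {"runAsUser": 20001, "runAsGroup": 20001,
                                        "fsGroup": 20001, "allowPrivilegeEscalation": False}}],
}

if __name__ == "__main__":
    for finding in check_pod_spec(SAMPLE_POD_SPEC):
        print("FINDING:", finding)
```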