Container Security
All containers on Kupe Cloud must meet minimum security requirements. These are enforced by cluster policies at deploy time.
Required security settings
Section titled “Required security settings”Every container must include these security context settings:
spec: securityContext: runAsNonRoot: true containers: - name: my-app securityContext: runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] resources: requests: cpu: 100m memory: 128Mi limits: cpu: 500m memory: 256MiWhat each setting does
Section titled “What each setting does”| Setting | Required | Purpose |
|---|---|---|
runAsNonRoot: true | Yes | Prevents running as UID 0 (root) |
allowPrivilegeEscalation: false | Yes | Blocks setuid binaries from gaining privileges |
capabilities.drop: ["ALL"] | Yes | Removes all Linux capabilities |
readOnlyRootFilesystem: true | Recommended | Prevents writing to the container filesystem |
seccompProfile.type: RuntimeDefault | Recommended | Restricts available syscalls |
Required settings are enforced — violations are blocked. Recommended settings are currently logged in audit mode.
Building non-root images
Section titled “Building non-root images”Most official images already support non-root. If you’re building your own:
FROM alpine:3.21
# Create non-root userRUN addgroup -g 65532 -S app && \ adduser -u 65532 -S app -G app
# Set ownershipCOPY --chown=app:app ./bin/myapp /app/myapp
# Switch to non-rootUSER 65532
ENTRYPOINT ["/app/myapp"]Using writable directories
Section titled “Using writable directories”With readOnlyRootFilesystem: true, use emptyDir volumes for directories
that need writes (temp files, caches, uploads):
containers: - name: app securityContext: readOnlyRootFilesystem: true volumeMounts: - name: tmp mountPath: /tmp - name: cache mountPath: /app/cachevolumes: - name: tmp emptyDir: {} - name: cache emptyDir: sizeLimit: 100MiAdding capabilities back
Section titled “Adding capabilities back”If your application needs a specific capability (e.g., binding to ports below 1024), you can add it back after dropping all:
securityContext: capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"]NET_BIND_SERVICE is the most common exception. If your workload needs a
different capability, follow the exemption path in
Cluster Policies and
only add the specific capability you actually need.
Common issues
Section titled “Common issues””exec format error” after switching to non-root
Section titled “”exec format error” after switching to non-root”Your image may use a shell script entrypoint without a shebang line. Add #!/bin/sh
as the first line, or use the binary directly as the entrypoint.
Application writes to root filesystem
Section titled “Application writes to root filesystem”Move writes to an emptyDir volume. Common paths that need this:
/tmp— temp files/var/cache— application caches/var/log— log files (prefer stdout instead)/app/data— application data (use a PVC for persistence)
Related pages
Section titled “Related pages”- Cluster Policies — full policy reference
- Network Isolation — egress restrictions