Kubernetes CKA sample exam question 112 with answer

Question Create a deployment called secure-app in secure namespace. Make sure all containers run with user id 10000 without configuring this setting at container level. Also, containers should NOT be allowed privileged escalation.
Use busybox image for this deployment.

Answer
This task requires runAsUser to be defined at Pod level so that all containers inherit that setting by default.
If you set runAsUser at both Pod and Container level, the value defined at Container level takes precedence.
The other security option, allowPrivilegeEscalation, needs to be set to false and it can ONLY be defined at container level.
Create the deployment manifest:

kubectl create deployment secure-app --image=busybox -n secure --dry-run=client -o yaml --command -- /bin/sh -c "sleep 1200"
Adjust it and add the securityContext-related configuration:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: secure-app
  name: secure-app
  namespace: secure
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      securityContext:
        runAsUser: 10000
      containers:
      - command:
        - /bin/sh
        - -c
        - "sleep 1200"
        image: busybox
        name: busybox
        securityContext:
          allowPrivilegeEscalation: false
Test out the container user id using the following command:
kubectl -n secure exec -it secure-app-747c8567ff-k58k7 -- whoami
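As an added check that is not part of the original answer, the script below verifies a rendered Deployment (the shape `kubectl get deployment secure-app -n secure -o json` prints; the JSON sample here is constructed to mirror the manifest above) against the task's three requirements, applying the precedence rule from the answer: a container-level runAsUser overrides the pod-level one, and allowPrivilegeEscalation must be explicitly false on every container because it defaults to true.

```python
import json

# Constructed sample: the Deployment from this answer, trimmed to the fields the check needs.
SECURE_APP_JSON = """
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "secure-app", "namespace": "secure"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 10000},
   "containers": [{"name": "busybox", "image": "busybox",
                   "securityContext": {"allowPrivilegeEscalation": false}}]}}}}
"""


def effective_run_as_user(pod_spec, container):
    """Container-level runAsUser takes precedence over the pod-level value when both are set."""
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    return container.get("securityContext", {}).get("runAsUser", pod_uid)


def check_deployment(obj, required_uid=10000):
    """Return a list of findings; an empty list means the Deployment meets the task's requirements."""
    findings = []
    pod_spec = obj["spec"]["template"]["spec"]
    if pod_spec.get("securityContext", {}).get("runAsUser") != required_uid:
        findings.append(f"pod-level runAsUser is not {required_uid}")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        # The task forbids setting the uid at container level, even to the right value.
        if "runAsUser" in sc:
            findings.append(f"{c['name']}: runAsUser set at container level (overrides pod level)")
        uid = effective_run_as_user(pod_spec, c)
        if uid != required_uid:
            findings.append(f"{c['name']}: effective uid is {uid}, expected {required_uid}")
        # allowPrivilegeEscalation defaults to true, so it has to be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation is not false")
    return findings


def check_json(text, required_uid=10000):
    """Parse kubectl's JSON output and run the checks on it."""
    return check_deployment(json.loads(text), required_uid)


if __name__ == "__main__":
    print(check_json(SECURE_APP_JSON) or "OK: all requirements met")
```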