⦿ Set the security context for a Pod

[Create the Pod]
$ kubectl apply -f Pod_1.yaml
$ kubectl apply -f https://k8s.io/examples/pods/security/security-context.yaml

[Verify that the Pod's Container is running]
$ kubectl get pod security-context-demo

[Get a shell to the running Container]
$ kubectl exec -it security-context-demo -- sh
  .........:/# curl http://localhost
  .........:/# ps                                                           (the processes are running as user 1000, which is the value of runAsUser)
  PID   USER    TIME   COMMAND
   1    1000    0:00   sleep 1h
   6    1000    0:00   sh
  .........:/# cd /data                                                     (navigate to /data, and list the one directory)
  .........:/# ls -l
  drwxrwsrwx 2 root 2000 4096 Jun  6 20:08 demo                             (the /data/demo directory has group ID 2000, which is the value of fsGroup)
  .........:/# cd demo                                                      (navigate to /data/demo, and create a file)
  .........:/# echo hello > testfile
  .........:/# ls -l                                                        (list the file in the /data/demo directory)
  -rw-r--r-- 1 1000 2000 6 Jun  6 20:08 testfile                            (that testfile has group ID 2000, which is the value of fsGroup)
  .........:/# id                                                           (show the full identity of the shell process)
  uid=1000 gid=3000 groups=2000,3000,4000                                   (uid 1000 is runAsUser, gid 3000 is the primary group from runAsGroup, and 2000 is fsGroup)
  .........:/# exit


⦿ Implicit group memberships defined in /etc/group in the container image

[Create the Pod]
$ kubectl apply -f Pod_2.yaml
$ kubectl apply -f https://k8s.io/examples/pods/security/security-context-5.yaml

[Verify that the Pod's Container is running]
$ kubectl get pod security-context-demo

[Get a shell to the running Container]
$ kubectl exec -it security-context-demo -- sh
  .........:/# id
  uid=1000 gid=3000 groups=3000,4000,50000
  .........:/# cat /etc/group
  ...
  user-defined-in-image:x:1000:
  group-defined-in-image:x:50000:user-defined-in-image
  .........:/# exit


⦿ Configure fine-grained SupplementalGroups control for a Pod

[Create the Pod]
$ kubectl apply -f Pod_3.yaml
$ kubectl apply -f https://k8s.io/examples/pods/security/security-context-6.yaml

[Verify that the Pod's Container is running]
$ kubectl get pod security-context-demo

[Check the process identity]
$ kubectl exec -it security-context-demo -- id
uid=1000 gid=3000 groups=3000,4000                                          (group 50000 from the image's /etc/group is no longer present; only the groups declared in the Pod spec remain)

[See the Pod's status]
$ kubectl get pod security-context-demo -o yaml
...
status:
  containerStatuses:
  - name: sec-ctx-demo
    user:
      linux:
        gid: 3000
        supplementalGroups:
        - 3000
        - 4000
        uid: 1000
...


⦿ Set the security context for a Container

[Create the Pod]
$ kubectl apply -f Pod_4.yaml
$ kubectl apply -f https://k8s.io/examples/pods/security/security-context-2.yaml

[Verify that the Pod's Container is running]
$ kubectl get pod security-context-demo-2

[Get a shell into the running Container]
$ kubectl exec -it security-context-demo-2 -- sh
  .........:/# ps aux
  USER   PID  %CPU  %MEM      VSZ     RSS  TTY   STAT START   TIME   COMMAND
  2000     1  0.0   0.0      4336     764  ?     Ss   20:36   0:00   /bin/sh -c node server.js
  2000     8  0.1   0.5    772124   22604  ?     Sl   20:36   0:00   node server.js
  ...
  .........:/# exit


⦿ Set capabilities for a Container

[Create the Pod]
$ kubectl apply -f Pod_5.yaml
$ kubectl apply -f https://k8s.io/examples/pods/security/security-context-3.yaml

[Verify that the Pod's Container is running]
$ kubectl get pod security-context-demo-3

[Get a shell into the running Container]
$ kubectl exec -it security-context-demo-3 -- sh
  .........:/# ps aux
  USER  PID %CPU %MEM    VSZ   RSS TTY   STAT START   TIME COMMAND
  root    1  0.0  0.0   4336   796 ?     Ss   18:17   0:00 /bin/sh -c node server.js
  root    5  0.1  0.5 772124 22700 ?     Sl   18:17   0:00 node server.js
  .........:/# cd /proc/1
  .........:/# cat status
  ...
  CapPrm:	00000000a80425fb
  CapEff:	00000000a80425fb
  ...
  .........:/# exit

[Create the Pod]
$ kubectl apply -f Pod_6.yaml
$ kubectl apply -f https://k8s.io/examples/pods/security/security-context-4.yaml

[Get a shell into the running Container]
$ kubectl exec -it security-context-demo-4 -- sh
  .........:/# cd /proc/1
  .........:/# cat status
  ...
  CapPrm:	00000000aa0435fb
  CapEff:	00000000aa0435fb
  ...
  .........:/# exit
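
The CapPrm/CapEff values above are bitmasks, one bit per capability in linux/capability.h order. The following decoder is an added example (not code from the Kubernetes docs or the tutorial) that turns the two masks into capability names and diffs them, so you can see exactly which capabilities the second Pod spec added; the status excerpts it parses are constructed from the output shown above.

```python
# Added example: decode the Cap* bitmasks printed by `cat /proc/1/status`
# and diff the two Pods' effective sets. Bit numbers follow linux/capability.h
# (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_caps(mask_hex: str) -> set[str]:
    """Turn a /proc status capability mask (hex string) into capability names.
    Bits beyond the table (newer kernels) are ignored rather than mislabelled."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}

def parse_status(status_text: str) -> dict[str, set[str]]:
    """Pick the Cap* lines out of /proc/<pid>/status and decode each one."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key] = decode_caps(value.strip())
    return caps

def diff_caps(before: set[str], after: set[str]) -> tuple[set[str], set[str]]:
    """Return (added, removed) when going from `before` to `after`."""
    return after - before, before - after

# Constructed excerpts of the two `cat /proc/1/status` outputs shown above
# (PID 1 is the /bin/sh wrapper in both Pods).
STATUS_DEMO_3 = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
STATUS_DEMO_4 = "Name:\tsh\nCapPrm:\t00000000aa0435fb\nCapEff:\t00000000aa0435fb\n"

if __name__ == "__main__":
    eff3 = parse_status(STATUS_DEMO_3)["CapEff"]
    eff4 = parse_status(STATUS_DEMO_4)["CapEff"]
    added, removed = diff_caps(eff3, eff4)
    print("demo-3 effective:", sorted(eff3))
    print("added in demo-4:", sorted(added), "removed:", sorted(removed))
```

The first mask decodes to the runtime's default 14 capabilities; the second differs only by CAP_NET_ADMIN and CAP_SYS_TIME, which is what you should expect to see added when reviewing a container's `capabilities.add` list against its actual /proc status.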

[Delete the Pod]
$ kubectl delete pod security-context-demo
$ kubectl delete pod security-context-demo-2
$ kubectl delete pod security-context-demo-3
$ kubectl delete pod security-context-demo-4