This is a quick guide on how to get a standard .NET container running as a non-root, non privileged user in Kubernetes. It is not a complete security guide but rather just enough if you require your pods to not run under root.
The first step is to update the Dockerfile. Two changes are required here; one to change the port and one to specify the user to use.
At the start of the Dockerfile, replace any EXPORT
statements with the following:
ENV ASPNETCORE_URLS http://+:8000
EXPOSE 8000
This will expose your application to the cluster on port 8000 rather than port 80.
Next, just before the ENTRYPOINT
instruction, add the following line:
USER 1000
Now build and push the container to your container registry of choice either manually or via a CI/CD pipeline.
Add the following snippet to the deployment manifest under the container entry that is to be locked down:
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
As the exported container port has now changed, update any service you may have defined so it looks similar to the following service manifest:
apiVersion: v1
kind: Service
metadata:
name: your-service
namespace: service-namespace
spec:
selector:
app: your-app
ports:
- name: http
port: 80
targetPort: 8000
type: ClusterIP
The pod will still be accessible via its service on port 80 so things like ingress or gateway definitions or references from other apps do not need to be updated.
Company Reviews