inits sec ctx

Author: mhausenblas

docs/policies.md

@@ -1,8 +1,25 @@
-# Configuring pods to run securely
+# Policies 
+
+One important tool in the defense in depth strategy are policies. These define
+what is or is not allowed and part of it is usually an enforcement component.
+
+In the context of policies, the concept of least privileges is an important one.
+So let's have a look at this.
 
 ## Least privileges
 
-http://canihaznonprivilegedcontainers.info/
+First off we start with the simple case of a Kubernetes security context, 
+allowing you to specify runtime policies around privileges and access control.
+
+We will be using an [example from the Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+so that you can read up on the details later on. 
+
+```
+kubectl apply -f
+https://raw.githubusercontent.com/k8s-sec/cloud-native-security-tutorial/master/res/pod-security-context.yaml
+```
+
+See more at http://canihaznonprivilegedcontainers.info/
 
 ## Network policies
 

res/pod-security-context.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: security-context
+spec:
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+  volumes:
+  - name: datavol
+    emptyDir: {}
+  containers:
+  - name: main
+    image: amazonlinux:2
+    command: [ "sh", "-c", "sleep 3600" ]
+    volumeMounts:
+    - name: datavol
+      mountPath: /data
+    securityContext:
+      allowPrivilegeEscalation: false