## page was renamed from k8s/StudyNotes/Security
= k8s/StudyNotes/ Security Docker =

 * Docker uses Namespace on linux does isolation, process still visible on host.
   * /usr/include/linux/capability.h
     * can limit capability's.

 * On Docker can add capabilities {{{
docker run --cap-add MAC_ADMIN or --cap-drop or --privileged
}}}

 * In k8s, can set security on Pod or Container level. 
   * Set under '''spec:''' for POD level, or move under '''containers:''' {{{
securityContext:
  runAsUser: 1000
  capabilities:
    add: ["MAC_ADMIN"]
}}}