I am learning more about Kubernetes Pod Security Policies, and while going through the list of fields, I could not find the default value for the Privileged flag. Is this value dependent on the container runtime used? For example, Docker containers have this value set to false by default, so if I had a Kubernetes cluster with only Docker containers, would all the pods be unprivileged?
There is a privileged flag on the SecurityContext of the container spec. The default is false.
For example, with the template below you can set it to true.

    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-world
    spec:
      containers:
        - name: hello-world-container
          # The container definition
          # ...
          securityContext:
            privileged: true

In a fresh cluster the default PSP is very permissive, which means that pretty much anything is allowed. So the default would be to allow privileged containers if the privileged flag was toggled on the pod, same with root users, etc.
You will have to explicitly set the flag to true in the PSP if you want to enforce it. I believe this is true regardless of the container runtime being used; it works with Windows containers too :)
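
For reference, an added example that is not part of the original posts: a PodSecurityPolicy whose `privileged` field is `false`, together with the RBAC objects that let authenticated users use it. The names `no-privileged` and `psp-no-privileged` are constructed for illustration, and the binding to `system:authenticated` is an assumption about who should be covered.

```yaml
# Added example; object names are constructed for illustration.
# PodSecurityPolicy is served from policy/v1beta1 and was removed in Kubernetes v1.25.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-privileged
spec:
  # Pods that set securityContext.privileged: true on any container are rejected.
  privileged: false
  # The four strategies below are required fields; RunAsAny leaves them unrestricted
  # so that this policy differs from a fully permissive one only in the privileged flag.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
---
# A policy applies only to pods whose creating user or service account may "use" it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-no-privileged
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['no-privileged']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-no-privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-no-privileged
subjects:
  # Assumption: every authenticated user and service account should be covered.
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
```

A pod is admitted if any policy its creator may use allows it, so a more permissive policy bound to the same subjects still lets privileged pods through. The PodSecurityPolicy admission controller must also be enabled on the API server for any policy to be evaluated.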