Container Security Context¶
Introduction¶
This guide explains container security context with practical kubectl commands, realistic output, and production-focused checks. Workloads are where application behavior, scheduling, images, probes, and resource limits meet.
When You Need This¶
Use this guide when creating, updating, scaling, or debugging application workloads such as Pods, Deployments, Jobs, CronJobs, DaemonSets, and StatefulSets.
Example Manifest¶
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
namespace: app
spec:
replicas: 3
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: web
image: nginx:1.27
ports:
- containerPort: 80
Apply and Inspect¶
kubectl apply -f manifest.yaml
kubectl get pods -n app -o wide
kubectl describe pod -n app -l app=web
Expected output:
yes
role.rbac.authorization.k8s.io/pod-reader created
Operational Checks¶
kubectl auth can-i get pods --as system:serviceaccount:app:backend -n app
kubectl get role,rolebinding -n app
kubectl describe serviceaccount backend -n app
kubectl get resourcequota,limitrange -n app
kubectl get events -n app --sort-by=.lastTimestamp
Troubleshooting¶
Check image pull status, container logs, previous logs, probes, resource requests, volume mounts, node placement, and rollout history.
Common Mistakes¶
- Using a Pod directly when a Deployment or Job should own it.
- Setting probes before the application has a reliable health endpoint.
- Forgetting resource requests and then blaming the scheduler for Pending pods.
Quick Checklist¶
- Confirm the controller type.
- Check labels and selectors.
- Review probes and resource requests.
- Inspect events and previous logs.
- Watch the rollout after changes.
Related Guides¶
Summary¶
Workload troubleshooting starts with ownership and events. Confirm what controls the pod, then inspect logs, probes, resources, and rollout state.