podspawn

Security Configuration

Container hardening options in SecurityConfig, including capability management, PID limits, read-only root, tmpfs mounts, and gVisor runtime.

The security section of /etc/podspawn/config.yaml controls how user containers are hardened. The defaults follow a "drop everything, re-add the minimum" philosophy: every Linux capability is dropped first, and only the handful an ordinary service needs in order to start is added back. Everything else (privilege escalation via setuid binaries, unbounded process creation, a writable image, the host's default runtime) is either blocked by default or can be tightened with the fields below.

Default security config

security:
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETUID
    - SETGID
    - DAC_OVERRIDE
    - FOWNER
    - NET_BIND_SERVICE
  no_new_privileges: true
  pids_limit: 256
  readonly_rootfs: false
  tmpfs: {}
  runtime: ""

Fields

cap_drop: capabilities removed from the container. The default drops ALL, so nothing is inherited from the runtime's default capability set.

cap_add: capabilities added back after cap_drop. The default set (CHOWN, SETUID, SETGID, DAC_OVERRIDE, FOWNER, NET_BIND_SERVICE) is enough for an entrypoint to chown its data directories, switch from root to a service user, and bind a port below 1024. Anything added beyond this list should be justified; DAC_OVERRIDE and FOWNER already bypass file permission and ownership checks inside the container.

no_new_privileges: when true, the container runs with the no_new_privs flag set, so setuid binaries and file capabilities cannot grant a process more privilege than it already holds. Default true.

pids_limit: maximum number of processes and threads in the container's pids cgroup, which bounds fork bombs. Default 256.

readonly_rootfs: mount the container's root filesystem read-only. Default false; when set to true, paths the workload must write to need a tmpfs entry.

tmpfs: map of mount point to mount options for in-memory filesystems. Default empty. Give every mount a size= option, otherwise a runaway writer can consume host memory.

runtime: name of the OCI runtime used to start the container. The default empty string uses the host's default runtime; runsc selects gVisor, which must be installed on the host.

Example: locked-down server

A production-grade configuration that tightens everything the defaults leave open. Compared with the default: NET_BIND_SERVICE is no longer re-added, so the workload must listen on a port above 1023; the PID budget is halved to 128; the root filesystem is read-only, with size-capped tmpfs mounts for /tmp and /run as the only writable paths; and the container runs under gVisor's runsc instead of the host's default runtime:

security:
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETUID
    - SETGID
    - DAC_OVERRIDE
    - FOWNER
  no_new_privileges: true
  pids_limit: 128
  readonly_rootfs: true
  tmpfs:
    /tmp: "size=256m"
    /run: "size=64m"
  runtime: runsc
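The following Python script is an added example, not podspawn's own code, that audits a parsed security section against the drop-everything, re-add-the-minimum policy described on this page. It assumes the section has already been loaded into a dict (for example with PyYAML's yaml.safe_load), that 512 is a sensible upper bound for pids_limit, and that the high-risk capability list is the reviewer's own choice. The three sample sections are constructed: copies of the default and locked-down configurations above, plus a deliberately weak one.

```python
"""Audit a podspawn `security:` section for hardening regressions.

Added example, not part of podspawn. Input is the already-parsed dict
form of the `security:` block (e.g. yaml.safe_load(...)["security"]).
"""
from typing import Any

# Capabilities the page's default config re-adds; anything beyond these is
# reported so a reviewer has to justify it.
BASELINE_CAPS = {"CHOWN", "SETUID", "SETGID", "DAC_OVERRIDE", "FOWNER", "NET_BIND_SERVICE"}

# Assumed reviewer's list: capabilities that largely defeat container isolation.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN",
                  "DAC_READ_SEARCH", "SYS_BOOT", "MKNOD", "BPF", "PERFMON", "SYSLOG"}

MAX_PIDS = 512  # assumed ceiling; the page's examples use 256 and 128


def _norm(cap: str) -> str:
    """Accept CAP_CHOWN, cap_chown or chown and return CHOWN."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_security(sec: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the section passes."""
    findings: list[str] = []

    drop = {_norm(c) for c in sec.get("cap_drop", [])}
    add = {_norm(c) for c in sec.get("cap_add", [])}
    if "ALL" not in drop:
        findings.append("cap_drop must contain ALL; otherwise the runtime's default capability set is kept")
    if "ALL" in add:
        findings.append("cap_add contains ALL, which undoes cap_drop")
    for cap in sorted(add & HIGH_RISK_CAPS):
        findings.append(f"cap_add grants high-risk capability {cap}")
    for cap in sorted(add - BASELINE_CAPS - HIGH_RISK_CAPS - {"ALL"}):
        findings.append(f"cap_add grants {cap}, which is outside the baseline set")

    if sec.get("no_new_privileges") is not True:
        findings.append("no_new_privileges must be true so setuid/file-capability binaries cannot gain privilege")

    pids = sec.get("pids_limit")
    if not isinstance(pids, int) or isinstance(pids, bool) or pids <= 0:
        findings.append("pids_limit must be a positive integer; 0 or missing leaves fork bombs unbounded")
    elif pids > MAX_PIDS:
        findings.append(f"pids_limit {pids} exceeds the assumed ceiling of {MAX_PIDS}")

    tmpfs = sec.get("tmpfs") or {}
    if not sec.get("readonly_rootfs"):
        findings.append("readonly_rootfs is false; the image layers are writable at run time")
    elif "/tmp" not in tmpfs:
        findings.append("readonly_rootfs is true but no tmpfs is mounted at /tmp")
    for path, opts in tmpfs.items():
        if not str(path).startswith("/"):
            findings.append(f"tmpfs mount point {path!r} is not an absolute path")
        if "size=" not in str(opts):
            findings.append(f"tmpfs {path} has no size= option and can grow until host memory is exhausted")

    if sec.get("runtime") != "runsc":
        findings.append("runtime is not runsc; workloads run against the host kernel instead of gVisor's user-space kernel")
    return findings


# Constructed samples: the page's default, the page's locked-down server, and a weak one.
DEFAULT_SECURITY = {
    "cap_drop": ["ALL"],
    "cap_add": ["CHOWN", "SETUID", "SETGID", "DAC_OVERRIDE", "FOWNER", "NET_BIND_SERVICE"],
    "no_new_privileges": True, "pids_limit": 256, "readonly_rootfs": False,
    "tmpfs": {}, "runtime": "",
}
LOCKED_DOWN_SECURITY = {
    "cap_drop": ["ALL"],
    "cap_add": ["CHOWN", "SETUID", "SETGID", "DAC_OVERRIDE", "FOWNER"],
    "no_new_privileges": True, "pids_limit": 128, "readonly_rootfs": True,
    "tmpfs": {"/tmp": "size=256m", "/run": "size=64m"}, "runtime": "runsc",
}
WEAK_SECURITY = {
    "cap_drop": [], "cap_add": ["CAP_SYS_ADMIN", "NET_RAW"],
    "no_new_privileges": False, "pids_limit": 0, "readonly_rootfs": False,
    "tmpfs": {"/scratch": "rw"}, "runtime": "",
}

if __name__ == "__main__":
    for name, sec in (("default", DEFAULT_SECURITY), ("locked-down", LOCKED_DOWN_SECURITY),
                      ("weak", WEAK_SECURITY)):
        print(f"[{name}]")
        for f in audit_security(sec) or ["no findings"]:
            print("  -", f)
```

Run against the page's default section the audit reports exactly two findings (readonly_rootfs false and runtime not runsc), which are precisely the two settings the locked-down example changes; the locked-down section itself produces no findings.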
