.

3 years ago · 0fd8b51be9
6 changed files with 147 additions and 0 deletions
--- a/04-CONTEXTS.md
+++ b/04-CONTEXTS.md
@ -0,0 +1,27 @@
+# security contexts
+
+## References:
+
+- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+
+## What to do
+
+1. Create the `attacker.yaml` deployment
+2. Go through the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ task
+
+Skip the bitmasks, but try different flags in the security context and update the deployment to see
+what happens with various options.
+
+Try atleast the following:
+
+```
+allowPrivilegeEscalation: true
+privileged: true
+# cd to /dev/ and see after this
+readOnlyRootFilesystem: true
+# try writing to / after this
+runAsGroup
+runAsNonRoot
+runAsUser
+```
--- a/05-PSP.md
+++ b/05-PSP.md
@ -0,0 +1,27 @@
+# Pod Security Policy
+
+## References
+
+- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
+- https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/
+
+```bash
+# start minikube with PodSecurityPolicy enabled
+minikube start --extra-config=apiserver.GenericServerRunOptions.AdmissionControl=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy
+```
+
+Go through the example reference at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example:
+
+```bash
+# Set up a namespace and a service account to act as for this example. We’ll use this service account to mock a non-admin user.
+kubectl create namespace psp-example
+kubectl create serviceaccount -n psp-example fake-user
+kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
+
+# To make it clear which user we’re acting as and save some typing, create 2 aliases:
+alias kubectl-admin='kubectl -n psp-example'
+alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
+
+# Create a policy and a pod (see link for file)
+kubectl-admin create -f example-psp.yaml
+```
--- a/04-ADMISSION.md
+++ b/04-ADMISSION.md
--- a/resources/attacker.yaml
+++ b/resources/attacker.yaml
@ -0,0 +1,28 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    name: attacker-abc
+  name: attacker-abc
+  namespace: attacker
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: attacker-abc
+    spec:
+      containers:
+      - image: alpine:3.6
+        name: attacker-abc
+        command:
+        - sleep
+        - "3600"
+        securityContext:
+          privileged: true
--- a/resources/psp-example.yml
+++ b/resources/psp-example.yml
@ -0,0 +1,17 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: example
+spec:
+  privileged: false  # Don't allow privileged pods!
+  # The rest fills in some required fields.
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
--- a/resources/psp.yml
+++ b/resources/psp.yml
@ -0,0 +1,48 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    # Assume that persistentVolumes set up by the cluster admin are safe to use.
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false