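--- /dev/null
+++ b/UNKNOWN_PATH_1
+# security contexts
+## References:
+- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+## What to do
+1. Create the `attacker.yaml` deployment
+2. Go through the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ task
+Skip the bitmasks, but try different flags in the security context and update the deployment to see
+what happens with various options.
+Try atleast the following:
+```
+allowPrivilegeEscalation: true
+privileged: true
+# cd to /dev/ and see after this
+readOnlyRootFilesystem: true
+# try writing to / after this
+runAsGroup
+runAsNonRoot
+runAsUser
+```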
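--- /dev/null
+++ b/UNKNOWN_PATH_2
+# Pod Security Policy
+## References
+- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
+- https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/
+```bash
+# start minikube with PodSecurityPolicy enabled
+minikube start --extra-config=apiserver.GenericServerRunOptions.AdmissionControl=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy
+```
+Go through the example reference at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example:
+```bash
+# Set up a namespace and a service account to act as for this example. We’ll use this service account to mock a non-admin user.
+kubectl create namespace psp-example
+kubectl create serviceaccount -n psp-example fake-user
+kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
+# To make it clear which user we’re acting as and save some typing, create 2 aliases:
+alias kubectl-admin='kubectl -n psp-example'
+alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
+# Create a policy and a pod (see link for file)
+kubectl-admin create -f example-psp.yaml
+```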
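--- /dev/null
+++ b/UNKNOWN_PATH_3
@@ -0,0 +1,28 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    name: attacker-abc
+  name: attacker-abc
+  namespace: attacker
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: attacker-abc
+    spec:
+      containers:
+      - image: alpine:3.6
+        name: attacker-abc
+        command:
+        - sleep
+        - "3600"
+        securityContext:
+          privileged: true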
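Review bot: The Deployment is declared as `apiVersion: extensions/v1beta1`, which the API server stopped serving for Deployments in Kubernetes 1.16, so `kubectl create -f attacker.yaml` will fail on any current cluster; the `apps/v1` form also requires an explicit `spec.selector`. The manifest targets `namespace: attacker` but nothing in this commit creates that namespace, so the README step "Create the `attacker.yaml` deployment" presumably needs a `kubectl create namespace attacker` first. `privileged: true` on the container is the intended starting point for the exercise, so it is left as is; a comment such as `# deliberately privileged: the exercise flips this and other securityContext flags` would make that clear to a reader who does not have the README open.
```yaml
apiVersion: apps/v1
# … unchanged: kind, metadata …
spec:
  selector:
    matchLabels:
      name: attacker-abc
  # … unchanged: progressDeadlineSeconds, replicas, strategy, template …
```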
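--- /dev/null
+++ b/UNKNOWN_PATH_4
@@ -0,0 +1,17 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: example
+spec:
+  privileged: false  # Don't allow privileged pods!
+  # The rest fills in some required fields.
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'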
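Review bot: This policy only refuses `privileged: true`; `allowPrivilegeEscalation` is not set (PSP defaults it to true), `runAsUser` is `RunAsAny`, and `volumes: ['*']` still admits `hostPath`, so a pod admitted under it can run as root with the host filesystem mounted. That is fine for the upstream walkthrough it copies, but the file should say so, e.g. `# Demo policy: blocks privileged only; hostPath volumes, root UID and privilege escalation remain allowed — see restricted-psp for a hardened baseline.` Note also that `policy/v1beta1` PodSecurityPolicy was removed in Kubernetes 1.25 (this applies to the restricted policy in this commit too); a one-line comment pointing readers at Pod Security Admission as the replacement would keep the exercise usable on newer clusters.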
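--- /dev/null
+++ b/UNKNOWN_PATH_5
@@ -0,0 +1,48 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    # Assume that persistentVolumes set up by the cluster admin are safe to use.
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false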
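Review bot: The `supplementalGroups` and `fsGroup` ranges both start at 1 to keep GID 0 out, but `runAsGroup` is not constrained anywhere in the spec, so a pod may still request `runAsGroup: 0` as its primary group and the "Forbid adding the root group" comments overstate what is enforced. Adding a matching `runAsGroup` stanza closes that gap with the same range. The closing `readOnlyRootFilesystem: false` is the one knob left permissive in a policy named "restricted"; since the README has the reader experiment with that exact flag, a comment such as `# Left writable so the exercise can toggle it; set true for a production baseline` would explain the choice. The seccomp annotations use the `docker/default` profile name, which I believe is a legacy alias for `runtime/default` — worth confirming against the cluster version the exercise targets.
```yaml
  # … unchanged: runAsUser, seLinux, supplementalGroups …
  runAsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid GID 0 as the primary group as well.
      - min: 1
        max: 65535
  # … unchanged: fsGroup, readOnlyRootFilesystem …
```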