Nemo 2 years ago
parent
commit
0fd8b51be9
6 changed files with 147 additions and 0 deletions
  1. +27
    -0
      04-CONTEXTS.md
  2. +27
    -0
      05-PSP.md
  3. +0
    -0
      BEST.md
  4. +28
    -0
      resources/attacker.yaml
  5. +17
    -0
      resources/psp-example.yml
  6. +48
    -0
      resources/psp.yml

+ 27
- 0
04-CONTEXTS.md View File

@ -0,0 +1,27 @@
# security contexts
## References:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
## What to do
1. Create the `attacker.yaml` deployment
2. Go through the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ task
Skip the bitmasks, but try different flags in the security context and update the deployment to see
what happens with various options.
Try atleast the following:
```
allowPrivilegeEscalation: true
privileged: true
# cd to /dev/ and see after this
readOnlyRootFilesystem: true
# try writing to / after this
runAsGroup
runAsNonRoot
runAsUser
```

+ 27
- 0
05-PSP.md View File

@ -0,0 +1,27 @@
# Pod Security Policy
## References
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
- https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/
```bash
# start minikube with PodSecurityPolicy enabled
minikube start --extra-config=apiserver.GenericServerRunOptions.AdmissionControl=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy
```
Go through the example reference at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example:
```bash
# Set up a namespace and a service account to act as for this example. We’ll use this service account to mock a non-admin user.
kubectl create namespace psp-example
kubectl create serviceaccount -n psp-example fake-user
kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
# To make it clear which user we’re acting as and save some typing, create 2 aliases:
alias kubectl-admin='kubectl -n psp-example'
alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
# Create a policy and a pod (see link for file)
kubectl-admin create -f example-psp.yaml
```

04-ADMISSION.md → BEST.md View File


+ 28
- 0
resources/attacker.yaml View File

@ -0,0 +1,28 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
name: attacker-abc
name: attacker-abc
namespace: attacker
spec:
progressDeadlineSeconds: 600
replicas: 1
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels:
name: attacker-abc
spec:
containers:
- image: alpine:3.6
name: attacker-abc
command:
- sleep
- "3600"
securityContext:
privileged: true

+ 17
- 0
resources/psp-example.yml View File

@ -0,0 +1,17 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'

+ 48
- 0
resources/psp.yml View File

@ -0,0 +1,48 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false

Loading…
Cancel
Save