6 changed files with 147 additions and 0 deletions
Split View
Diff Options
-
+27 -004-CONTEXTS.md
-
+27 -005-PSP.md
-
+0 -0BEST.md
-
+28 -0resources/attacker.yaml
-
+17 -0resources/psp-example.yml
-
+48 -0resources/psp.yml
+ 27
- 0
04-CONTEXTS.md
View File
| @ -0,0 +1,27 @@ | |||
| # security contexts | |||
| ## References: | |||
| - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | |||
| - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |||
| ## What to do | |||
| 1. Create the `attacker.yaml` deployment | |||
| 2. Go through the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ task | |||
| Skip the bitmasks, but try different flags in the security context and update the deployment to see | |||
| what happens with various options. | |||
| Try atleast the following: | |||
| ``` | |||
| allowPrivilegeEscalation: true | |||
| privileged: true | |||
| # cd to /dev/ and see after this | |||
| readOnlyRootFilesystem: true | |||
| # try writing to / after this | |||
| runAsGroup | |||
| runAsNonRoot | |||
| runAsUser | |||
| ``` | |||
+ 27
- 0
05-PSP.md
View File
| @ -0,0 +1,27 @@ | |||
| # Pod Security Policy | |||
| ## References | |||
| - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy | |||
| - https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/ | |||
| ```bash | |||
| # start minikube with PodSecurityPolicy enabled | |||
| minikube start --extra-config=apiserver.GenericServerRunOptions.AdmissionControl=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy | |||
| ``` | |||
| Go through the example reference at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example: | |||
| ```bash | |||
| # Set up a namespace and a service account to act as for this example. We’ll use this service account to mock a non-admin user. | |||
| kubectl create namespace psp-example | |||
| kubectl create serviceaccount -n psp-example fake-user | |||
| kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user | |||
| # To make it clear which user we’re acting as and save some typing, create 2 aliases: | |||
| alias kubectl-admin='kubectl -n psp-example' | |||
| alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example' | |||
| # Create a policy and a pod (see link for file) | |||
| kubectl-admin create -f example-psp.yaml | |||
| ``` | |||
04-ADMISSION.md → BEST.md
View File
+ 28
- 0
resources/attacker.yaml
View File
| @ -0,0 +1,28 @@ | |||
| apiVersion: extensions/v1beta1 | |||
| kind: Deployment | |||
| metadata: | |||
| labels: | |||
| name: attacker-abc | |||
| name: attacker-abc | |||
| namespace: attacker | |||
| spec: | |||
| progressDeadlineSeconds: 600 | |||
| replicas: 1 | |||
| strategy: | |||
| rollingUpdate: | |||
| maxSurge: 1 | |||
| maxUnavailable: 0 | |||
| type: RollingUpdate | |||
| template: | |||
| metadata: | |||
| labels: | |||
| name: attacker-abc | |||
| spec: | |||
| containers: | |||
| - image: alpine:3.6 | |||
| name: attacker-abc | |||
| command: | |||
| - sleep | |||
| - "3600" | |||
| securityContext: | |||
| privileged: true | |||
+ 17
- 0
resources/psp-example.yml
View File
| @ -0,0 +1,17 @@ | |||
| apiVersion: policy/v1beta1 | |||
| kind: PodSecurityPolicy | |||
| metadata: | |||
| name: example | |||
| spec: | |||
| privileged: false # Don't allow privileged pods! | |||
| # The rest fills in some required fields. | |||
| seLinux: | |||
| rule: RunAsAny | |||
| supplementalGroups: | |||
| rule: RunAsAny | |||
| runAsUser: | |||
| rule: RunAsAny | |||
| fsGroup: | |||
| rule: RunAsAny | |||
| volumes: | |||
| - '*' | |||
+ 48
- 0
resources/psp.yml
View File
| @ -0,0 +1,48 @@ | |||
| apiVersion: policy/v1beta1 | |||
| kind: PodSecurityPolicy | |||
| metadata: | |||
| name: restricted | |||
| annotations: | |||
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' | |||
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | |||
| seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' | |||
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | |||
| spec: | |||
| privileged: false | |||
| # Required to prevent escalations to root. | |||
| allowPrivilegeEscalation: false | |||
| # This is redundant with non-root + disallow privilege escalation, | |||
| # but we can provide it for defense in depth. | |||
| requiredDropCapabilities: | |||
| - ALL | |||
| # Allow core volume types. | |||
| volumes: | |||
| - 'configMap' | |||
| - 'emptyDir' | |||
| - 'projected' | |||
| - 'secret' | |||
| - 'downwardAPI' | |||
| # Assume that persistentVolumes set up by the cluster admin are safe to use. | |||
| - 'persistentVolumeClaim' | |||
| hostNetwork: false | |||
| hostIPC: false | |||
| hostPID: false | |||
| runAsUser: | |||
| # Require the container to run without root privileges. | |||
| rule: 'MustRunAsNonRoot' | |||
| seLinux: | |||
| # This policy assumes the nodes are using AppArmor rather than SELinux. | |||
| rule: 'RunAsAny' | |||
| supplementalGroups: | |||
| rule: 'MustRunAs' | |||
| ranges: | |||
| # Forbid adding the root group. | |||
| - min: 1 | |||
| max: 65535 | |||
| fsGroup: | |||
| rule: 'MustRunAs' | |||
| ranges: | |||
| # Forbid adding the root group. | |||
| - min: 1 | |||
| max: 65535 | |||
| readOnlyRootFilesystem: false | |||