From 0fd8b51be9466cb669dd77727d569d37305976a0 Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 21 Apr 2018 12:23:00 +0530
Subject: [PATCH] .

---
 04-CONTEXTS.md | 27 +++++++++++++++++++++
 05-PSP.md | 27 +++++++++++++++++++++
 04-ADMISSION.md => BEST.md | 0
 resources/attacker.yaml | 28 ++++++++++++++++++++++
 resources/psp-example.yml | 17 ++++++++++++++
 resources/psp.yml | 48 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 147 insertions(+)
 create mode 100644 04-CONTEXTS.md
 create mode 100644 05-PSP.md
 rename 04-ADMISSION.md => BEST.md (100%)
 create mode 100644 resources/attacker.yaml
 create mode 100644 resources/psp-example.yml
 create mode 100644 resources/psp.yml

diff --git a/04-CONTEXTS.md b/04-CONTEXTS.md
new file mode 100644
index 0000000..645ec20
--- /dev/null
+++ b/04-CONTEXTS.md
@@ -0,0 +1,27 @@
+# security contexts
+
+## References:
+
+- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+
+## What to do
+
+1. Create the `attacker.yaml` deployment
+2. Go through the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ task
+
+Skip the bitmasks, but try different flags in the security context and update the deployment to see
+what happens with various options.
+
+Try atleast the following:
+
+```
+allowPrivilegeEscalation: true
+privileged: true
+# cd to /dev/ and see after this
+readOnlyRootFilesystem: true
+# try writing to / after this
+runAsGroup
+runAsNonRoot
+runAsUser
+```
\ No newline at end of file
diff --git a/05-PSP.md b/05-PSP.md
new file mode 100644
index 0000000..28fee74
--- /dev/null
+++ b/05-PSP.md
@@ -0,0 +1,27 @@
+# Pod Security Policy
+
+## References
+
+- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
+- https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/
+
+```bash
+# start minikube with PodSecurityPolicy enabled
+minikube start --extra-config=apiserver.GenericServerRunOptions.AdmissionControl=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy
+```
+
+Go through the example reference at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example:
+
+```bash
+# Set up a namespace and a service account to act as for this example. We’ll use this service account to mock a non-admin user.
+kubectl create namespace psp-example
+kubectl create serviceaccount -n psp-example fake-user
+kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
+
+# To make it clear which user we’re acting as and save some typing, create 2 aliases:
+alias kubectl-admin='kubectl -n psp-example'
+alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
+
+# Create a policy and a pod (see link for file)
+kubectl-admin create -f example-psp.yaml
+```
\ No newline at end of file
diff --git a/04-ADMISSION.md b/BEST.md
similarity index 100%
rename from 04-ADMISSION.md
rename to BEST.md
diff --git a/resources/attacker.yaml b/resources/attacker.yaml
new file mode 100644
index 0000000..94a4dd0
--- /dev/null
+++ b/resources/attacker.yaml
@@ -0,0 +1,28 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    name: attacker-abc
+  name: attacker-abc
+  namespace: attacker
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: attacker-abc
+    spec:
+      containers:
+      - image: alpine:3.6
+        name: attacker-abc
+        command:
+          - sleep
+          - "3600"
+        securityContext:
+          privileged: true
\ No newline at end of file
diff --git a/resources/psp-example.yml b/resources/psp-example.yml
new file mode 100644
index 0000000..475b1f5
--- /dev/null
+++ b/resources/psp-example.yml
@@ -0,0 +1,17 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: example
+spec:
+  privileged: false  # Don't allow privileged pods!
+  # The rest fills in some required fields.
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
\ No newline at end of file
diff --git a/resources/psp.yml b/resources/psp.yml
new file mode 100644
index 0000000..5221ec7
--- /dev/null
+++ b/resources/psp.yml
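Review bot: `apiVersion: extensions/v1beta1` on the first line of the attacker.yaml hunk is the old Deployment API group; current clusters serve Deployment only from `apps/v1`, which also makes `spec.selector` mandatory, and this manifest has none, so it will not apply on a recent minikube. Changing the first line to `apiVersion: apps/v1` and adding `selector:` / `  matchLabels:` / `    name: attacker-abc` under `spec` keeps it deployable. Since `privileged: true` at the bottom is the whole point of the 04-CONTEXTS exercise rather than a mistake, a why-comment above it would save the next reader a double take, e.g. `# intentionally privileged: the 04-CONTEXTS exercise toggles this and the other securityContext flags`.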
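Review bot: `volumes: - '*'` at the end of the psp-example.yml hunk admits every volume type, including `hostPath`, and the policy sets neither `allowPrivilegeEscalation` nor a `runAsUser` restriction, so `privileged: false` is a far weaker guarantee than the inline comment `# Don't allow privileged pods!` suggests. This appears to be the upstream docs example that 05-PSP.md points at, so the content is fine for a walkthrough, but a header comment would keep it from being mistaken for a hardened policy: `# Demo policy from the upstream PSP example: it only blocks privileged pods; see psp.yml for a restrictive one.` Also, 05-PSP.md instructs `kubectl-admin create -f example-psp.yaml` while this file is `resources/psp-example.yml`, so the walkthrough fails as written; one of the two names should change.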
@@ -0,0 +1,48 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    # Assume that persistentVolumes set up by the cluster admin are safe to use.
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
\ No newline at end of file
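Review bot: The restricted policy has no effect on its own: once the PodSecurityPolicy admission controller from 05-PSP.md is enabled, a pod is admitted only if the creating user or its service account is granted `use` on this policy through RBAC, and nothing in the commit creates that ClusterRole or binding, so pods from `fake-user` would be rejected outright rather than constrained. A comment at the top of the file naming that prerequisite would help, e.g. `# Requires an RBAC role granting "use" on podsecuritypolicies (resourceName: restricted), bound to the service accounts that should get it.` `readOnlyRootFilesystem: false` on the last line is the one setting that relaxes the policy and is presumably deliberate for the lab; a why-comment would make that explicit, since `true` is the stricter choice. Note also that PodSecurityPolicy (`policy/v1beta1`) was removed in Kubernetes 1.25 in favor of Pod Security Admission, which is worth stating in a comment so the lab is attempted on a version that still serves it.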