This commit is contained in:
parent
99c1adface
commit
0fd8b51be9
|
@ -0,0 +1,27 @@
|
||||||
|
# security contexts
|
||||||
|
|
||||||
|
## References:
|
||||||
|
|
||||||
|
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||||
|
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||||
|
|
||||||
|
## What to do
|
||||||
|
|
||||||
|
1. Create the `attacker.yaml` deployment
|
||||||
|
2. Go through the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ task
|
||||||
|
|
||||||
|
Skip the bitmasks, but try different flags in the security context and update the deployment to see
|
||||||
|
what happens with various options.
|
||||||
|
|
||||||
|
Try atleast the following:
|
||||||
|
|
||||||
|
```
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
privileged: true
|
||||||
|
# cd to /dev/ and see after this
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
# try writing to / after this
|
||||||
|
runAsGroup
|
||||||
|
runAsNonRoot
|
||||||
|
runAsUser
|
||||||
|
```
|
|
@ -0,0 +1,27 @@
|
||||||
|
# Pod Security Policy
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
|
||||||
|
- https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-cluster-psp/
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# start minikube with PodSecurityPolicy enabled
|
||||||
|
minikube start --extra-config=apiserver.GenericServerRunOptions.AdmissionControl=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,PodSecurityPolicy
|
||||||
|
```
|
||||||
|
|
||||||
|
Go through the example reference at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Set up a namespace and a service account to act as for this example. We’ll use this service account to mock a non-admin user.
|
||||||
|
kubectl create namespace psp-example
|
||||||
|
kubectl create serviceaccount -n psp-example fake-user
|
||||||
|
kubectl create rolebinding -n psp-example fake-editor --clusterrole=edit --serviceaccount=psp-example:fake-user
|
||||||
|
|
||||||
|
# To make it clear which user we’re acting as and save some typing, create 2 aliases:
|
||||||
|
alias kubectl-admin='kubectl -n psp-example'
|
||||||
|
alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example'
|
||||||
|
|
||||||
|
# Create a policy and a pod (see link for file)
|
||||||
|
kubectl-admin create -f example-psp.yaml
|
||||||
|
```
|
|
@ -0,0 +1,28 @@
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
name: attacker-abc
|
||||||
|
name: attacker-abc
|
||||||
|
namespace: attacker
|
||||||
|
spec:
|
||||||
|
progressDeadlineSeconds: 600
|
||||||
|
replicas: 1
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: 1
|
||||||
|
maxUnavailable: 0
|
||||||
|
type: RollingUpdate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
name: attacker-abc
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- image: alpine:3.6
|
||||||
|
name: attacker-abc
|
||||||
|
command:
|
||||||
|
- sleep
|
||||||
|
- "3600"
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
|
@ -0,0 +1,17 @@
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: example
|
||||||
|
spec:
|
||||||
|
privileged: false # Don't allow privileged pods!
|
||||||
|
# The rest fills in some required fields.
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- '*'
|
|
@ -0,0 +1,48 @@
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: restricted
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
||||||
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
||||||
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
# Required to prevent escalations to root.
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
# This is redundant with non-root + disallow privilege escalation,
|
||||||
|
# but we can provide it for defense in depth.
|
||||||
|
requiredDropCapabilities:
|
||||||
|
- ALL
|
||||||
|
# Allow core volume types.
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
# Assume that persistentVolumes set up by the cluster admin are safe to use.
|
||||||
|
- 'persistentVolumeClaim'
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
# Require the container to run without root privileges.
|
||||||
|
rule: 'MustRunAsNonRoot'
|
||||||
|
seLinux:
|
||||||
|
# This policy assumes the nodes are using AppArmor rather than SELinux.
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
# Forbid adding the root group.
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
# Forbid adding the root group.
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
|
readOnlyRootFilesystem: false
|
Loading…
Reference in New Issue