pod_security_context.md

File metadata and controls

145 lines (108 loc) · 3.4 KB

A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to:

  • Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).
  • Security Enhanced Linux (SELinux): Objects are assigned security labels.
  • Running as privileged or unprivileged.
  • Linux Capabilities: Give a process some privileges, but not all the privileges of the root user.
  • AppArmor: Use program profiles to restrict the capabilities of individual programs.
  • Seccomp: Filter a process's system calls.
  • allowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This boolean directly controls whether the no_new_privs flag gets set on the container process.
  • readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.

Discretionary Access Control


Run the busybox-user pod with the following settings:

  • user: 1000
  • group: 3000

```bash
cat << EOF > busybox-user.yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox-user
spec:
  securityContext: # add this
    runAsUser: 1000 # add user
    runAsGroup: 3000 # add group
  containers:
  - image: busybox
    name: busybox-user
    command: ["sh", "-c", "sleep 600"]
EOF

kubectl apply -f busybox-user.yaml
# verify - whoami only prints a name if the UID has an /etc/passwd entry in the image;
# busybox has none for 1000, so the lookup fails although the process runs as 1000:3000
kubectl exec busybox-user -- whoami
# whoami: unknown uid 1000
# command terminated with exit code 1
```
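The `whoami` failure above is a name-lookup problem, not a failed security context: the busybox image has no `/etc/passwd` entry for UID 1000, while the process really does run as 1000:3000. The check below is an added example, not part of the original notes; it verifies the identity numerically by parsing the output of `id`, which needs no passwd entry. `check_identity` is a hypothetical helper name, and the `id` output it is fed is a constructed sample standing in for `kubectl exec busybox-user -- id`.

```shell
#!/bin/sh
# Added example, not from the original notes: verify runAsUser/runAsGroup
# from numeric ids rather than user names, because `whoami` fails when the
# image has no /etc/passwd entry for the UID (as busybox does not for 1000).

# check_identity ID_OUTPUT EXPECTED_UID EXPECTED_GID
# Parses lines such as "uid=1000 gid=3000 groups=3000" or
# "uid=1000(app) gid=3000(app) groups=3000(app)" and returns 0 only when
# both the uid and the gid equal the expected numeric values.
check_identity() {
  _uid=$(printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
  _gid=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9][0-9]*\).*/\1/p')
  [ -n "$_uid" ] && [ -n "$_gid" ] && [ "$_uid" = "$2" ] && [ "$_gid" = "$3" ]
}

# Constructed sample of what `kubectl exec busybox-user -- id` prints for the
# pod above (no passwd entry, so no names in parentheses).
SAMPLE_ID_OUTPUT="uid=1000 gid=3000 groups=3000"

# Constructed sample from a pod whose manifest omitted runAsUser and therefore
# fell back to the image's default user.
ROOT_ID_OUTPUT="uid=0(root) gid=0(root) groups=0(root),10(wheel)"

# Usage (offline). On a live cluster replace the sample with:
#   ID_OUTPUT=$(kubectl exec busybox-user -- id)
if check_identity "$SAMPLE_ID_OUTPUT" 1000 3000; then
  echo "busybox-user runs as 1000:3000 as configured"
else
  echo "busybox-user is NOT running as 1000:3000" >&2
fi
if check_identity "$ROOT_ID_OUTPUT" 1000 3000; then
  echo "unexpected: root sample matched" >&2
else
  echo "root sample correctly rejected"
fi
```

Comparing numbers rather than names also keeps the check independent of whatever user database an image happens to ship.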


Linux Capabilities


Create an nginx pod with the SYS_TIME and NET_ADMIN capabilities.

```bash
cat << EOF > nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      capabilities:
        add: ["SYS_TIME", "NET_ADMIN"]
EOF

kubectl apply -f nginx.yaml
```


AppArmor


Refer to the AppArmor notes.


Seccomp

Refer to the Seccomp (Secure Computing) notes.


Immutability

  • Image Immutability: Containerized applications are meant to be immutable, and once built are not expected to change between different environments.

Make the busybox-immutable pod immutable using the following settings:

  • readOnlyRootFilesystem: true
  • privileged: false
  • command: ["sh", "-c", "sleep 600"]

```bash
cat << EOF > busybox-immutable.yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox-immutable
spec:
  containers:
  - image: busybox
    name: busybox-immutable
    command: ["sh", "-c", "sleep 600"]
    securityContext: # add this
      readOnlyRootFilesystem: true # add this to make the container immutable
      privileged: false # add this so the container cannot gain host-level (node) access
EOF

kubectl apply -f busybox-immutable.yaml
# verify - writes to the root filesystem are rejected
kubectl exec busybox-immutable -- touch echo.txt
# touch: echo.txt: Read-only file system
# command terminated with exit code 1
```
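The settings listed at the top of these notes, the capabilities added to the nginx pod, and the immutability settings above can all be checked before `kubectl apply`. The script below is an added example, not part of the original notes: a line-oriented pre-apply audit that flags `privileged: true`, added capabilities, and missing `readOnlyRootFilesystem`, `allowPrivilegeEscalation` and `runAsNonRoot`/`runAsUser` settings. It is a grep check, not a YAML parser, so it assumes the key-per-line layout of the manifests above and one container per manifest; `has_setting`, `audit_pod_manifest` and `finding_count` are hypothetical helper names, the nginx manifest is a constructed copy of the one above, and the hardened manifest is constructed here as its corrected counterpart.

```shell
#!/bin/sh
# Added example, not from the original notes: a pre-apply check that flags
# the securityContext settings these notes discuss. It is a line-oriented
# grep check, not a YAML parser, and assumes the key-per-line layout used in
# the manifests above and one container per manifest.

# has_setting MANIFEST KEY VALUE -> 0 if "KEY: VALUE" appears on its own line
# (a trailing "# comment", as in the manifests above, is allowed).
has_setting() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:[[:space:]]*$3([[:space:]]*#.*)?$"
}

# audit_pod_manifest MANIFEST: prints one finding per line, returns their count
audit_pod_manifest() {
  _m="$1"; _n=0
  if has_setting "$_m" privileged true; then
    echo "FAIL privileged: true gives the container host devices and every capability"
    _n=$((_n + 1))
  fi
  if ! has_setting "$_m" readOnlyRootFilesystem true; then
    echo "WARN readOnlyRootFilesystem is not true: the root filesystem stays writable"
    _n=$((_n + 1))
  fi
  if ! has_setting "$_m" allowPrivilegeEscalation false; then
    echo "WARN allowPrivilegeEscalation is not false: no_new_privs is not set"
    _n=$((_n + 1))
  fi
  if ! has_setting "$_m" runAsNonRoot true \
     && ! printf '%s\n' "$_m" | grep -Eq '^[[:space:]]*runAsUser:[[:space:]]*[1-9][0-9]*'; then
    echo "WARN neither runAsNonRoot nor a non-zero runAsUser: the image user (often root) is used"
    _n=$((_n + 1))
  fi
  # an "add:" line that is not an empty list means capabilities are granted
  if printf '%s\n' "$_m" | grep -E '^[[:space:]]*add:' | grep -Evq '\[[[:space:]]*\]'; then
    echo "WARN capabilities added: $(printf '%s\n' "$_m" | grep -E '^[[:space:]]*add:' | head -n 1 | sed 's/^[[:space:]]*//')"
    _n=$((_n + 1))
  fi
  return "$_n"
}

# finding_count MANIFEST: the number of findings, usable as a CI gate
finding_count() {
  audit_pod_manifest "$1" | wc -l | tr -d ' '
}

# Constructed copy of the nginx manifest from the capabilities section above
NGINX_MANIFEST=$(cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      capabilities:
        add: ["SYS_TIME", "NET_ADMIN"]
EOF
)

# Constructed hardened counterpart combining the settings from these notes
HARDENED_MANIFEST=$(cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: busybox-hardened
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - image: busybox
    name: busybox-hardened
    command: ["sh", "-c", "sleep 600"]
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
EOF
)

echo "== nginx manifest =="
audit_pod_manifest "$NGINX_MANIFEST" || echo "-> $? finding(s)"
echo "== hardened manifest =="
audit_pod_manifest "$HARDENED_MANIFEST" && echo "-> no findings"
```

The nginx manifest from the notes produces four findings (writable root filesystem, privilege escalation allowed, no non-root user, two capabilities added) while the hardened manifest produces none; `finding_count` can be compared against zero in a pipeline step to block a manifest before it reaches the cluster.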

Clean up

```bash
rm busybox-immutable.yaml
kubectl delete pod busybox-immutable --force --grace-period=0
```