Overview
We want to enforce strict rules that limit unauthorized manipulation of our Kubernetes cluster.
Testing Out Violations Based on Pod Security Policy
Privileged
```shell
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=privileged
```

```text
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled
```
Baseline
```shell
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline
```

```text
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled
```
Restricted
```shell
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted
```

```text
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "restricted:latest"
Warning: ckaf-kafka-0 (and 5 other pods): unrestricted capabilities, seccompProfile
Warning: credential-management-5665fb95d4-ncssg (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: fluent-bit-q9d8n: allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: kowl-767d84f95f-qm5pj: allowPrivilegeEscalation != false, unrestricted capabilities, seccompProfile
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: coredns-95db45d46-skl6z (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: kube-proxy-zggs2: host namespaces, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: storage-provisioner (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
namespace/kube-system labeled
```
From the previous output, you'll notice that applying the privileged Pod Security Standard produces no warnings for any namespace, whereas the baseline and restricted standards both produce warnings, most notably in the kube-system namespace. Because each command ran with --dry-run=server, the API server evaluated the labels against existing pods but did not persist them, so nothing in the cluster has changed yet.
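The dry-run output above becomes far easier to act on once it is turned into a per-namespace checklist. The following Python script is an added example and is not part of the original page: it parses the PodSecurity warnings kubectl prints (assuming the one-message-per-line format shown above), reports which namespaces can already take the enforce label without breaking a pod, and counts how many pods each violation type affects. The sample input is the page's own baseline run, split one warning per line.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Sample input: the "baseline" dry-run output from this page, one message per line
# as kubectl prints it (warnings go to stderr, "labeled" lines to stdout).
BASELINE_OUTPUT = """\
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled
"""

# Header line that opens the warnings for one namespace.
NS_RE = re.compile(
    r'^Warning: existing pods in namespace "([^"]+)" '
    r'violate the new PodSecurity enforce level "([^"]+)"$'
)
# Per-pod line: name, optional "(and N other pods)", then a comma-separated violation list.
POD_RE = re.compile(r'^Warning: ([^\s(:]+)(?: \(and (\d+) other pods?\))?: (.+)$')
LABELED_RE = re.compile(r"^namespace/(\S+) labeled$")


@dataclass
class PodViolation:
    pod: str
    also_affects: int        # additional pods kubectl folded into this line
    violations: list[str]    # e.g. ["host namespaces", "hostPath volumes"]


def parse_dry_run(output: str):
    """Return ({namespace: [PodViolation, ...]}, {namespaces the label would apply to})."""
    violations: dict[str, list[PodViolation]] = defaultdict(list)
    labeled: set[str] = set()
    current_ns = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := NS_RE.match(line):
            current_ns = m.group(1)
            violations[current_ns]  # register the namespace even before pod lines arrive
            continue
        if m := LABELED_RE.match(line):
            labeled.add(m.group(1))
            continue
        if (m := POD_RE.match(line)) and current_ns is not None:
            pod, extra, viols = m.group(1), int(m.group(2) or 0), m.group(3)
            violations[current_ns].append(
                PodViolation(pod, extra, [v.strip() for v in viols.split(",")])
            )
            continue
        raise ValueError(f"unrecognised kubectl line: {line!r}")
    return dict(violations), labeled


def enforceable_namespaces(output: str) -> set[str]:
    """Namespaces the dry run labeled without reporting a single violating pod."""
    parsed, labeled = parse_dry_run(output)
    return labeled - {ns for ns, pods in parsed.items() if pods}


def violation_counts(parsed) -> Counter:
    """How many pods each violation type affects, counting the folded 'other pods'."""
    counts: Counter = Counter()
    for pods in parsed.values():
        for p in pods:
            for v in p.violations:
                counts[v] += 1 + p.also_affects
    return counts


if __name__ == "__main__":
    parsed, _ = parse_dry_run(BASELINE_OUTPUT)
    print("safe to enforce now:", sorted(enforceable_namespaces(BASELINE_OUTPUT)))
    for ns, pods in parsed.items():
        for p in pods:
            print(f"{ns}/{p.pod} (+{p.also_affects}): {', '.join(p.violations)}")
    print("violation totals:", violation_counts(parsed).most_common())
```

Running the script against the baseline output shows that only kube-node-lease and kube-public are clean, and that hostPath volumes is the violation blocking the most pods; repeating it with the restricted output gives the list of workloads whose securityContext needs attention before that level can be enforced.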
Adding Security
References
| Reference | URL |
|---|---|
| Apply Pod Security Standards at the Cluster Level | https://kubernetes.io/docs/tutorials/security/cluster-level-pss/ |