You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Overview

We want to configure strict enforcement of rules to limit unauthorized manipulation of our kubernetes cluster.

Testing Out Violations Base on Pod Security Policy

Privileged

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=privileged
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled


Baseline

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled


Restricted

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "restricted:latest"
Warning: ckaf-kafka-0 (and 5 other pods): unrestricted capabilities, seccompProfile
Warning: credential-management-5665fb95d4-ncssg (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: fluent-bit-q9d8n: allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: kowl-767d84f95f-qm5pj: allowPrivilegeEscalation != false, unrestricted capabilities, seccompProfile
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: coredns-95db45d46-skl6z (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: kube-proxy-zggs2: host namespaces, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: storage-provisioner (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
namespace/kube-system labeled


From the previous output, you'll notice that applying the privileged Pod Security Standard shows no warnings for any namespaces. However, baseline and restricted standards both have warnings, specifically in the kube-systemnamespace.


Adding Security



References

ReferenceURL
Apply Pod Security Standards at the Cluster Levelhttps://kubernetes.io/docs/tutorials/security/cluster-level-pss/


  • No labels

Copyright JMEHAN.COM