Overview
We want to configure strict enforcement of pod security rules to limit unauthorized manipulation of our Kubernetes cluster. Before enforcing a level, we dry-run each Pod Security level against every namespace to see which existing pods would violate it.
Testing Out Violations Based on Pod Security Policy
Privileged
```shell
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=privileged
```
```text
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled
```
Baseline
```shell
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline
```
```text
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled
```
Restricted
```shell
kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted
```
```text
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "restricted:latest"
Warning: ckaf-kafka-0 (and 5 other pods): unrestricted capabilities, seccompProfile
Warning: credential-management-5665fb95d4-ncssg (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: fluent-bit-q9d8n: allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: kowl-767d84f95f-qm5pj: allowPrivilegeEscalation != false, unrestricted capabilities, seccompProfile
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: coredns-95db45d46-skl6z (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: kube-proxy-zggs2: host namespaces, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: storage-provisioner (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
namespace/kube-system labeled
```
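The three dry runs above produce a lot of warning text that is awkward to read by hand once a cluster has more than a few namespaces. The following Python script is an added example (not code from the original page or from the Kubernetes project) that parses the warning lines kubectl prints for a `--dry-run=server` label change into a per-namespace, per-pod violation report, counts which checks fail most often, and then goes one step beyond the page by combining the outputs of all three dry runs into the strictest level each namespace could enforce today without breaking an existing pod. The sample outputs embedded below are constructed from the warnings shown above; the line format it parses is the one kubectl printed in those runs, so treat the regular expressions as an assumption to re-check if your kubectl version words the warnings differently.

```python
import re
from collections import Counter

# Constructed sample input: the stderr/stdout of the three dry runs shown on this page.
PRIVILEGED_OUTPUT = """\
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled
"""

BASELINE_OUTPUT = """\
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled
"""

RESTRICTED_OUTPUT = """\
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "restricted:latest"
Warning: ckaf-kafka-0 (and 5 other pods): unrestricted capabilities, seccompProfile
Warning: credential-management-5665fb95d4-ncssg (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: fluent-bit-q9d8n: allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: kowl-767d84f95f-qm5pj: allowPrivilegeEscalation != false, unrestricted capabilities, seccompProfile
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: coredns-95db45d46-skl6z (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: kube-proxy-zggs2: host namespaces, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: storage-provisioner (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
namespace/kube-system labeled
"""

# Assumed line shapes, taken from the kubectl output above.
NS_RE = re.compile(r'^Warning: existing pods in namespace "([^"]+)" violate the new PodSecurity enforce level "([^"]+)"$')
POD_RE = re.compile(r'^Warning: (\S+)(?: \(and (\d+) other pods?\))?: (.+)$')
LABELED_RE = re.compile(r'^namespace/(\S+) labeled$')

# Pod Security levels, strictest first.
LEVELS = ("restricted", "baseline", "privileged")


def parse_psa_warnings(output: str) -> dict:
    """Map each namespace that had violations to its enforce level, the named
    violating pods with their failed checks, and how many unnamed pods kubectl folded
    into '(and N other pods)'."""
    report: dict = {}
    current = None
    for line in output.splitlines():
        m = NS_RE.match(line)
        if m:  # header line: the following pod warnings belong to this namespace
            ns, level = m.groups()
            current = report.setdefault(ns, {"level": level, "pods": {}, "extra_pods": 0})
            continue
        if LABELED_RE.match(line):  # the namespace's block is finished
            current = None
            continue
        m = POD_RE.match(line)
        if m and current is not None:
            pod, others, checks = m.groups()
            current["pods"][pod] = [c.strip() for c in checks.split(",")]
            current["extra_pods"] += int(others or 0)
    return report


def violation_counts(report: dict) -> dict:
    """Per namespace, how often each failed check appears across the named pods;
    a quick way to see which control (seccompProfile, hostPath, ...) to fix first."""
    return {ns: Counter(c for checks in info["pods"].values() for c in checks)
            for ns, info in report.items()}


def namespaces_in(output: str) -> set:
    """Every namespace the dry run touched, violating or not."""
    return {m.group(1) for m in map(LABELED_RE.match, output.splitlines()) if m}


def strictest_passing_level(outputs: dict) -> dict:
    """Given {level: dry-run output} for the levels that were tried, return the
    strictest level each namespace can enforce without any existing pod violating it."""
    all_ns = set().union(*(namespaces_in(o) for o in outputs.values()))
    violating = {level: parse_psa_warnings(out) for level, out in outputs.items()}
    result = {}
    for ns in sorted(all_ns):
        for level in LEVELS:
            if level in violating and ns not in violating[level]:
                result[ns] = level
                break
    return result


if __name__ == "__main__":
    plan = strictest_passing_level({"privileged": PRIVILEGED_OUTPUT,
                                    "baseline": BASELINE_OUTPUT,
                                    "restricted": RESTRICTED_OUTPUT})
    for ns, level in plan.items():
        print(f"{ns}: enforce={level}")
    for ns, counts in violation_counts(parse_psa_warnings(RESTRICTED_OUTPUT)).items():
        print(ns, dict(counts))
```

To feed it real cluster output, capture each dry run with `2>&1` (kubectl prints the warnings on stderr) into a file and pass the file contents in place of the constructed strings. The result tells you which namespaces can move straight to `restricted` and which need pod changes first; `violation_counts` shows whether that work is mostly missing `seccompProfile` settings or something harder like `hostPath` volumes and host namespaces.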
Adding Security
References
| Reference | URL |
|---|---|
| Apply Pod Security Standards at the Cluster Level | https://kubernetes.io/docs/tutorials/security/cluster-level-pss/ |