You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Overview

We want to configure strict enforcement of rules to limit unauthorized manipulation of our kubernetes cluster.

Testing Out Violations Base on Pod Security Policy


Privileged

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=privileged
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled


Baseline

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "baseline:latest"
Warning: fluent-bit-q9d8n: hostPath volumes
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "baseline:latest"
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, hostPath volumes
Warning: kube-proxy-zggs2: host namespaces, hostPath volumes, privileged
Warning: storage-provisioner (and 1 other pod): hostPath volumes
namespace/kube-system labeled


Restricted

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "default" violate the new PodSecurity enforce level "restricted:latest"
Warning: ckaf-kafka-0 (and 5 other pods): unrestricted capabilities, seccompProfile
Warning: credential-management-5665fb95d4-ncssg (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: fluent-bit-q9d8n: allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: kowl-767d84f95f-qm5pj: allowPrivilegeEscalation != false, unrestricted capabilities, seccompProfile
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
Warning: existing pods in namespace "kube-system" violate the new PodSecurity enforce level "restricted:latest"
Warning: coredns-95db45d46-skl6z (and 1 other pod): unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: etcd-docker-desktop (and 3 other pods): host namespaces, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: kube-proxy-zggs2: host namespaces, privileged, allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
Warning: storage-provisioner (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, restricted volume types, runAsNonRoot != true, seccompProfile
namespace/kube-system labeled


Adding Security



References

ReferenceURL
Apply Pod Security Standards at the Cluster Levelhttps://kubernetes.io/docs/tutorials/security/cluster-level-pss/


  • No labels

Copyright JMEHAN.COM