
OS Level Security Domains

Security Contexts

podsecuritycontext docs

  • controls: userID, groupID, groups
  • pod level & container level

lookup podSecurityContext for available attributes

# this is POD level
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  containers:

effectively runs as uid=1000 so no root!

container as non-root

# this is CONTAINER level (runAsNonRoot on the container; runAsUser/runAsGroup inherited from the pod level)
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  containers:
  - command:
    ...
    ...
    securityContext:
      runAsNonRoot: true
  dnsPolicy: ClusterFirst

Privileged

what it means = container user=0 directly maps to host user=0 (root)

default is unprivileged

enable via cli: docker run --privileged

enable via securityContext like:

# this is CONTAINER level
spec:
  containers:
  - command:
    ...
    ...
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst

privesc

by default, k8s allows privesc: allowPrivilegeEscalation is true unless you explicitly set it to false.

disable

# this is CONTAINER level
spec:
  containers:
  - command:
    ...
    ...
    securityContext:
      allowPrivilegeEscalation: false
  dnsPolicy: ClusterFirst
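Added example (not from the original notes): a small audit that applies the pod-level / container-level rules above to a Pod spec. Pod-level runAsUser/runAsGroup apply to every container unless the container overrides them, allowPrivilegeEscalation counts as true when unset, and privileged implies escalation. The sample pod and container names are constructed.

```python
# Added example: audit a Pod spec for the securityContext settings in these notes.
# Pod-level values apply to every container unless the container sets its own;
# privileged and allowPrivilegeEscalation exist only at container level.

CONTAINER_ONLY = ("privileged", "allowPrivilegeEscalation")


def effective_context(pod_spec, container):
    """Merge the pod-level securityContext under the container's own."""
    merged = {k: v for k, v in (pod_spec.get("securityContext") or {}).items()
              if k not in CONTAINER_ONLY}
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod(pod):
    """Return {container name: [findings]} for the three settings above."""
    spec = pod["spec"]
    report = {}
    for c in spec.get("containers", []):
        ctx = effective_context(spec, c)
        findings = []
        if ctx.get("privileged", False):
            findings.append("privileged")
        # unset allowPrivilegeEscalation means true (the k8s default), and
        # a privileged container can always escalate
        if ctx.get("privileged", False) or ctx.get("allowPrivilegeEscalation", True):
            findings.append("allowPrivilegeEscalation")
        # root if uid 0 is requested, or if nothing forbids the image's default user
        if ctx.get("runAsUser") == 0 or (
                "runAsUser" not in ctx and not ctx.get("runAsNonRoot", False)):
            findings.append("may-run-as-root")
        report[c["name"]] = findings
    return report


# Constructed sample pod: uid 1000 at pod level, one hardened container,
# one privileged root container, one container that sets nothing itself.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000},
    "containers": [
        {"name": "app", "securityContext": {"runAsNonRoot": True,
                                            "allowPrivilegeEscalation": False}},
        {"name": "debug", "securityContext": {"privileged": True, "runAsUser": 0}},
        {"name": "sidecar"},
    ],
}}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(f"{name}: {findings or 'ok'}")
```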

Pod Security Policies (deprecated)

enable via kube-apiserver.yaml: add PodSecurityPolicy to the admission plugins flag on the command, e.g. --enable-admission-plugins=NodeRestriction,PodSecurityPolicy

example yaml; just add whatever policies you want

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  privileged: false # Don't allow privileged pods!
  allowPrivilegeEscalation: false # added
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Understand: once PSP admission is enabled, it is enforced on all pod creations, so whoever creates the pods must be allowed to see (use) the default PSP. k create deploy nginx --image=nginx will NOT work, but k run nginx --image=nginx WORKS.

Why? Because when I create the pod directly (pod/nginx) I am admin, but when I create a deploy, the deploy resource creates the pods on my behalf and that path doesn't have admin permissions to use the PSP.

solution? let the default service account SEE the PSP: create a role that allows use of the podsecuritypolicies resource and bind it to the default service account

i.e.

k create role psp-access --verb=use --resource=podsecuritypolicies
k create rolebinding psp-access --role=psp-access --serviceaccount=default:default