
OS Level Security Domains

Security Contexts

PodSecurityContext docs

  • controls: runAsUser (UID), runAsGroup (GID), supplementalGroups, fsGroup, and more
  • set at pod level (spec.securityContext, applies to every container in the pod) and/or container level (spec.containers[].securityContext, overrides the pod-level value for that container)

Look up PodSecurityContext and SecurityContext in the API reference, or run k explain pod.spec.securityContext and k explain pod.spec.containers.securityContext, for the available attributes. Not every field exists at both levels: privileged and allowPrivilegeEscalation are container-only, fsGroup is pod-only.

```yaml
# this is POD level: applies to every container in the pod
apiVersion: v1
kind: Pod
metadata:
  name: pod-level-sc
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
```

Every container in this pod then runs as uid=1000 gid=3000 (verify with k exec <pod> -- id), so no root, unless a container sets its own securityContext.runAsUser, which overrides the pod-level value for that container only.

container as non-root

```yaml
spec:
  securityContext:        # POD level: default UID/GID for all containers
    runAsUser: 1000
    runAsGroup: 3000
  containers:
  - command:
    ...
    ...
    securityContext:      # CONTAINER level
      runAsNonRoot: true
  dnsPolicy: ClusterFirst
```

runAsNonRoot: true does not change the UID by itself; it makes the kubelet verify that the container will not run as uid 0 and refuse to start it otherwise (the pod fails with CreateContainerConfigError and a message like "container has runAsNonRoot and image will run as root"). It also fails when the image's USER is a name rather than a numeric UID, because the kubelet cannot verify it. Pair it with a numeric runAsUser, as above, so the check is deterministic.

Privileged

what it means = the container process gets essentially the same access as a process on the host: all Linux capabilities, access to host devices under /dev, and the default seccomp and AppArmor confinement lifted. Note that uid 0 inside an unprivileged container is already host uid 0 unless user namespaces are in use; what privileged removes is the capability, device and LSM restrictions, so root in the container becomes effectively root on the node (mount the host disk, load kernel modules, etc.).

default is unprivileged

enable via cli: docker run --privileged

enable via securityContext like:

```yaml
# this is CONTAINER level (privileged does not exist at pod level)
spec:
  containers:
  - command:
    ...
    ...
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
```

privesc

By default k8s allows privilege escalation: allowPrivilegeEscalation is unset, which means true. It controls the no_new_privs flag on the process; when false, setuid/setgid binaries (su, sudo, ping with setuid) and file capabilities cannot grant the process more privilege than its parent has. It is always true when the container is privileged or has CAP_SYS_ADMIN, so set it to false only in combination with dropping those.

disable:

```yaml
# this is CONTAINER level (allowPrivilegeEscalation does not exist at pod level)
spec:
  containers:
  - command:
    ...
    ...
    securityContext:
      allowPrivilegeEscalation: false
  dnsPolicy: ClusterFirst
```
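The three settings above (non-root user, privileged, allowPrivilegeEscalation) are what you check first when reviewing pods in a cluster. The script below is an added example, not code from the original page: it audits a v1 PodList in the JSON shape that k get pods -A -o json emits and reports, per container, the same findings, honouring the pod-level/container-level precedence described earlier. The function names (audit_pod, audit_podlist, effective) and the sample PodList are mine and constructed inline so it runs offline.

```python
"""Audit pod specs for the securityContext settings discussed above.

Added example, not from the original page. Input is a v1 PodList as JSON
(what `kubectl get pods -A -o json` returns). Findings per container:
  - privileged: true
  - allowPrivilegeEscalation not explicitly false (unset means true)
  - may run as root: no runAsNonRoot: true and no non-zero runAsUser,
    looking at the container-level value first, then the pod-level one
"""
import json

# Constructed sample PodList, trimmed to the fields the audit needs.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {   # pod-level runAsUser, container inherits it; privesc still allowed
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "securityContext": {"runAsUser": 1000, "runAsGroup": 3000},
                "containers": [{"name": "nginx", "image": "nginx"}],
            },
        },
        {   # privileged container with no user settings at all
            "metadata": {"name": "node-agent", "namespace": "kube-system"},
            "spec": {
                "containers": [{
                    "name": "agent", "image": "agent",
                    "securityContext": {"privileged": True},
                }],
            },
        },
        {   # hardened: non-root enforced by kubelet, no privilege escalation
            "metadata": {"name": "hardened", "namespace": "default"},
            "spec": {
                "containers": [{
                    "name": "app", "image": "app",
                    "securityContext": {
                        "runAsNonRoot": True,
                        "allowPrivilegeEscalation": False,
                    },
                }],
            },
        },
    ],
})


def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext wins over pod-level for the same key
    (even an explicit false at container level overrides a pod-level true)."""
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def audit_pod(pod):
    """Return a list of (namespace/pod/container, finding) tuples for one pod."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    ns = pod["metadata"]["namespace"]
    name = pod["metadata"]["name"]
    findings = []
    # initContainers run before the app containers and deserve the same checks.
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctr_sc = ctr.get("securityContext") or {}
        ref = f"{ns}/{name}/{ctr['name']}"
        if ctr_sc.get("privileged"):
            findings.append((ref, "privileged: true"))
        # Container-level only; unset defaults to true, so require an explicit false.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            findings.append((ref, "allowPrivilegeEscalation not false"))
        run_as_user = effective(pod_sc, ctr_sc, "runAsUser")
        run_as_non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
        if not run_as_non_root and (run_as_user is None or run_as_user == 0):
            findings.append((ref, "may run as root (no runAsNonRoot, no non-zero runAsUser)"))
    return findings


def audit_podlist(podlist_json):
    """Audit every pod in a v1 PodList JSON document."""
    podlist = json.loads(podlist_json)
    findings = []
    for pod in podlist.get("items", []):
        findings.extend(audit_pod(pod))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PODLIST with sys.stdin.read() to audit a real cluster dump.
    for ref, finding in audit_podlist(SAMPLE_PODLIST):
        print(f"{ref}: {finding}")
```

The "may run as root" finding is deliberately conservative: a container with neither setting may in fact run as a non-root USER baked into the image, but nothing in the pod spec guarantees it, and only runAsNonRoot makes the kubelet enforce it. On the sample above, web/nginx gets one finding (privesc), node-agent/agent gets three, and hardened/app gets none.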

Pod Security Policies (deprecated)

PSP was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the replacement is the built-in Pod Security Admission (the pod-security.kubernetes.io/enforce namespace label). The notes below apply to clusters that still ship the PodSecurityPolicy admission plugin.

Enable it via the kube-apiserver manifest (/etc/kubernetes/manifests/kube-apiserver.yaml on a kubeadm cluster) by adding the plugin to the admission list in the command: - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy

Example YAML; add whatever policies you want:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  privileged: false  # Don't allow privileged pods!
  allowPrivilegeEscalation: false # added
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
```

Understand: once the PSP admission plugin is enabled, every pod creation must be authorized against some PSP. The admission controller looks for a PSP that the request is allowed to use (the use verb on podsecuritypolicies, checked for the requesting user and for the pod's service account) and rejects the pod if there is none. That is why k run nginx --image=nginx WORKS but k create deploy nginx --image=nginx does NOT produce a running pod.

Why? With k run I create the pod myself, and as admin I am authorized to use the PSP. With a Deployment I only create the Deployment object; the pods are created by the ReplicaSet controller inside the controller-manager, and neither that controller's identity nor the pod's default service account has permission to use the PSP, so the pod creations are rejected (visible as FailedCreate events in k describe rs and k get events in the namespace).

Solution: grant use on the PSP to the service account the pods run under, here the default service account of the namespace. Create a role with the use verb on podsecuritypolicies and bind it to default:default. Adding --resource-name=default (the PSP's name) to the role is tighter than granting use on every PSP in the cluster.

i.e.

```shell
k create role psp-access --verb=use --resource=podsecuritypolicies
k create rolebinding psp-access --role=psp-access --serviceaccount=default:default
```