Page cover

Kubernetes Commands for Enhancing Security

The guide above explains the commands used in Kubernetes for security.

In this guide there are three security configuration settings used, including the following:

disallow-privilege-escalation

This policy prohibits privilege escalation within the pod. The securityContext.allowPrivilegeEscalation setting must be set to false, and it cannot be set to true or left unset. This helps to limit access to host resources that might mistakenly get exposed to the container, thereby enhancing security by preventing containers from running with root privileges.

Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: true  # This violates the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      # This violates the rule (securityContext.allowPrivilegeEscalation is unset)

Compliant Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: false  # Compliant with the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      securityContext:
        allowPrivilegeEscalation: false  # Compliant with the rule

run-as-non-root-user

This policy prohibits processes from running as the root user. In UNIX operating systems, the root user has a User ID (UID) value of 0, which gives full access to the system. Therefore, to ensure security, the securityContext.runAsUser property MUST be left empty (unset) or explicitly set to a value greater than 0. This policy aims to prevent processes from gaining elevated privileges, thereby reducing the potential risk of exploitation or abuse of the system.

Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsUser: 0  # This breaks the rule
  containers:
  - name: example-container
    image: nginx
    securityContext:
      runAsUser: 0 # This breaks the rule

Compliant Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsUser: 1001  # Compliant with the rule
  containers:
  - name: example-container
    image: nginx
    # Compliant with the rule (securityContext.allowPrivilegeEscalation is unset)

run-as-non-root

This policy prohibits processes from running as the root user inside a Pod. Therefore, the securityContext.runAsNonRoot property MUST be set to true. This value must not be set to false or left empty (unset). This policy ensures security by forcing all processes to run using a non-root user, reducing the risk of exploits associated with elevated privileges.

Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsNonRoot: false  # This breaks the rule
  containers:
  - name: example-container
    image: nginx
    # This violates the rule (securityContext.runAsNonRoot is unset)

Compliant Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        runAsNonRoot: true # Compliant with the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      securityContext:
        runAsNonRoot: true # Compliant with the rule

Tutorial

The following video explains the 3 implementations of the Kubernetes security configuration command previously explained in this guide.

The following are the contents of the privileged-pod.yaml file used

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  Containers:
  - name: main-container
    image: nginx
	securityContext:
	 allowPrivilegeEscalation: false
	 runAtUser: 1001
	 runAsRoot: true
  initcontainers:
  - name: init-container
    image: busybox
	command: ["sh", "-c", echo Init container running"]
	securityContext:
	 allowPrivilegeEscalation: false
	 runAsUser: 1001
	 runAsRoot: false

Last updated