Kubernetes Commands for Enhancing Security

The guide above explains the commands used in Kubernetes for security. It focuses on three critical settings that enhance container security and enforce least privilege principles:

allowPrivilegeEscalation

This policy prohibits privilege escalation within the pod. The securityContext.allowPrivilegeEscalation setting must be set to false, and it cannot be set to true or left unset. This helps to limit access to host resources that might mistakenly get exposed to the container, thereby enhancing security by preventing containers from running with root privileges.

Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: true  # This violates the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      # This violates the rule (securityContext.allowPrivilegeEscalation is unset)

Compliant Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        allowPrivilegeEscalation: false  # Compliant with the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      securityContext:
        allowPrivilegeEscalation: false  # Compliant with the rule

runAsUser

This policy prohibits processes from running as the root user. In UNIX operating systems, the root user has a User ID (UID) value of 0, which gives full access to the system. Therefore, to ensure security, the securityContext.runAsUser property MUST be left empty (unset) or explicitly set to a value greater than 0. This policy aims to prevent processes from gaining elevated privileges, thereby reducing the potential risk of exploitation or abuse of the system.

Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsUser: 0  # This breaks the rule
  containers:
  - name: example-container
    image: nginx
    securityContext:
      runAsUser: 0 # This breaks the rule

Compliant Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsUser: 1001  # Compliant with the rule
  containers:
  - name: example-container
    image: nginx
    # Compliant with the rule (securityContext.allowPrivilegeEscalation is unset)

runAsNonRoot

This policy prohibits processes from running as the root user inside a Pod. Therefore, the securityContext.runAsNonRoot property MUST be set to true. This value must not be set to false or left empty (unset). This policy ensures security by forcing all processes to run using a non-root user, reducing the risk of exploits associated with elevated privileges.

Initial Example

apiVersion: v1
kind: Pod
metadata:
  name: example-pod
spec:
  initContainers:
  - name: example-init-container
    image: busybox
    securityContext:
      runAsNonRoot: false  # This breaks the rule
  containers:
  - name: example-container
    image: nginx
    # This violates the rule (securityContext.runAsNonRoot is unset)

Compliant Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
    - name: main-container
      image: nginx
      securityContext:
        runAsNonRoot: true # Compliant with the rule
  initContainers:
    - name: init-container
      image: busybox
      command: ["sh", "-c", "echo Init container running"]
      securityContext:
        runAsNonRoot: true # Compliant with the rule

Tutorial

The following video explains the 3 implementations of the Kubernetes security configuration command previously explained in this guide.

Make sure you can access the Pod/Container that you have.

The following are the contents of the privileged-pod.yaml file used.

apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
  - name: main-container
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      runAsUser: 1001
      runAsRoot: false
  initContainers:
  - name: init-container
    image: busybox
    command: ["sh", "-c", "echo Init container running"]
    securityContext:
      allowPrivilegeEscalation: false
      runAsUser: 1001
      runAsRoot: false

PreviousHow to use kubeconfig on Windows NextHow to add GPU in Kubernetes

Last updated 4 months ago