Kubernetes Commands for Enhancing Security
The guide above explains the commands used in Kubernetes for security.
In this guide there are three security configuration settings used, including the following:
disallow-privilege-escalation
This policy prohibits privilege escalation within the pod. The securityContext.allowPrivilegeEscalation setting must be set to false, and it cannot be set to true or left unset. This helps to limit access to host resources that might mistakenly get exposed to the container, thereby enhancing security by preventing containers from running with root privileges.
Initial Example
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
spec:
containers:
- name: main-container
image: nginx
securityContext:
allowPrivilegeEscalation: true # This violates the rule
initContainers:
- name: init-container
image: busybox
command: ["sh", "-c", "echo Init container running"]
# This violates the rule (securityContext.allowPrivilegeEscalation is unset)Compliant Example
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
containers:
- name: main-container
image: nginx
securityContext:
allowPrivilegeEscalation: false # Compliant with the rule
initContainers:
- name: init-container
image: busybox
command: ["sh", "-c", "echo Init container running"]
securityContext:
allowPrivilegeEscalation: false # Compliant with the rulerun-as-non-root-user
This policy prohibits processes from running as the root user. In UNIX operating systems, the root user has a User ID (UID) value of 0, which gives full access to the system. Therefore, to ensure security, the securityContext.runAsUser property MUST be left empty (unset) or explicitly set to a value greater than 0. This policy aims to prevent processes from gaining elevated privileges, thereby reducing the potential risk of exploitation or abuse of the system.
Initial Example
apiVersion: v1
kind: Pod
metadata:
name: example-pod
spec:
initContainers:
- name: example-init-container
image: busybox
securityContext:
runAsUser: 0 # This breaks the rule
containers:
- name: example-container
image: nginx
securityContext:
runAsUser: 0 # This breaks the ruleCompliant Example
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
initContainers:
- name: example-init-container
image: busybox
securityContext:
runAsUser: 1001 # Compliant with the rule
containers:
- name: example-container
image: nginx
# Compliant with the rule (securityContext.allowPrivilegeEscalation is unset)run-as-non-root
This policy prohibits processes from running as the root user inside a Pod. Therefore, the securityContext.runAsNonRoot property MUST be set to true. This value must not be set to false or left empty (unset). This policy ensures security by forcing all processes to run using a non-root user, reducing the risk of exploits associated with elevated privileges.
Initial Example
apiVersion: v1
kind: Pod
metadata:
name: example-pod
spec:
initContainers:
- name: example-init-container
image: busybox
securityContext:
runAsNonRoot: false # This breaks the rule
containers:
- name: example-container
image: nginx
# This violates the rule (securityContext.runAsNonRoot is unset)Compliant Example
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
containers:
- name: main-container
image: nginx
securityContext:
runAsNonRoot: true # Compliant with the rule
initContainers:
- name: init-container
image: busybox
command: ["sh", "-c", "echo Init container running"]
securityContext:
runAsNonRoot: true # Compliant with the ruleTutorial
The following video explains the 3 implementations of the Kubernetes security configuration command previously explained in this guide.
Make sure you can access the Pod/Container that you have.
The following are the contents of the privileged-pod.yaml file used
apiVersion: v1
kind: Pod
metadata:
name: privileged-pod
spec:
Containers:
- name: main-container
image: nginx
securityContext:
allowPrivilegeEscalation: false
runAtUser: 1001
runAsRoot: true
initcontainers:
- name: init-container
image: busybox
command: ["sh", "-c", echo Init container running"]
securityContext:
allowPrivilegeEscalation: false
runAsUser: 1001
runAsRoot: falseLast updated