For security reasons, many container deployments nowadays run their workloads in a scratch-based image. This form of deployment helps reduce the attack surface, since there is no shell to gain access to if someone were to break out of the application.
Seccomp helps us limit the system calls a process inside a container can make, and PodSecurityPolicy is the way to enable it on pods in Kubernetes.
File capabilities allow users to execute programs with higher privileges. The best example is the network utility
Here are simple steps that you can follow to prove that the root user inside a container is also root on the host, and how to mitigate this.
A large number of system calls are exposed to every userland process, many of them going unused for the entire lifetime of the process. A certain subset of userland applications benefit from having a reduced set of available system calls; the resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications. Seccomp filtering provides a means for a process to specify a filter for incoming system calls.
A volume mount CVE was discovered in Kubernetes 1.9 and older which allowed access to the node file system through an emptyDir volume mount using subPath. The official description goes as follows:
A few days ago I wrote a blog post about adding a new node to the cluster using the static token file. The problem with that approach is that you need to restart kube-apiserver, providing it the path to the token file. Here we will see how to use the bootstrap token, which is very dynamic in nature and can be controlled by using Kubernetes resources like
I enabled PodSecurityPolicy on a minikube cluster by appending PodSecurityPolicy to the apiserver flag in minikube like this:
The setup here is created by following Kubernetes the Hard Way by Kelsey Hightower. So if you are following along, do all the setup up to the step Bootstrapping the Kubernetes Worker Nodes. In that step, just don't start the kubelet; start the other services like
Start a single-node Fedora machine using whatever method you like; I have used this Vagrantfile to do it: