@ams0
Last active November 12, 2021 10:51

CKS notes December 2020

General

Backup config files!!

alias k=kubectl

sudo runc --root /run/containerd/runc/k8s.io list

pstree -a

Keep containers up:

image: ubuntu
command: ["/bin/bash", "-c", "sleep 3600"]

Links

https://github.com/echoboomer/k8s-cks-notes
https://github.com/abdennour/certified-kubernetes-security-specialist
https://github.com/ibrahimjelliti/CKSS-Certified-Kubernetes-Security-Specialist

Immutable pods (ref)

securityContext:
  readOnlyRootFilesystem: true

and add emptyDir volumes
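A complete Pod that puts the two halves together, added here as an example (it is not part of the original notes; the pod name and the mount paths are chosen for the nginx image, which writes its pid file and cache under /var/run and /var/cache/nginx):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: immutable-demo            # example name
spec:
  containers:
  - name: web
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true   # nothing in the image layers can be modified at runtime
      allowPrivilegeEscalation: false
    volumeMounts:                    # writable scratch space only where the process really needs it
    - name: run
      mountPath: /var/run
    - name: cache
      mountPath: /var/cache/nginx
    - name: tmp
      mountPath: /tmp
  volumes:                           # emptyDir lives for the pod's lifetime and is discarded with it
  - name: run
    emptyDir: {}
  - name: cache
    emptyDir: {}
  - name: tmp
    emptyDir: {}
```

Check it with `kubectl exec immutable-demo -- touch /etc/x`, which must fail with "Read-only file system", while `kubectl exec immutable-demo -- touch /tmp/x` succeeds. Without the emptyDir mounts the container crash-loops because nginx cannot create its pid file.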

ImagePolicyWebhook

enable it in /etc/kubernetes/manifests/kube-apiserver.yaml:

  --admission-control=ImagePolicyWebhook,MutatingAdmissionWebhook
  --admission-control-config-file=path-to-admission-config.yaml

MOUNT THE FILE in /etc/kubernetes/manifests/kube-apiserver.yaml !!!

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook

check the file with AdmissionConfiguration (given)

PSP

enable it in /etc/kubernetes/manifests/kube-apiserver.yaml:

spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.168.101.11
    - --allow-privileged=true
    - --anonymous-auth=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy # change

Disable priv containers

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-psp
spec:
  privileged: false  # Prevents creation of privileged Pods
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Pods using secrets via SA (ref)

Just create an SA in a namespace and use in the pod:

spec:
  serviceAccountName: secret-manager

it will have rights on secrets
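The rights come from a Role bound to the service account, not from the account itself; in the exam scenario that binding already exists. The whole chain written out as an added example (not from the notes): the service account, a Role that grants read access to secrets, the binding, and a pod that uses the mounted token to list secrets through the API. The Role, binding and pod names and the curl image are my choices.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-manager
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader           # example name
  namespace: default
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]        # read only; no "create"/"delete"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-manager-reads-secrets   # example name
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
- kind: ServiceAccount
  name: secret-manager
  namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-consumer         # example name
  namespace: default
spec:
  serviceAccountName: secret-manager
  automountServiceAccountToken: true   # token lands in /var/run/secrets/kubernetes.io/serviceaccount
  containers:
  - name: app
    image: curlimages/curl
    command: ["sh", "-c"]
    args:
    - |
      TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
      # call the API as the service account; succeeds only because of the RoleBinding above
      curl -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
        -H "Authorization: Bearer $TOKEN" \
        https://kubernetes.default.svc/api/v1/namespaces/default/secrets
      sleep 3600
```

Before deploying anything, `kubectl auth can-i list secrets -n default --as=system:serviceaccount:default:secret-manager` answers yes/no for exactly this binding. Pods that do not need the API at all should set `automountServiceAccountToken: false` so a compromised container has no token to steal.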

Fix Dockerfiles

Create secret/mount in pod as vol

kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret

AppArmor

apply profile with apparmor_parser; list the loaded profiles:

sudo cat /sys/kernel/security/apparmor/profiles | sort

NOTE: LOCALHOST!!

annotations:
  container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
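The annotation only makes sense inside a pod whose container is actually named `hello`; the key suffix is the container name, not the pod name. A complete pod for it, added as an example (not from the notes; the pod name and the busybox command are mine, the profile name is the one from the notes):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor              # example name
  annotations:
    # <prefix>/<CONTAINER name>: localhost/<profile name as loaded on the node>
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
  containers:
  - name: hello                     # must match the annotation key suffix
    image: busybox
    command: ["sh", "-c", "echo 'Hello AppArmor!' && sleep 1h"]
```

The profile must already be loaded (`sudo apparmor_parser -q <profile-file>`) on every node the pod can land on, or the kubelet refuses to start it. Check from inside: `kubectl exec hello-apparmor -- cat /proc/1/attr/current` prints `k8s-apparmor-example-deny-write (enforce)`, and `kubectl exec hello-apparmor -- touch /tmp/test` fails with "Permission denied".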

Network policy

Can combine both namespaceSelector and podSelector:

spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress
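Whether the two selectors are combined with AND or OR depends only on whether they sit in the same `from` element, which in YAML is a single leading dash. Both forms side by side as an added example (not from the notes; the policy names and the `db` namespace are mine, the labels are the ones in the notes):

```yaml
# Form 1: ONE "from" element carrying both selectors -> both must match (AND):
# pods labelled app=admin, in any namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-allow-admin-any-namespace   # example name
  namespace: db                              # example namespace
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: {}      # any namespace ...
      podSelector:               # ... AND the peer pod carries app=admin
        matchLabels:
          app: admin
---
# Form 2: TWO "from" elements -> either may match (OR):
# every pod in every namespace, OR app=admin pods in the policy's own namespace.
# The empty namespaceSelector alone already allows everything, so this is an allow-all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-allow-too-much              # example name
  namespace: db
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: {}      # element 1: all pods in all namespaces
    - podSelector:               # element 2: app=admin pods in namespace db only
        matchLabels:
          app: admin
```

`kubectl describe networkpolicy -n db` renders each `from` element on its own line, which is the quickest way to see which of the two you actually wrote. Test from a pod without the `app=admin` label in another namespace: form 1 blocks it, form 2 lets it through.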

Audit logs

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend

Remember to mount the volume in /etc/kubernetes/manifests/kube-apiserver.yaml and apply the policy

/etc/kubernetes/audit/policy.yaml

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# log Secret resources audits, level Metadata
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
# log node related audits, level RequestResponse
- level: RequestResponse
  userGroups: ["system:nodes"]
# for everything else don't log anything
- level: None

CIS bench

master: /etc/kubernetes/manifests/kube-apiserver.yaml
  - --authorization-mode=Node,RBAC

node: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

k delete po -n kube-system kube-apiserver-cks
sudo systemctl restart kubelet

Falco scanning

Container runtimeClass

kubelet args:

--container-runtime --container-runtime-endpoint

You use spec.runtimeClassName to associate a Pod with a given RuntimeClass.

cat /etc/containerd/config.toml

disabled_plugins = ["restart"]
[plugins.linux]
  shim = "/usr/local/bin/gvisor-containerd-shim"
  shim_debug = true
[plugins.cri.containerd.runtimes.runsc]
  runtime_type = "io.containerd.runtime.v1.linux"
  runtime_engine = "/usr/bin/runsc"
  runtime_root = "/run/containerd/runsc"

/opt/course/10/arguments

--container-runtime remote --container-runtime-endpoint unix:///run/containerd/containerd.sock
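The link between the containerd config above and a pod is the RuntimeClass object: its `handler` must equal the `runtimes.<name>` key in config.toml (`runsc` here), and the pod refers to the RuntimeClass by name. Both objects as an added example (not from the notes; the RuntimeClass name `gvisor` and the pod are my choices):

```yaml
apiVersion: node.k8s.io/v1        # v1beta1 on clusters before 1.20
kind: RuntimeClass
metadata:
  name: gvisor                    # example name, referenced by pods
handler: runsc                    # == [plugins.cri.containerd.runtimes.runsc] in config.toml
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed                 # example name
spec:
  runtimeClassName: gvisor        # scheduled onto the gVisor sandbox instead of plain runc
  containers:
  - name: app
    image: nginx
```

Confirm the pod really runs under gVisor with `kubectl exec sandboxed -- dmesg`, which prints gVisor's own boot messages instead of the node kernel's. A pod that names a RuntimeClass the node's containerd does not know stays in ContainerCreating with a "no runtime for ... is configured" event.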

# Create storage
RG=minio
LOCATION=westeurope   # placeholder: az group create requires a location, pick your own
export AZURE_STORAGE_ACCOUNT=azureminio
az group create -g "$RG" -l "$LOCATION"
az storage account create -g "$RG" -n "$AZURE_STORAGE_ACCOUNT"
export AZURE_STORAGE_KEY=$(az storage account keys list -g "$RG" -n "$AZURE_STORAGE_ACCOUNT" --query "[0].value" -o tsv)
# Install Minio as an Azure Blob gateway
helm repo add minio https://helm.min.io/
# note: defaultBucket.name cannot be "minio"!
helm upgrade --install --namespace minio --create-namespace minio minio/minio \
  --set azuregateway.enabled=true \
  --set azuregateway.replicas=1 \
  --set defaultBucket.enabled=true --set defaultBucket.name=default \
  --set accessKey="$AZURE_STORAGE_ACCOUNT",secretKey="$AZURE_STORAGE_KEY"
export POD_NAME=$(kubectl get pods --namespace minio -l "release=minio" -o jsonpath="{.items[0].metadata.name}")
kubectl port-forward "$POD_NAME" 9000 --namespace minio
open localhost:9000
# test pod access (in-cluster, via the service DNS name)
kubectl run minioclient --image minio/mc --command -- sleep 3600
kubectl exec minioclient -- mc config host add myminio http://minio.minio:9000 "$AZURE_STORAGE_ACCOUNT" "$AZURE_STORAGE_KEY"
kubectl exec minioclient -- mc ls myminio/
kubectl delete po minioclient