@cmwylie19
Last active November 18, 2024 20:01
Pepr Project Cruising Session

Understanding SecurityContexts

Pods and containers both have security contexts. A securityContext dictates what the object is allowed to do (run as root, escalate privilege, hold Linux capabilities, which seccomp profile applies, and so on).

Demo

Create a cluster that simulates UDS Core or a managed K8s offering from a major cloud provider (control plane off limits)

k3d cluster create security-context-demo --k3s-arg '--kube-apiserver-arg=enable-admission-plugins=PodSecurity@server:*'

Create a namespace that is configured by PodSecurityPolicy to reject privilege escalation

kubectl apply -f -<<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-namespace
  labels:
    pod-security.kubernetes.io/enforce: "restricted"
    pod-security.kubernetes.io/enforce-version: "latest"
EOF

Create an nginx webserver pod that attempts to escalate privilege.

kubectl apply -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
  name: nginx-priv-escalation
  namespace: restricted-namespace
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx:latest
    ports:
    - containerPort: 80
    volumeMounts:
    - name: html-volume
      mountPath: /usr/share/nginx/html
    command: ["/bin/sh"]
    args:
      - "-c"
      - |
        echo '<h1>Privilege Escalation Attempt</h1>' > /usr/share/nginx/html/index.html && \
        touch /root/test && \
        nginx -g 'daemon off;'
  volumes:
  - name: html-volume
    emptyDir: {}
EOF

Output

Error from server (Forbidden): error when creating "STDIN": pods "nginx-priv-escalation" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Patch the PSS for the namespace

kubectl label namespace restricted-namespace pod-security.kubernetes.io/enforce=baseline --overwrite

Recreate the pod by re-running the kubectl apply command above

Create a service from the pod

k expose po nginx-priv-escalation -n restricted-namespace

Port forward the service locally

k port-forward svc/nginx-priv-escalation 3000:80 -n restricted-namespace

The moral of the story is that you must understand the securityContext the app you are deploying actually needs before you can decide which UDSExemption to apply.
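The four findings in the admission error above map to four securityContext fields. The checker below is an added example (not code from the gist, Pepr or UDS) that evaluates a pod manifest against those restricted-profile rules; it carries the gist's pod as submitted next to a copy that sets the fields the profile demands.

```python
# Added example (not part of the gist): evaluate a pod manifest against the
# four "restricted" Pod Security Standard rules named in the error above.
# Container-level securityContext overrides pod-level for the shared fields.

def _effective(pod_spec, container, key, default=None):
    """Return a securityContext field, container level first, then pod level."""
    for ctx in (container.get("securityContext") or {},
                pod_spec.get("securityContext") or {}):
        if key in ctx:
            return ctx[key]
    return default

def restricted_violations(pod):
    """Return violation messages for each container; [] means admission passes."""
    spec = pod["spec"]
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        csc = c.get("securityContext") or {}
        # Container-only field: must be explicitly false (unset is a violation)
        if csc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{name}")')
        # Must drop ALL; NET_BIND_SERVICE is the only capability that may be added
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f'unrestricted capabilities (container "{name}")')
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f'capabilities.add {sorted(extra)} not allowed (container "{name}")')
        # Pod- or container-level fields
        if _effective(spec, c, "runAsNonRoot") is not True:
            problems.append(f'runAsNonRoot != true (pod or container "{name}")')
        profile = (_effective(spec, c, "seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            problems.append(f'seccompProfile (pod or container "{name}")')
    return problems

# Constructed samples: the gist's pod as submitted, and a copy carrying the
# securityContext that the restricted profile demands.
GIST_POD = {"spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "nginx", "image": "nginx:latest",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
```

Passing admission is only half of it: nginx:latest still starts as root and binds port 80, so a runAsNonRoot pod also needs an image that runs as a non-root user on an unprivileged port, otherwise the kubelet refuses to start the container.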

Delete the cluster

k3d cluster delete security-context-demo