@saiyam1814
Created September 26, 2020 16:27
Kubernetes Security
Pod Security Policy Demo
civo k3s create --wait --version=development
--enable-admission-plugins=...,PodSecurityPolicy
-------------
apiVersion: v1
kind: Pod
metadata:
  name: sammy
spec:
  containers:
  - name: sammy
    image: busybox
    args: ["sleep", "10000"]
kubectl exec -it sammy -- sh
/ # id
uid=0(root) gid=0(root) groups=10(wheel)
PSP
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sammy
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
==========================
apiVersion: v1
kind: Pod
metadata:
  name: sammy
spec:
  containers:
  - name: sammy
    image: busybox
    args: ["sleep", "10000"]
    securityContext:
      runAsUser: 1000
===========================
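The admission decision the two manifests above exercise (the first pod is rejected by MustRunAsNonRoot, the second is admitted once runAsUser is 1000) can be reproduced offline. The following is an added example, not code from the gist or from Kubernetes: a simplified evaluator for the privileged and runAsUser rules of the 'sammy' policy, applied to constructed pod specs. It only reads securityContext fields; the real MustRunAsNonRoot rule additionally consults the image's USER at runtime, so that part is an assumption of this model. PodSecurityPolicy itself was removed in Kubernetes 1.25 in favour of Pod Security Admission, but the same non-root and non-privileged checks apply there.

```python
# Added example (not from the gist): a simplified, offline evaluator for the
# two rules the 'sammy' PodSecurityPolicy enforces. A pod is rejected if any
# container is privileged, or if the manifest does not satisfy
# runAsUser: MustRunAsNonRoot. Assumption: only securityContext fields are
# inspected (the real rule also checks the image's USER at runtime).
import copy

# Constructed policy, reduced to the fields that decide admission here.
PSP_SAMMY = {
    "privileged": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "volumes": ["*"],  # any volume type allowed
}

# Constructed pod, same shape as the first manifest in the notes.
POD_DEFAULT = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sammy"},
    "spec": {"containers": [{"name": "sammy", "image": "busybox",
                             "args": ["sleep", "10000"]}]},
}


def with_security_context(pod, **fields):
    """Return a copy of pod with fields merged into the first container's securityContext."""
    p = copy.deepcopy(pod)
    c = p["spec"]["containers"][0]
    c.setdefault("securityContext", {}).update(fields)
    return p


def _effective(spec, container, key):
    """Container-level securityContext overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return (spec.get("securityContext") or {}).get(key)


def evaluate(psp, pod):
    """Return a list of violations; an empty list means the pod would be admitted."""
    violations = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        if not psp["privileged"] and _effective(spec, c, "privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
            uid = _effective(spec, c, "runAsUser")
            if uid == 0:
                violations.append(f"{name}: runAsUser 0 violates MustRunAsNonRoot")
            elif uid is None and not _effective(spec, c, "runAsNonRoot"):
                violations.append(f"{name}: set runAsUser to a non-zero UID or runAsNonRoot: true")
    # Volume types are checked against the allow-list unless it is '*'.
    if "*" not in psp["volumes"]:
        for v in spec.get("volumes", []):
            for vol_type in (k for k in v if k != "name"):
                if vol_type not in psp["volumes"]:
                    violations.append(f"volume {v.get('name')}: type {vol_type} not allowed")
    return violations


# The two cases from the demo, plus an explicit root UID and a privileged container.
POD_AS_UID_1000 = with_security_context(POD_DEFAULT, runAsUser=1000)
POD_AS_ROOT = with_security_context(POD_DEFAULT, runAsUser=0)
POD_PRIVILEGED = with_security_context(POD_DEFAULT, privileged=True, runAsUser=1000)

if __name__ == "__main__":
    cases = [("default", POD_DEFAULT), ("uid 1000", POD_AS_UID_1000),
             ("uid 0", POD_AS_ROOT), ("privileged", POD_PRIVILEGED)]
    for label, pod in cases:
        result = evaluate(PSP_SAMMY, pod)
        print(f"{label:>10}: {'admitted' if not result else 'denied -> ' + '; '.join(result)}")
```

The default busybox pod is denied because nothing in its manifest asserts a non-root identity, which is exactly why the demo's second manifest adds `runAsUser: 1000`; the model also shows that `runAsNonRoot: true` without a UID is accepted by the policy check and leaves the final decision to the runtime.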
Kube bench demo
For control plane components
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest master
For node configuration
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest node
===========================
Kube-hunter demo
============================
RBAC Demo
kubectl create serviceaccount saiyam
serviceaccount/saiyam created
kubectl get secrets
NAME TYPE DATA AGE
default-token-z6mhg kubernetes.io/service-account-token 3 121m
saiyam-token-pgpj7 kubernetes.io/service-account-token 3 21s
kubectl get secret <name> -oyaml
copy the token or
kubectl get secret $(kubectl get serviceaccount saiyam -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}'
go to the jwt.io website and paste the token to see its claims
kubectl run -it --rm demo --restart=Never --serviceaccount=saiyam --image=alpine -- sh
ls /var/run/secrets/kubernetes.io/serviceaccount/
cat /var/run/secrets/kubernetes.io/serviceaccount/token
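What jwt.io shows for the mounted token is just the base64url-decoded header and payload; it does not prove the token is genuine unless the API server's public key is supplied. The following is an added example (not from the gist) that does the same decoding offline, with a constructed sample token carrying the legacy service-account claims for the 'saiyam' account and a placeholder signature; the uid value and the kid are placeholders, not values from any cluster.

```python
# Added example (not from the gist): decode the header and claims of a
# service-account token the way jwt.io displays them. This does NOT verify
# the signature; the claims are only what the token asserts about itself.
# The sample token is constructed here with a placeholder signature.
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token(token: str):
    """Return (header, claims) from a JWS compact token without verifying it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def service_account_of(claims: dict) -> str:
    """Identity the API server attributes to a legacy secret-based SA token."""
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    return f"system:serviceaccount:{ns}:{name}"


# Constructed sample matching the 'saiyam' service account created in the notes.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "saiyam-token-pgpj7",
    "kubernetes.io/serviceaccount/service-account.name": "saiyam",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",  # placeholder
    "sub": "system:serviceaccount:default:saiyam",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder-key-id"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"placeholder-signature-not-valid"),  # not a real signature
])

if __name__ == "__main__":
    header, claims = decode_token(SAMPLE_TOKEN)
    print(json.dumps(header, indent=2))
    print(json.dumps(claims, indent=2))
    print("identity:", service_account_of(claims))
```

Note the absence of an `exp` claim: secret-based service-account tokens of this kind stay valid until the secret is deleted, which is one reason to grant such accounts only the narrow RBAC permissions shown in the next section.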
============
RBAC
kubectl get clusterrole
kubectl describe clusterrole view
kubectl create ns test
kubectl -n test create serviceaccount saiyam-account
kubectl -n test create role saiyam \
> --verb=get --verb=list --verb=create --resource=pods
kubectl -n test describe role saiyam
kubectl -n test create rolebinding sam --role=saiyam --serviceaccount=test:saiyam-account
kubectl -n test describe rolebinding/sam
kubectl auth can-i --as=system:serviceaccount:test:saiyam-account list pods
kubectl auth can-i --as=system:serviceaccount:default:saiyam delete pods
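The two `kubectl auth can-i` checks above follow directly from how RBAC resolves a request: find bindings in the request's namespace whose subjects include the caller, then look for a rule in the referenced role that lists the verb and resource; with no match the answer is no. The following is an added example (not from the gist, and not the API server's authorizer) that models that resolution for the Role and RoleBinding the demo creates in namespace `test`. It covers only namespaced Role/RoleBinding objects with ServiceAccount and User subjects; ClusterRoles, aggregation and group subjects are left out.

```python
# Added example (not from the gist): an offline model of the 'kubectl auth
# can-i' checks, evaluated against the Role and RoleBinding the demo creates.
# Only namespaced Role/RoleBinding with ServiceAccount or User subjects are
# modelled; ClusterRole, aggregated roles and Group subjects are omitted.

# Constructed objects mirroring 'kubectl -n test create role saiyam ...' and
# 'kubectl -n test create rolebinding sam ...'.
ROLE_SAIYAM = {
    "kind": "Role",
    "metadata": {"name": "saiyam", "namespace": "test"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "create"]}],
}
ROLEBINDING_SAM = {
    "kind": "RoleBinding",
    "metadata": {"name": "sam", "namespace": "test"},
    "roleRef": {"kind": "Role", "name": "saiyam"},
    "subjects": [{"kind": "ServiceAccount", "name": "saiyam-account",
                  "namespace": "test"}],
}


def subject_matches(subject: dict, user: str) -> bool:
    """Does a binding subject name this caller? Service accounts are users
    named system:serviceaccount:<namespace>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return user == subject["name"]
    return False  # Group subjects would need the caller's group list


def rule_allows(rule: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """A rule matches when apiGroup, resource and verb are each listed (or '*')."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", [""]), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Deny-by-default: True only if some binding in the namespace grants it."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for b in bindings:
        ns = b["metadata"]["namespace"]
        if ns != namespace or b["roleRef"]["kind"] != "Role":
            continue
        if not any(subject_matches(s, user) for s in b.get("subjects", [])):
            continue
        role = roles_by_key.get((ns, b["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, resource, api_group)
                        for r in role["rules"]):
            return True
    return False


# Constructed cluster state: just the objects the demo creates.
CLUSTER = {"roles": [ROLE_SAIYAM], "bindings": [ROLEBINDING_SAM]}


def check(user: str, verb: str, resource: str, namespace: str) -> bool:
    return can_i(user, verb, resource, namespace,
                 CLUSTER["roles"], CLUSTER["bindings"])


if __name__ == "__main__":
    queries = [
        ("system:serviceaccount:test:saiyam-account", "list", "pods", "test"),
        ("system:serviceaccount:test:saiyam-account", "delete", "pods", "test"),
        ("system:serviceaccount:test:saiyam-account", "list", "pods", "default"),
        ("system:serviceaccount:default:saiyam", "delete", "pods", "default"),
    ]
    for user, verb, resource, ns in queries:
        print(f"can {user} {verb} {resource} in {ns}? "
              f"{'yes' if check(user, verb, resource, ns) else 'no'}")
```

The third query makes the scoping explicit: the same service account that may list pods in `test` gets "no" in `default`, because a RoleBinding only grants within its own namespace; the `saiyam` account from the earlier section, which has no binding at all, is denied everything.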
============
================================
kube-hunter
================================
kubie
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.7/samples/bookinfo/platform/kube/bookinfo.yaml
Network policy - https://kubernetes.io/docs/concepts/services-networking/network-policies/
secrets - https://kubernetes.io/docs/concepts/configuration/secret/
Security Context - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
references:
https://sysdig.com/wp-content/uploads/2019/01/kubernetes-security-guide.pdf