Proper securing of containers, beams, and running loads at Kubernetes is challenging. However, it is a critical part of protecting the environment, as the consequences can be far-reaching.

Because containers and beams are individual units of account, they are often subjected to aggressive attacks on Kubernetes clusters. However, Kubernetes offers some key original features to protect your beams.

Pods are the smallest resource to be deployed and managed in Kubernetes. By monitoring security at this level, DevOps teams achieve more precise control over individual application components.

Kubernetes workloads have several different settings that have a direct or indirect impact on safety. As a result, their proper implementation requires considerable knowledge. In this scenario, one incorrect configuration can compromise the entire application. There comes a security context.

What are the context settings for Kubernetes security?

Kubernetes tools, such as security context settings, allow each container and pod to increase security and avoid potential security issues. The Kubernetes security context includes tools such as Open Policy Agent (OPA) gatekeeper and policies such as Pod security policies. However, attaching tanks and pods is not easy due to lack of information.

“Safety context” means, in principle, specific restrictions on access at a single pod level defined while driving. Such settings include a wide range of configurations, such as the following:

  • System level features
  • Container master file system complete (or not)
  • Run privileged (or not)
  • Access control based on UID and GID

Getting these settings and configurations correctly is the first step in strengthening your environment. As such, we must proceed cautiously in implementing each regulation.

Pod-level security context

The primary goal is to reduce risk by limiting the pod’s ability to be compromised in an attack. In the same way, we also try to limit the explosion radius of the attack that spreads beyond the set of containers.

As such, you can configure the settings for each pod in the security context field of the pod list. You can also take advantage of the pod security context object and save the relevant security attributes using the Kubernetes API.

The security context of the pod layer also results in the setting being used when installing on drives. If necessary, match the fsGroup specified in the security context.

Container level security context

You can also apply restrictions to containers that pass in a particular pod through a pod-level security context. If you do not want the same setting to be used for all containers in a particular pot, you can specify its container level through the security context.

 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80	

Example of an Nginx installation list without a SecurityContext option.

To achieve this, the container list must have a security context field. In this situation, the values ​​in the container.securityContext field would trump the values ​​in the PodSecurityContext field. This means that individual storage restrictions override the inconsistencies or overlaps assigned to the beams.

 
package magalix.advisor.podSecurity.securityContext
 
violation[result] {
  not controller_spec.securityContext
  result = {
    "issue detected": true,
    "msg": "The securityContext for your spec has not been set."
  }
}
 
violation[result] {
  containers := controller_spec.containers[_]
  not containers.securityContext
  result = {
    "issue detected": true,
    "msg": "The securityContext for your containers have not been set."
  }
}
# controller_container acts as an iterator to get containers from the template
controller_spec = input.spec.template.spec {
  contains_kind(input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"})
} else = input.spec {
  input.kind == "Pod"
} else = input.spec.jobTemplate.spec.template.spec {
  input.kind == "CronJob"
}
 
contains_kind(kind, kinds) {
  kinds[_] = kind
}	

REGO policy, which is inconsistent when testing the Nginx example above.

However, container security contexts never replace pod security contexts. This is because the pod protection context only applies to pod volumes.

Container vs. Pod settings

Kubernetes security context settings are configured in both the ContainerSpec and PodSpec APIs. In this scenario, the scope is marked [C] and this [P] markings. Whenever a setting is available and configured for both zones, tank settings always take precedence.

Security context settings are comprehensive, and some of the most popular are:

1- RunAsUser / RunAsGroup [P/C]

Often, we configure processes to act as a specific user and / or group container pictures. Sometimes these are ignored in the runAsUser and runAsGroup configuration settings. However, you cannot configure it in conjunction with volume fasteners with files that contain duplicate ownership IDs.

However, it is a bad idea to use such settings because there is a risk of making runtime decisions for the tank that are not compatible with the image of the original tank. Also, if you specify another user, it will still fail because the user does not exist in the original image file.

While it is undoubtedly a good idea not to run container processes as an administrator, this cannot be guaranteed with the runAsUser or runAsGroup settings. These settings can be removed later, but be sure to set runAsNonRoot to true.

2- Run AsNonRoot [P/C]

Although repositories use c-groups and namespaces to restrict some of their processes, one incorrect configuration in deployment settings allows access to host resources. If the process is run as an administrator, it has the same access to resources as the root account of the host.

If you use other containers or bars to minimize constraints, the presence of a root UID increases the risk of exploitation. So, unless there is a good reason to do so, never use a container as a root.

3- ProcMount [C]

In an attempt to avoid potential security issues, some parts of the proc file system are covered by containers at runtime by default. But sometimes access to these certain parts is required, especially when nested containers are part of the internal structure of the cluster.

In this scenario, you have two options. You can reveal and remove all overlays from the proc file system or go to the default settings with the runtime behavior of a regular container. Users of this type of marking need to know what they are doing and should only do so when handling nested containers.

Pod-Security Policy

Pod Security Policy (PSP) describes a cluster-level resource used to control pod behavior. This approach uses practice to say what it can and cannot do by defining pod-level standards. Use the access controller to enable PSPs or use the least number of permissions. Before you create a pod in namespace, you can check it with the Admission Controller.

The main difference here is that the PSP is a cluster-level resource that we implement before pod configurations come to be implemented on any controller. The security context is defined and configured at the container or pod level during execution.

Change the protection to the left and force the Policy-As-Code

DevOps teams can also add an extra level of security by integrating the policy-as-code feature. When you force security programmatically, you create developer-centric experiences during the deployment of cloud-based applications.

Utilizing automated operators, you can also constantly monitor archives for changes to the Kubernetes cluster or cloud infrastructure. The automatic update starts whenever a change is detected.

Shifting security to the left will help DevOps Teams normalize hybrid environments. It is an approach that allows DevOps teams to achieve exceptional levels of governance in all clusters from a single source of truth. It also helps maintain a solid security position while accelerating innovation.

At Magalix, we help DevOps Teams move security to the left and implement robust workflows and game books that ensure security and compliance.

LEAVE A REPLY

Please enter your comment!
Please enter your name here