12 Securing Kubernetes


This chapter covers

  • Keeping your cluster up to date and patched
  • Managing disruptions
  • Using DaemonSets to deploy node agents to every node
  • Running containers as the non-root user
  • Using admission controllers to validate and modify Kubernetes objects
  • Enforcing Pod Security Standards
  • Controlling namespace access with RBAC

So far, this book has focused on deploying different types of software into Kubernetes clusters. In this last chapter, I’ll cover some key topics when it comes to keeping everything secure. Security is a huge area in general, and Kubernetes is no exception. If you deploy code to a Kubernetes cluster managed by another team, then lucky you—you may not need to worry about some of these topics. For developers who are also responsible for operations or are cluster operators themselves, securing and updating the cluster is a key responsibility.

In addition to keeping your cluster up to date, handling disruption, deploying node agents, and building non-root containers, this chapter takes you through the process of creating a dedicated namespace for a team of developers and how access can be granted specifically to that namespace. This is a pretty common pattern I’ve observed in companies where several teams share clusters.


12.1 Staying up to date


Kubernetes has a large surface area. There's the Linux kernel and the Kubernetes software running on the control plane and your nodes. Then, there are your own containers and all their dependencies, including the base image. All this means there's a lot to keep up to date and protected against vulnerabilities.

12.1.1 Cluster and node updates

One critical task for a Kubernetes operator is to ensure that your cluster and nodes are up to date. This helps mitigate known vulnerabilities in Kubernetes and in the operating system that runs on your nodes.

Unlike most of the topics discussed in this book so far, the updating of clusters and nodes is actually not part of the Kubernetes API. It sits at the platform level, so you'll need to consult the docs for your Kubernetes platform. Fortunately, if you're using a managed platform, this should be straightforward. If you're running Kubernetes the hard way via a manual installation on VMs (which I don't recommend), these updates will be a significant burden, as you are now the one offering the Kubernetes platform.

12.1.2 Updating containers

Keeping the Kubernetes cluster up to date isn't the only updating you'll need to do. Security vulnerabilities are often found in the components of base images like Ubuntu. As your containerized application is built on these base images, it can inherit vulnerabilities that exist in them.

The solution is to rebuild and update your containers regularly, especially if any vulnerabilities are found in the base images you use. Many developers and enterprises employ vulnerability scanners (often known as CVE scanners, after the Common Vulnerabilities and Exposures system where known vulnerabilities are documented) to look through built containers to see whether any reported vulnerabilities exist in them, in order to prioritize rebuilds and rollouts.

When updating your containers, be sure to reference the base image that contains the latest fixes. Typically, this can be achieved by specifying only the minor version of the base image you're using rather than a specific patch version, so each rebuild picks up the newest patch release. You can use the latest tag to achieve this, but then you might get unwanted feature changes along with the fixes.

For example, take the Python base image. For any given version of Python (say, v3.10.2), you have a bunch of different options: 3.10.2-bullseye, 3.10-bullseye, 3-bullseye, and bullseye (bullseye refers to the version of Debian it uses). You can also use latest. For images that follow semantic versioning (semver) principles, I would typically recommend going with the major.minor version: in this example, 3.10-bullseye. This allows you to get patches to v3.10 automatically while avoiding breaking changes. The downside is that you need to pay attention to when support drops for 3.10 and migrate. Going with the major version instead (i.e., 3-bullseye in this example) would give you longer support but with slightly more risk of breakage. In theory, with semver, you should be safe to use the major version as changes should be backward-compatible, but in practice, I find it safer to go with the minor version. Using latest, while great from a security perspective, is typically not recommended due to the extremely high risk of breakage from backward-incompatible changes.

Whichever way you configure your Dockerfile, the key principles are to rebuild often (and pass --pull to docker build so the build actually fetches the newest image behind the tag rather than reusing a stale local copy), to reference base images that are up to date, to roll out the updates to your workloads frequently, and to employ CVE scanning to look for containers that are out of date. A further mitigation to reduce potential vulnerabilities in application containers is to build extremely lightweight containers that include only the absolute minimum needed to run your application and its dependencies. Using a typical base image like Ubuntu includes a package manager and various software packages, which make life easy but also increase the vulnerability surface area. The less code there is in your container from other sources, the less you'll need to update it due to vulnerabilities found in that code and the fewer bugs you can potentially be exposed to.

The Dockerfile in section 2.1.8 on multistage builds employed this principle by using one container to build your code and another to run the code. To reduce the potential attack surface, the key is to pick the slimmest possible runtime base image for the second stage of the container build. Google has an open source project, distroless, to assist with providing super-lightweight runtime containers: images with no shell and no package manager, just the runtime and its libraries. The following listing provides the distroless project's example of building a Java container, referencing the Google-provided distroless image in the second stage.

Listing 12.1 https://github.com/GoogleContainerTools/distroless/tree/main/examples/java/Dockerfile
# Build stage: a full JDK, discarded once the jar is built
FROM openjdk:11-jdk-slim-bullseye AS build-env
COPY . /app/examples
WORKDIR /app
RUN javac examples/*.java
RUN jar cfe main.jar examples.HelloJava examples/*.class

# Runtime stage: distroless JRE only, with no shell or package manager to exploit
FROM gcr.io/distroless/java11-debian11
COPY --from=build-env /app /app
WORKDIR /app
CMD ["main.jar"]

12.1.3 Handling disruptions

With all this updating, you might be wondering what happens to your running workloads. It's inevitable that as you update, Pods will be deleted and re-created. This can obviously be very disruptive to the workloads running in those Pods, but fortunately, Kubernetes has a number of ways to reduce this disruption and potentially eliminate any ill effects.

Readiness checks

First, if you've not set up readiness checks (as we did in chapter 4), now is the time to go back and do that, as it's absolutely critical. Kubernetes relies on your container reporting when it's ready, and if you don't do that, it will assume it's ready the moment the process starts running, which is likely before your application has finished initializing and is actually ready to serve production traffic. The more your Pods are moved around, such as during updates, the more requests will error out by hitting Pods that are not ready unless you implement proper readiness checks.

Signal handling and graceful termination

Just as readiness checks are used to determine when your application is ready to start, graceful termination is used by Kubernetes to know when your application is ready to stop. In the case of a Job, which may have a process that takes a while to complete, you may not want to simply terminate that process if it can be avoided. Even web applications with short-lived requests can suffer from abrupt termination that causes requests to fail.

To prevent these problems, it's important to handle SIGTERM events in your application code to start the shutdown process, and to set a graceful termination window (configured with terminationGracePeriodSeconds) long enough to complete the termination. Web applications should handle SIGTERM to shut down the server once all current requests are completed, and batch jobs would ideally wrap up any work they are doing and not start any new tasks. One check worth making: the signal is delivered to PID 1 of the container, so if your Dockerfile uses the shell form (CMD python3 server.py), PID 1 is a shell that does not forward SIGTERM to your program, and the process will simply be killed when the grace period expires. Use the exec form (CMD ["python3", "server.py"]) so your application is PID 1 and receives the signal.

In some cases, you may have a Job performing a long-running task that, if interrupted, would lose its progress. In these cases, you might set a very long graceful termination window whereby the application accepts the SIGTERM but simply continues on as before to attempt to finish the current task. Managed platforms may have a limit on how long the graceful termination window can be for system-originated disruption.

Section 10.1.2 has examples of SIGTERM handling and terminationGracePeriodSeconds configuration in the context of Jobs. The same principles apply to other workload types.
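As an added example (not code from the book or its sample app), the following puts the readiness check and the SIGTERM handling above together in the same style as the book's Python timeserver. On SIGTERM it first fails the readiness probe, so Kubernetes stops routing new requests to the Pod, then stops accepting connections and waits for in-flight requests to finish. The /healthz path, port 8080, and the drain_demo helper are assumptions made for this example.

```python
import signal
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class GracefulServer(ThreadingHTTPServer):
    """Serves /healthz for the readiness probe and drains cleanly on SIGTERM."""

    daemon_threads = False  # track request threads so server_close() can join them

    def __init__(self, address, handler):
        super().__init__(address, handler)
        self.ready = True

    def mark_not_ready(self):
        # First thing on SIGTERM: fail the readiness probe so Kubernetes pulls
        # this Pod out of the Service endpoints and stops sending new requests.
        self.ready = False

    def begin_shutdown(self):
        self.mark_not_ready()
        # shutdown() blocks until serve_forever() exits and must not be called
        # from the serving thread itself, so run it from a helper thread.
        threading.Thread(target=self.shutdown, daemon=True).start()


class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = 200
        if self.path == "/healthz" and not self.server.ready:
            status = 503  # probe fails while draining
        body = b"ok" if status == 200 else b"draining"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def install_sigterm_handler(server):
    """SIGTERM is what the kubelet sends at the start of the grace period."""
    signal.signal(signal.SIGTERM, lambda signum, frame: server.begin_shutdown())


def serve_until_sigterm(address=("", 8080)):
    server = GracefulServer(address, RequestHandler)
    install_sigterm_handler(server)
    server.serve_forever()   # returns once begin_shutdown() has run
    server.server_close()    # joins in-flight request threads before the process exits
    return server


def _get_status(url):
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def drain_demo():
    """Exercise the drain sequence on an ephemeral port without a real signal.

    Returns (probe status while ready, probe status after SIGTERM handling
    began, whether the serving thread is still alive after the drain).
    """
    server = GracefulServer(("127.0.0.1", 0), RequestHandler)
    port = server.server_address[1]
    serving = threading.Thread(target=server.serve_forever)
    serving.start()
    before = _get_status(f"http://127.0.0.1:{port}/healthz")
    server.mark_not_ready()                  # what the SIGTERM handler does first
    during = _get_status(f"http://127.0.0.1:{port}/healthz")
    server.begin_shutdown()                  # then stop the accept loop
    serving.join(timeout=10)
    server.server_close()
    return before, during, serving.is_alive()


if __name__ == "__main__":
    serve_until_sigterm()
```

Pair this with a readinessProbe on /healthz and a terminationGracePeriodSeconds larger than your slowest request. Endpoint removal propagates asynchronously, so a few requests can still arrive after SIGTERM; that is why the readiness flag flips before the listener closes, and why a short sleep in a preStop hook is a common addition.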

Rolling updates

When you update the containers in a Deployment or a StatefulSet (e.g., to update the base image), the rollout is governed by your rollout strategy. Rolling update, covered in chapter 4, is the recommended strategy to minimize disruption when updating workloads: it updates Pods in batches while keeping the application available. For Deployments, be sure to configure the maxSurge parameter, which performs the rollout by temporarily increasing the Pod replica count, which is safer for availability than reducing it.

Pod Disruption Budgets

When nodes are updated, the process does not go through the same rollout process as updates to Deployments. Here's how it works. First, the node is cordoned to prevent new Pods from being scheduled on it. Then the node is drained, whereby Pods are deleted from this node and re-created on another node. By default, Kubernetes will delete all Pods at once from the node and (in the case of Pods managed by a workload resource such as a Deployment) schedule them to be created elsewhere. Note that it does not first schedule them to be created elsewhere and then delete them. If multiple replicas of a single Deployment are running on the same node, this can cause unavailability when they are evicted at the same time, as shown in figure 12.1.

Figure 12.1 Node deletion without Pod disruption budgets. All the Pods on the node will become unavailable at once.

To solve the problem where draining a node that contains multiple Pods from the same Deployment may reduce the availability of your Deployment (meaning too few running replicas), Kubernetes has a feature called Pod Disruption Budgets (PDBs). PDBs allow you to inform Kubernetes how many or what percentage of your Pods you are willing to have unavailable while your workload still functions as you designed it.

Listing 12.2 Chapter12/12.1_PDB/pdb.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: timeserver-pdb
spec:
  maxUnavailable: 1          #1
  selector:                  #2
    matchLabels:             #2
      pod: timeserver-pod    #2

Deploying this PDB into your cluster will ensure that at no time during voluntary disruptions will more than one of your Pods be unavailable, as illustrated in figure 12.2. An alternative configuration uses minAvailable to set how many replicas you need. I prefer maxUnavailable, as it works better with scaling. If you use minAvailable, you may need to scale that value along with your replica count to retain the desired minimum availability, which is just extra work.

Figure 12.2 With a PDB, Kubernetes will wait for the required number of Pods in a Deployment to be available before deleting others, reducing the disruption.
Note

The PDB protects against voluntary evictions, such as during node upgrades, but not every possible case of disruption, such as a node failing abruptly.

The process of handling disruptions with a PDB is somewhat similar to how a rolling update avoids taking out too many Pods at the same time. To ensure your application stays available during updates that you initiate and disruptions that are initiated by cluster updates, you'll need to have both the rolling update and the PDB configured.
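To make the maxUnavailable versus minAvailable trade-off concrete, here is an added example (my own code, not the book's) that reproduces the PDB controller's arithmetic as I read it: each form resolves to a floor of healthy Pods, percentages round up, and the number of evictions allowed is the healthy Pods above that floor. Treat the exact rounding as an assumption and verify it against the ALLOWED DISRUPTIONS column of kubectl get pdb in your own cluster.

```python
import math


def scaled_value(value, expected_count):
    """Resolve a PDB int-or-percent field the way the controller does.

    Percentages round up (so '25%' of 10 is 3, not 2); plain ints pass through.
    """
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(int(value[:-1]) * expected_count / 100)
    return int(value)


def disruptions_allowed(pdb_spec, expected_count, current_healthy):
    """How many Pods a voluntary eviction (e.g. a node drain) may take right now.

    Both forms reduce to a 'desired healthy' floor; the budget is the healthy
    Pods above that floor, never negative. A Pod that is already unhealthy
    eats into the budget before any drain starts.
    """
    if "maxUnavailable" in pdb_spec:
        floor = expected_count - scaled_value(pdb_spec["maxUnavailable"], expected_count)
        floor = max(floor, 0)
    elif "minAvailable" in pdb_spec:
        floor = scaled_value(pdb_spec["minAvailable"], expected_count)
    else:
        raise ValueError("a PodDisruptionBudget needs maxUnavailable or minAvailable")
    return max(0, current_healthy - floor)


def scaling_table(pdb_spec, replica_counts):
    """Budget at each replica count, assuming every replica is healthy."""
    return {n: disruptions_allowed(pdb_spec, n, n) for n in replica_counts}


if __name__ == "__main__":
    counts = [3, 5, 10]
    # maxUnavailable: 1 keeps meaning 'one at a time' as the Deployment scales.
    print("maxUnavailable: 1  ", scaling_table({"maxUnavailable": 1}, counts))
    # minAvailable: 2 becomes very permissive at 10 replicas (8 may go at once).
    print("minAvailable: 2    ", scaling_table({"minAvailable": 2}, counts))
    print("maxUnavailable: 25%", scaling_table({"maxUnavailable": "25%"}, counts))
    # One replica already down consumes the whole budget.
    print("already degraded   ", disruptions_allowed({"maxUnavailable": 1}, 3, 2))
```

Two caveats fall out of the arithmetic: a PDB with maxUnavailable: 0 (or minAvailable equal to the replica count) never allows an eviction and will stall a node drain until someone intervenes, and a single crashing replica already consumes a maxUnavailable: 1 budget, so upgrades of an unhealthy Deployment block until it recovers.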


12.2 Deploying node agents with DaemonSet

This book has covered a bunch of higher-order workload constructs that encapsulate Pods with particular objectives, like Deployment for application deployments, StatefulSet for database deployments, and CronJob for periodic tasks. DaemonSet is another workload type, one that allows you to run a Pod on every node.

When would you need that? It's almost entirely for cluster operational reasons, like logging, monitoring, and security. As an application developer, DaemonSet is generally not your go-to workload construct. Due to the ability to expose services internally on a cluster IP, any Pod in your cluster can talk to any service you create, so you don't need to run services on every node just to make them available within the cluster. And if you need to be able to connect to a service on localhost, you can do that virtually with a Service of type NodePort. DaemonSets are generally for when you need to perform operations at a node level, like reading logs or observing performance, putting them squarely in the system administration domain.

DaemonSets are typically how logging, monitoring, and security vendors deploy their software. This software performs actions like reading logs off the node and uploading them to a central logging solution, querying the kubelet API for performance metrics (like how many Pods are running, their boot times, and so forth), and, for security, monitoring container and host behavior. These are all examples of Pods that need to be on every node to gather the data they need for the product to function.

The typical cluster will have a few DaemonSets running in kube-system, such as the following abridged list from a GKE cluster, which provides functionality like logging, monitoring, and cluster DNS:

$ kubectl get daemonset -n kube-system
NAMESPACE     NAME                         
kube-system   filestore-node               
kube-system   fluentbit-gke                
kube-system   gke-metadata-server          
kube-system   gke-metrics-agent            
kube-system   kube-proxy                   
kube-system   metadata-proxy-v0.1          
kube-system   netd                         
kube-system   node-local-dns               
kube-system   pdcsi-node                   

Typically, application developers will not be creating DaemonSets directly but rather will be using off-the-shelf ones from vendors. By way of example, though, the following listing is a simple DaemonSet that reads logs from the node into standard output (stdout).

Listing 12.3 Chapter12/12.2_DaemonSet/logreader.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: logreader
spec:
  selector:
    matchLabels:
      pod: logreader-pod
  template:
    metadata:
      labels:
        pod: logreader-pod           # must match spec.selector, or the API server rejects the DaemonSet
    spec:
      containers:
      - image: ubuntu
        command:                     # tail the node's kube-system container logs to stdout
        - bash
        - "-c"
        - |
          tail -f /var/log/containers/*_kube-system_*.log
        name: logreader-container
        resources:
          requests:                  # keep node agents small; they run on every node
            cpu: 50m
            memory: 100Mi
            ephemeral-storage: 100Mi
        volumeMounts:
        - name: logpath
          mountPath: /var/log
          readOnly: true             # the node's logs are mounted read-only
      volumes:
      - hostPath:                    # hostPath exposes the node's filesystem; scope it as narrowly as possible
          path: /var/log
        name: logpath

To create the DaemonSet, use

$ kubectl create -f Chapter12/12.2_DaemonSet/logreader.yaml
daemonset.apps/logreader created

Once the Pods are ready, we can stream the logs:

$ kubectl get pods
NAME              READY   STATUS    RESTARTS   AGE
logreader-2nbt4   1/1     Running   0          4m14s

$ kubectl logs -f logreader-2nbt4 --tail 10
==> /var/log/containers/filestore-node_kube-system_gcp-filestore-1b5.log <==
lock is held by gk3-autopilot-cluster-2sc2_e4337a2e and has not yet expired

In practice, you will most likely encounter DaemonSets when deploying logging, monitoring, and security solutions.


12.3 Pod security context

The PodSpec has a securityContext property where the security attributes of the Pod and its containers are defined. If your Pod needs to perform some kind of administrative function (e.g., perhaps it's part of a DaemonSet that is doing a node-level operation), this is where you would define the various privileges it needs. For example, the following is a Pod in a DaemonSet that requests privileged access to the node:

Listing 12.4 Chapter12/12.3_PodSecurityContext/admin-ds.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: admin-workload
spec:
  selector:
    matchLabels:
      name: admin-app
  template:
    metadata:
      labels:
        name: admin-app
    spec:
      containers:
      - name: admin-container
        image: ubuntu
        command: ["sleep", "infinity"]
        securityContext:
          privileged: true

With this access, the Pod effectively has root on the node and can, for example, mount the node's host filesystem into the container, as follows:

$ kubectl exec -it admin-workload-px6xg -- bash
root@admin-workload-px6xg:/# df
Filesystem    1K-blocks    Used      Available   Use%   Mounted on
overlay       98831908     4652848   94162676    5%     /
tmpfs         65536        0         65536       0%     /dev
/dev/sda1     98831908     4652848   94162676    5%     /etc/hosts
shm           65536        0         65536       0%     /dev/shm
root@admin-workload-px6xg:/# mkdir /tmp/host
root@admin-workload-px6xg:/# mount /dev/sda1 /tmp/host
root@admin-workload-px6xg:/# cd /tmp/host
root@admin-workload-px6xg:/tmp/host# ls
dev_image  etc  home  lost+found  var  var_overlay  vmlinuz_hd.vblock
root@admin-workload-px6xg:/tmp/host#

If you attempt the same on a container without privileged: true, the mount will fail.

As the developer of a regular application that runs on Kubernetes, you will more likely be using the securityContext properties to limit what your Pod can do, in order to reduce risk. Contrasting the previous example, the following is the PodSpec for a Pod with locked-down privileges that runs as a non-root user and cannot elevate its privileges.

Listing 12.5 Chapter12/12.3_PodSecurityContext/pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    pod: ubuntu-pod
spec:
  containers:
  - name: ubuntu-container
    image: ubuntu
    command: ["sleep", "infinity"]
    securityContext:
      runAsNonRoot: true
      runAsUser: 1001
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL

By default, any Pod is free to request whatever capabilities it wants, even root access on the node (unless your Kubernetes platform restricts this, as some nodeless platforms do). As the cluster operator, this may be something you want to restrict, as it basically means that anyone with kubectl access to the cluster has root privileges on its nodes. Furthermore, there are some other recommended principles for hardening clusters, like not running containers as the root user (which is distinct from having root on the node), something that is enforced by the runAsNonRoot: true configuration in the prior example.

The following sections cover these topics, starting with how to build containers so they don't need to run as the root user, and then how, as a cluster administrator, you can force users of the cluster to adopt this and other desired security settings.


12.4 Non-root containers

One common security recommendation when deploying containers is to run them as a non-root user. The reason for this is that, despite all the fancy packaging, Linux containers are basically just processes that run on the host with sandboxing technology applied (like Linux cgroups and namespaces). If your container is built to run as the root user, which is the default, it actually runs as root on the node, just sandboxed. Container sandboxing means that the process doesn't have the power of root access, but it's still running under the root user. The problem with this is that while the sandboxing prevents the process from having root access, if there is ever a "container escape" vulnerability due to bugs in the underlying Linux containerization technology, the sandboxed container process can gain the same privileges as the user it's running as. That means if the container is running as root, a container escape would give full root access on the node, which is not so good.

Since Docker runs all processes as root by default, this means that any container escape vulnerability can present a problem. While such vulnerabilities are fairly rare, they do occur, and under the security principle known as defense in depth, it's best to protect against them. Defense in depth means that even though container isolation offers protection of the host in the event your application is breached, ideally, you would have further layers of defense in case that protection is breached. In this case, defense in depth means running your containers as a non-root user, so in the event an attacker can breach your container and take advantage of a container escape vulnerability in Linux, they still wouldn't end up with elevated privileges on the node. They would need to string together yet another vulnerability to elevate their privileges, making for three layers of defense (your application, Linux containerization, and Linux user privileges).

NOTE

You may be wondering: if it's the best practice not to run container processes as root, why then does Docker default to the root user when building containers? The answer is developer convenience. It's convenient to act as the root user in a container, as you can use privileged ports (those with numbers below 1024, like the default HTTP port 80), and you don't have to deal with any folder permission problems. As you'll see later in this section, building and running containers with a non-root user can introduce some errors that need to be worked through. If you adopt this principle from the start, however, you may not find it so difficult to fix these problems as they arise, and the payoff is adding one more layer of defense to your system.

Preventing containers from running as the root user is simple in Kubernetes, although the problem (as we'll see shortly) is that not all containers are designed to run this way and may fail. You can configure your Pods in Kubernetes to prevent them from running as the root user. So, to achieve the goal of not running as root, the first step is to simply add this setting! If you're configuring a Kubernetes cluster for a wider team, or you're a member of a team using such a configured cluster, a Kubernetes admission controller can be used to automatically add this setting to every Pod (see section 12.5.1). The end result is the same, so for this demo, we'll just add it manually. The following Deployment enforces the best practice that prevents containers from running as root.

Listing 12.6 Chapter12/12.4_NonRootContainers/1_permission_error/deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: timeserver
spec:
  replicas: 1
  selector:
    matchLabels:
      pod: timeserver-pod
  template:
    metadata:
      labels:
        pod: timeserver-pod
    spec:
      containers:
      - name: timeserver-container
        image: docker.io/wdenniss/timeserver:6
        securityContext:         #1
          runAsNonRoot: true     #1
#1 Prevent running this container as the root user.

Unfortunately, we're not done, because the container itself doesn't configure a non-root user to run as. If you try to create this Deployment, Kubernetes will enforce the securityContext and won't let the container run as root. The following is the truncated output you'll see if you try to create this Deployment.

$ kubectl get pods         
NAME                            READY  STATUS                       RESTARTS
timeserver-pod-fd574695c-5t92p  0/1    CreateContainerConfigError   0       
 
$ kubectl describe pod timeserver-pod-fd574695c-5t92p
Name:         timeserver-pod-fd574695c-5t92p
Events:
  Type     Reason     Age                From     Message
  ----     ------     ----               ----     -------
  Warning  Failed     10s (x3 over 23s)  kubelet  Error: container has 
  runAsNonRoot and image will run as root

To resolve this problem, you need to configure the user that the Pod will run as. Root is always user 0, so we just need to set any other user number; I'm going to pick user 1001. This can either be declared in the Dockerfile with USER 1001 or in the Kubernetes configuration with runAsUser: 1001. When both are present, the Kubernetes configuration takes priority, similar to how the command parameter in a Kubernetes PodSpec overrides CMD if present in the Dockerfile. Here's the Dockerfile option:

FROM python:3
COPY . /app
WORKDIR /app
RUN mkdir logs
CMD python3 server.py
USER 1001

Or, you can specify it in the PodSpec by adding an additional field to the security context section:

Listing 12.7 Chapter12/12.4_NonRootContainers/1_permission_error/deploy-runas.yaml
# ... 
securityContext:
  runAsNonRoot: true
  runAsUser: 1001

Both approaches work, but what I recommend is to configure it on the Kubernetes side, as this is better for keeping your development and production environments separate. If you specify the run-as user in the Dockerfile and want to run your container locally outside of Kubernetes and try to mount a volume, you'll hit a snag, like Docker issue #2259, which prevents you from mounting a volume as a user other than root, a 7+-year-old problem. Since the original security concern about not running containers as root is only related to production, why not relegate this whole "run as non-root" concern to production as well? Fortunately, it's easy to let your container run as root in Docker locally for maximum convenience and as non-root in production in Kubernetes for better defense in depth.

Specifying runAsUser: 1001 is enough to run our container as non-root. Provided that the container is capable of running as non-root, your job is done. Most public, well-known containers should be designed to run as non-root, but this likely isn't the case for your own containers.

In the case of our example container, it wasn't designed to run as non-root and will need to be fixed. Two major differences when running the container as non-root are that you can't listen on privileged ports (i.e., those between 1 and 1023), and you can't write to files and directories that were created as root in the image (which, by default, is all of them), so by default you can't write any files! This is a problem for version 6 of the Timeserver sample app (Chapter12/timeserver6/server.py), which listens on port 80 and writes a log file to /app/logs.

Updating containers to run as non-root

If you deploy the revised Deployment from listing 12.7 with runAsUser specified, you will see that there is no CreateContainerConfigError when it is deployed, but the container itself is crashing. When your container starts crashing after you change the user it runs as to non-root, it's probably a permission error related to that change. Before you start debugging the non-root user errors, be sure your container runs fine as root; otherwise, the problem could be something completely unrelated.

The steps to debug permission problems for containers running as non-root will vary, but let's walk through how to find and fix these two common errors with our example app. The following are the output and truncated logs that I see for this crashing container:

$ kubectl get pods
NAME                               READY   STATUS             RESTARTS      AGE
timeserver-demo-774c7f5ff9-fq94k   0/1     CrashLoopBackOff   5 (47s ago)   4m4s
 
$ kubectl logs timeserver-demo-76ddf6d5c-7s9zc
Traceback (most recent call last):
  File "/app/server.py", line 23, in <module>
    startServer()
  File "/app/server.py", line 17, in startServer
    server = ThreadingHTTPServer(('',80), RequestHandler)
  File "/usr/local/lib/python3.9/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/local/lib/python3.9/http/server.py", line 138, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/local/lib/python3.9/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
PermissionError: [Errno 13] Permission denied

Fortunately, the port problem in Kubernetes is an easy fix without any end-user effect. We can change the port that the container uses while keeping the standard port 80 on the load balancer. First, let's update the port used by the container.

Listing 12.8 Chapter12/timeserver7/server.py
# ...
 
def startServer():
    try:
        server = ThreadingHTTPServer(('',8080), RequestHandler)
        print("Listening on " + ":".join(map(str, server.server_address)))
        server.serve_forever()
    except KeyboardInterrupt:
        server.shutdown()
 
if __name__== "__main__":
    startServer()

If we're changing ports in the application, we'll need to update our Kubernetes Service configuration to match the new port by updating the targetPort. Fortunately, we don't need to change the external port of the Service, as the Service networking glue is provided by Kubernetes and doesn't run as a particular user, so it can use ports below 1024.

Listing 12.9 Chapter12/12.4_NonRootContainers/2_fixed/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: timeserver
spec:
  selector:
    pod: timeserver-pod
  ports:
  - port: 80
    targetPort: 8080     #1
    protocol: TCP
  type: LoadBalancer
#1 Targets the new container port

Once the socket problem is fixed and we rerun the application, another error will be encountered when the app attempts to write to the log file on disk. This error doesn't stop the app from starting but is encountered when a request is made. Looking at those logs, I see

$ kubectl logs timeserver-demo-5fd5f6c7f9-cxzrb
10.22.0.129 - - [24/Mar/2022 02:10:43] "GET / HTTP/1.1" 200 -
Exception occurred during processing of request from ('10.22.0.129', 41702)
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/socketserver.py", line 683, in
    process_request_thread
    self.finish_request(request, client_address)
  File "/usr/local/lib/python3.10/socketserver.py", line 360, in
    finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/local/lib/python3.10/socketserver.py", line 747, in
    __init__
    self.handle()
  File "/usr/local/lib/python3.10/http/server.py", line 425, in
    handle
    self.handle_one_request()
  File "/usr/local/lib/python3.10/http/server.py", line 413, in
    handle_one_request
    method()
  File "/app/server.py", line 11, in do_GET
    with open("logs/log.txt", "a") as myfile:
PermissionError: [Errno 13] Permission denied: 'logs/log.txt'

If you see a permission denied error when writing a file while running as non-root, it's a clear sign that your folder permissions have not been set up correctly for non-root users.

The simplest way to solve this is to set the group permissions on the folder in question. I like using the group permissions, as we can use the same group (i.e., group 0) for running locally using Docker and deploying in production to Kubernetes without environment-specific changes in the Dockerfile. This works because a container started with runAsUser but no runAsGroup keeps the image's default primary group, which is 0 for an image without a USER directive; if you do set runAsGroup, the group you chgrp to must match it. Let's update the Dockerfile to give write access to group 0.

Listing 12.10 Chapter12/timeserver7/Dockerfile
FROM python:3.12
ENV PYTHONUNBUFFERED 1
COPY . /app
WORKDIR /app
RUN mkdir logs
RUN chgrp -R 0 logs \        #1
    && chmod -R g+rwX logs   #1
CMD python3 server.py
#1 Updates the permissions on the logs folder

Jl hvg nrzw rv nqt xry ntcienaor jn Gecrok ycollla ginsu z nnx-vter tqvc vr rcro jr bfeero pidynleog vr Gnbetsreue, ehh scn zvr rxd xtcd sr uimtern: docker run --user 1001:0 $CONTAINER_NAME.

Sv erteh vw ykez rj—gvt erviesd teanrcoin (plsubhide sc noervis 7) wnk tbzn pliyahp cs ruk xnn-xetr dckt. Kploey rku cagointouifrn jn Tpaerth12/12.4_GnxYereYe/nnitraos 2i_dfxe vr kax jr nrnugin. Jl qkq wsrn rv xck ffz rpv hgscean kmyc rx eabenl qvr atcrineon nps arinnougitocf vr rotaepe sz xnn-rkvt, jhll rvg oeefrb zun erfat:

cd Chapter12
diff -u timeserver6 timeserver7
diff -u 12.4_NonRootContainers/1_permission_error \
       12.4_NonRootContainers/2_fixed

12.5 Admission controllers

Jn kur psruevoi cesnoti, wv daded runAsNonRoot vr vgt Egv kr eerptvn jr lmvt ktkk unngnir cz rkkt, hgr wv jbu rj ymuaalln. Jl ryaj jc s esntgit wv wsnr ltx ffc Pods, aydliel, kw’g yo pxcf xr gufinoerc rgx ulstecr kr rtejce pnz Vyv htitouw rjad ognrtunicafio xt oonv riay chq rj cutyaiaotmlal.

Xpzj jz ewrhe nissamdio osotneclrrl vvam nj. Rnsoiidsm nlsrrcotoel toz uzrj xl kosh rqrs tzk eedctuxe joc hwooebks pnwk vbg ectare nc ejtcbo, jxof bjrw kubectl create (urfgie 12.3). Rvktu svt wre tyesp: vgtldaniai cnb nitumtga. Egnldiitaa nsosidami ekwhboos asn pecact xt trjece gvr Deetebunrs ecbjto—etl mlaxeep, ercnjteig Pods ihtwotu runAsNonRoot. Watgniut iasnsiomd hkeobsow ans gaench oyr beotjc za jr socem jn—lvt aexeplm, gttnsei runAsNonRoot kr true.

Figure 12.3 The admission process of a Pod that gets scheduled

Bkq znz weirt txqg enw dsnoaimsi lrercnoslto rx nmemepitl yro aorevbih dvy eidres, dur nndidgeep xn wyrc dqk’tx npihog xr eehavic, yqv zdm xnr uxxn er. Ubretenuse phsis rjuw sn iiadnossm rclnolotre dvr kl gvr pov, nzq troseh mps xh biaevalla zz mmcacrelio et bvon orcues eyledpomtns.

12.5.1 Pod Security admission

Mritngi ionsdmias cotelslornr jz vn fwoz nj rkq yvst. Beg nkbk rk foceunrgi rieicettafcs, dlbiu ns taoinpipcal crrb znz yx vrz yh cs kowobhe zrrd cmosfrno rk dro eetno/qesssreurp BLJ xl Unutebeesr shn ceky s eltpevmndoe csospre rk vxvh rj bb xr uroz as Gbnesutree anhegsc, iwhhc jr bakx ilyrfa nfeurqytle. Xuv uykv wnax jc dzrr rame poeslrevde ykn’r nxxg rx etriw treih nwe isoadmsni lontesrrolc. Tpe’ff ylipatycl vay ehtso tlvm ihrtd-tseripa tk dludcein nj Gueebtsnre.

Geuesterbn ecnidlsu iodsmains orelrcslont uzrr zzn renocef ytrusiec escoiilp ojfe ieqrgniur runAsNonRoot. Ljttx vr Geeresubtn e1.25, LvgSyecuirtZicyol dvseer dzrj psuorpe qpr eenrv lxrf osry nqz aws reomved. Snkzj Duebneerts k1.25, Fge Setyruci osidsmina aj vrq eormdendmec wzp er ernfoce ciuserty spoeilci jxc ns saodsmnii rcoenllotr. Ceq nzz knxv lodype jr nmyualla njrk clusters ninugrn ns lredo ensovir le Ntrneeusbe tk eerwh kdr taefreu sznw’r aenedlb qh orq mftrapol oeaporrt.

Pod Security Standards

Axd Fqk Striyceu Satdnsrda edifen4 teerh usyrctie lpcoyi slvele rrsy alpyp cr c asmepcnae llvee:

  • Privileged— Pods zbxo nirsetcdteru ianmevitdraist sccsea spn ssn hcnj vktr asscce rx nodes.
  • Baseline— Pods ontanc eeeltva slvirepieg xr jysn sinivttamaidre ssaecc.
  • Restricted—Lfrnscoe rnecutr ycor ceprsaict tkl hniandrge (j.x., edfseen nj pedht), idnadg niildadaot yrslea kl itnrcopoet ktke bvr ilaesnbe iprlfeo, nidnicgul rscniegitrt ninngur za xyr vxrt xytc.

Ycallyias, privileged ulsodh dfkn px rdntgea vlt ysemts aslokwodr; baseline rfefos z gyxe lbceaan kl suyctier ngc ptatiliymobci; usn restricted esrffo andoiltdai nseefde jn dhetp zr c zzrk el xmxc opiattmliicyb, dzyz as edeginn re srnuee fsf niorcentsa zzn tnq za nen-vrxt, txq insocet 12.4.

Creating a namespace with Pod Security

Jn eniepgk wurj rop running elxepam lk cgrj eaphctr nsq rv lemimptne orp rzme seecur olrefpi, rkf’c etarce c npceasmae rwjb rdx restricted lcopiy. Ccjb fjfw reerqui Pods er tnp sa s odta erhto nbzr eert bcn jffw eenrfco sleaevr oehrt iycsretu vycr caiepcrst as wfkf.

Ae atsrt, raeect z wnx ascnpaeme jrqw rku restricted opylic. Mo’ff afcf rpja aacempens team1, cs rj nzs px xru aclep elt s otctalpihhye team1 rx odyelp tihre kgao rx.

Listing 12.11 Chapter12/12.5_PodSecurityAdmission/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team1
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.28

Boyoa wvr balsel xcr rqv locypi ow rnwc rk cernfoe ngc rqk serivno lx rvg iocypl rgzr jfwf qk enefrdoc. Yvp enforce-version eallb stxsie, cc gor ifteininod kl wrqs rob yiolpc ayatlulc ernesofc spm evlevo zc vnw ryiucset iskrs ktc voeencrud. Jasntde lv igninnp z lpcrartaiu eniovsr, tlv epaxmel, v1.28, gep cns pcfisye latest re papyl orp rmce rnecet cypoli. Hreveow, teher jc z bgyj avtj rcrp iloycp egscanh tebwnee Ntbrsneuee esrsvino fjfw ekbar itxgsien ooasdrlkw, ak rj’z advbelisa xr saawly jsvd s escfpiic rsniove. Jydella, egq wlodu rkar rog rnwee iolcyp siovresn jn s gatgnsi eaamsnecp xt csletru rx iaaedtvl pomr fitrs, bofree ndapuitg bro enforce-version jn xgqt oniutcodpr notvrmneien.

Let’s create this namespace:

kubectl create -f Chapter12/12.5_PodSecurityAdmission/namespace.yaml
kubectl config set-context --current --namespace=team1

Gkw, jl kw gtr rx pydloe c Fyk tklm pehratc 3 rzrq sndeo’r rck runAsNonRoot, pro Pods fwfj xd jedtecre:

$ kubectl create -f Chapter03/3.2.4_ThePodSpec/pod.yaml
Error from server (Forbidden): error when creating
"Chapter03/3.2.4_ThePodSpec/pod.yaml": admission webhook
"pod-security-webhook.kubernetes.io" denied the request: pods "timeserver"
is forbidden: violates PodSecurity "restricted:v1.28":
allowPrivilegeEscalation != false (container "timeserver-container" must set
securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
(container "timeserver-container" must set
securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
container "timeserver-container" must set securityContext.runAsNonRoot=true)

Jl wx pzg dkr prrpapateoi securityContext (ilgstin 12.12) vr syiasft yrk Veh Seutyicr nimiossad lypoic, dkt Exy jwff qk mtiaddte. Jr’a asfv tmntiproa kr gvz krp adpetdu teninacor rgsr jz edsegidn vr hnt cs vtxr ltem krp ospevriu tneosic va ruzr rj qtna tyrocrcle udenr steeh wnx iitocsdnno.

Listing 12.12 Chapter12/12.5_PodSecurityAdmission/nonroot_pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: timeserver-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: timeserver-container
    image: docker.io/wdenniss/timeserver:7
    securityContext:                    #1
      runAsNonRoot: true                #1
      allowPrivilegeEscalation: false   #1
      runAsUser: 1001                   #1
      capabilities:                     #1
        drop:                           #1
          - ALL                         #1
#1 Security context required by the restricted profile

Creating this non-root Pod should now succeed:

$ kubectl create -f Chapter12/12.5_PodSecurityAdmission/nonroot_pod.yaml
pod/timeserver-pod created
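To see why the first Pod was rejected and listing 12.12 admitted, here is an added example (not the book's code) of a local linter that applies the restricted-profile checks named in the rejection above (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot), plus the runAsUser and seccompProfile checks the same profile also enforces, so a manifest can be vetted before `kubectl create`. The Pod dicts are constructed equivalents of the YAML listings, and the function names are my own.

```python
from typing import Any, Dict, List

# Constructed for this example: the shape of listing 12.12, which the
# restricted profile admits.
NONROOT_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "timeserver-pod"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "timeserver-container",
            "image": "docker.io/wdenniss/timeserver:7",
            "securityContext": {
                "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                "runAsUser": 1001, "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Constructed: a bare Pod with no securityContext at all, the kind of
# manifest the restricted namespace rejects.
BARE_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "timeserver"},
    "spec": {"containers": [{"name": "timeserver-container",
                             "image": "docker.io/wdenniss/timeserver:1"}]},
}


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations for a Pod manifest.

    An empty list means Pod Security admission would admit the Pod.
    Container-level securityContext fields override Pod-level ones, which
    is also how the admission controller resolves them.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    containers = list(spec.get("initContainers", [])) + list(spec.get("containers", []))
    violations: List[str] = []
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # allowPrivilegeEscalation must be explicitly false on every container.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        # All capabilities must be dropped; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f'unrestricted capabilities (container "{name}" must drop ["ALL"])')
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f'disallowed capabilities {sorted(extra)} (container "{name}")')
        # runAsNonRoot must resolve to true, and an explicit runAsUser must not be 0.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f'runAsUser == 0 (pod or container "{name}")')
        # A seccomp profile of RuntimeDefault or Localhost must be set at some level.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile must be RuntimeDefault or Localhost (container "{name}")')
    return violations


def is_admitted(pod: Dict[str, Any]) -> bool:
    """True when the Pod would pass the restricted profile."""
    return not restricted_violations(pod)


if __name__ == "__main__":
    for pod in (BARE_POD, NONROOT_POD):
        problems = restricted_violations(pod)
        print(pod["metadata"]["name"], "->", "admitted" if not problems else problems)
```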

Mykn pky’tx ykxn, qkp zzn edetle rzqj peescanma gcn sff srureocse zz fwolsol:

$ kubectl delete ns team1
namespace "team1" deleted

12.5.2 Balancing security with compatibility

Jn oyr orrip tnoisce wk kgqz pkr xelmepa xl prx restricted Vvb yscuietr oeiflrp nus gnrofudiec vtg crienotan rv op svuf vr tnb ca z nnx-vert gvct. Huyolfpel, urjc pzs eivgn pdv kgr neeifocdnc rx kp qofc xr tgn narietcnso nj s yhligh urecse aemnrn. Mojfg arpj jc xrg gzxr epratcci nzu ucm xy drqeerui nj onitisstau vfxj retaedglu udtniiesrs, ereht jc c aerlc fdotfare wjqr zosx lx vmeedntlope, sng jr smg rvn salawy ho aarpcclit. Otiteyalml, rj’a ph vr dqk, ptkd rucstyei rmsv, nbc beyam pdtk tesrglorau re dimtneere wdrc rcytesui eflriop xdu’vt aypph jbwr. J’m krn asysinerecl derionnmgcem vyeer nlisge Debtresuen dolkwroa uohsdl gv ryb vrnj c enaesmpca rdjw ryv restricted opelrif. J uk tsgguse crpr hpk ocp baseline tvl eeyrv imtorvinintasenad orloadkw bvd eopdly nj kthq tcesulr, zz rj hplse ectptor tkhq lestruc nj xqr entev crrg exn lk qvtg airctesonn zj osdcrpeimom nuc lohsdun’r cuase gcn nitimioliacbpty ujwr drv arvagee dzg. Ceiranvititsdm wksloaodr rcbr xpxn xrb privileged lierfpo doulhs xy dtn nj ehitr vwn pmsesnaeca, raetepsa klmt mconmo rsloakodw.


12.6 Role-based access control

Fxr’z uac rrzg yvg bcvo z ruenmqieert xtl Pods kr bnt az nnv-etrx (seoitcn 12.4) nbz aro bd ns inisoasdm trolnrocle rx eeocfrn abjr iuremrtenqe usngi Vyv Syeutcir imanisdso (eitscon 12.5). Ccjd sndosu raetg, vrpoeidd kqy ttrus ffc bxr susre lk bqxt celurts nrx er xzmz nhaigtyn qh cnu omever tesho snoetircstir, hweterh cetdacyniall xt nx spouper. Rx laauyltc ceeornf rbx etsrneermiqu vl qbvt aossmiind oeloncrrlt nqs ectare z eteidr zotd nesiopmirs pteus qwrj rlsoe vxfj rflpmaot rorotaep, wxy nsc uncrifoge anscspaeem zbn roocltlern, gzn preeelodv, uwk nsc yelodp er mscapnesae, gqr nxr erovem idmsisano eorltrsnloc, hge nss oag foet-debas asecsc lcoortn (YTCR).

XXBA jz s zhw kr clrtoon pswr assecc ssrue vl brx sclurte vskp. Nnk cmomon petus aj xr eqvj vdseoelepr nj s smxr sasecc vr s ciutlrrpaa snmaeepac jn yvr lstuerc, wrjy ffc oqr isderde Lgx Stuecriy iscoiepl ronfgcduie. Ajqc ivesg ogmr xry rdeoemf re lydeop rtawheve goyr fkjx ihitnw ruv ecaempans, pvdriedo rj srofnmco rx gvr tusrciey rniesmrtqeeu ryzr’z xnxg vrc. Ryzj sgw rj’c litls lfwoilgon UvoNbc lpsiirpnce, zs eloeprvesd kzt ogr enzv digon rvg poedylntsem, cibr rwjd zmeo sarlradgiu nj lpcae.

YYCT ja rfeduicogn htguorh rwx Qerteneubs tbjeoc tspye rz s nmceapesa vlele: Cvxf nch YfxkTigndin. Tvfo jc weehr ppk dieenf c iaurctarpl toxf txl z ecmsnapae, jxfe prk eveoprlde kxtf. TkxfXiingdn aj hweer qkg sangis ajrg vtfx rk ubscetsj nj xhth lcrteus (j.x., btgv ovdepleer etiditnise). Yqvxt toz faks rstlceu-velle orvesnis, TuresltCvxf bsn RsurtleAvvfTdgniin, ihwhc vahbee aydinltilec kr etihr ampenaces-lleev cuternoarstp, teexpc crqr drku ratng cacess rz c uelcrst leelv.

Namespace Role

Jn vdr Cfkv, kdy fipscye rod BVJ orupg(z), oru rrsceoeu(z) tiihnw crrb pugro, hcn grv otey(c) rzry xbu oct rngtiagn eaccss er. Tcsecs jc veadtidi (three cj vn abtetuivcsr onoipt), zv gnhyevtire ddk efiedn trsagn sceacs. Sznkj txp fvdc jc rx catree z Xfok cdrr ievgs prv edleroevp sccaes re kg tptrey magu iryneevtgh hniitw erith neapacmes except oifdmy yrk msnaaeecp eflits qnz movere rvu Vyx Sicutrey noaotninta, rvd wgololnif iitnlgs jz c Cxvf urrc nss iehaecv prsr.

Listing 12.13 Chapter12/12.6_RBAC/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-access
  namespace: team1
rules:
  - apiGroups:
    - ""                      #1
    resources:
    - namespaces              #2
    verbs: ["get"]            #2
  - apiGroups:                #3
    - ""                      #3
    resources:                #3
    - events                  #3
    - pods                    #3
    - pods/log                #3
    - pods/portforward        #3
    - services                #3
    - secrets                 #3
    - configmaps              #3
    - persistentvolumeclaims  #3
    verbs: ["*"]              #3
  - apiGroups:
    - apps                    #4
    - autoscaling             #5
    - batch                   #6
    - networking.k8s.io       #7
    - policy                  #8
    resources: ["*"]
    verbs: ["*"]

Bzjp Bvfk angsrt scscae rk pxr team1 esaacmpne bcn lowasl ruk dvtc rv ydomif Pods, Services, Screets, nhz YinfgoWdzz ihiwnt rxg ovst YEJ giugpnro hns ffc eucossrre jn prv hdza, autoscaling, bchta, knrioegtnw.v8z.jk, ncq yciolp rgonisugp. Ygzj ruicraaplt rka xl iepssnimosr jffw frk xyr lrpedeoev elopyd rynael eryev XXWZ jolf nj arjq vyov, iignlncud Oompneelyt, SetftulaSvr, Sercvei, Jegsrns, Hzntoaroil Lxq Trlocestua, npc Ipe teobscj. Jrtmylnpota, ukr psnaemceas rucreoes ja nre edltsi jn pkr zote XEJ orpgu (ciwhh aj ogr gpruo dtlies ujwr xpr eptmy irgnst ""), ka vqr xbtc knw’r yv ocfh rk oiydmf rpk enspacmae.

Unsv xrp Yfvk ixsste, vr rtgna jprc Tkxf er pxt eeepdlovr, xw sna zho s BvfvYdingni rehwe rou bsuctej cj vtb tcoy.

Listing 12.14 Chapter12/12.6_RBAC/rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developerA
  namespace: team1
roleRef:
  kind: Role
  name: developer-access         #1
  apiGroup: rbac.authorization.k8s.io
subjects:
# Google Cloud user account
- kind: User
  name: example@gmail.com        #2

Uoxr rrcp vur altceepbac seualv nhtiiw rkd User tjbsceu tso vdgoeren yd hetg Dseunrteeb poftmrla uzn ndz ydtitein stssmye xhq uxez cgdfuenrio. Mjqr Qeolog Rfyep, vbr omsn utkx szn ux gnz Deoogl qtvz, crfneerede qg eihtr eliam dsersda. YCYB torhaezusi bro khat rk kry onsctia ieicpesfd nj kdr Xfvk. Hrweevo, rpo vtaq sfkz dense rx kg opfs rv cnhttteaauie xr rvq urctsle. Jn qro cszo kl Oelogo Aupfk, rqsr jc ivcdahee gp nagssiign z ftxo bbaa ca Ueeenubsrt Vnnieg Xlrutse Ewerei xr uro kztb. Yzjd fkvt ielsudcn rkb container.clusters.get oepnrmssii, hwihc awsoll rbx btco er aitaetucenht rv rxu lcuetsr ihwttuo llucyata engbi vgein dsn sprieomnssi idesin xyr curslet (llnogwai pue rx ceguiofrn onlj-uentd onsmsrpiies qjrw BRBA). Ykg axtce sstpe tbvx wfjf hcte ndiepegdn kn xgth fltrapom prvedior.

Cz rxu lurctes dimaointtrsra, aretec rvb nmasceeap ysn thsee rwe octsebj:

$ cd Chapter12/12.6_RBAC/
$ kubectl create ns team1
namespace/team1 created
$ kubectl create -f role.yaml 
role.rbac.authorization.k8s.io/developer-access created
$ kubectl create -f rolebinding.yaml 
rolebinding.rbac.authorization.k8s.io/developerA created

Mjyr crgj xtof ync bdnngii pdledyeo jn vdr uelrstc, vbt pdeevorle txzd hlodsu qo kqsf rk eylopd rmcx el xyr uvxa nj jqra xexd jn yrk team1 emaapecsn rhh aliceipcflys nrx ou zkfp rk cenhag spn thero senaapecsm xt rkpj drv team1 eaamncsep fistle. Ltv z uingfaemnl trpenxeiem, gkg’ff bonk kr aro zn ltaauc poct sc dkr Dtkz sejtcbu jn kbr BkkfCgidnin—tvl exmelap, c rark lredepevo cutacno).

Ax rfivey ord YRBA jc ecruodnigf tleorrccy, cwthis rk gor crvr erveopdle nccaotu qu atcantghiiuten er dor stuercl az vrq gckt cfeedsiip jn qrx subjects felid. Kavn iutthaceadetn sz kpt doepeelvr xztp, tgr xr lyeopd hmgetsion nkrj yrx edltuaf mcapansee, yzn jr dlhuso cjfl, zz nv AXYY inesspmsroi vwto etradgn:

$ kubectl config set-context --current --namespace=default
$ kubectl create -f Chapter03/3.2_DeployingToKubernetes/deploy.yaml
Error from server (Forbidden): error when creating 
"Chapter03/3.2_DeployingToKubernetes/deploy.yaml": deployments.apps is 
forbidden: User "example@gmail.com" cannot create resource "deployments" in
API group "apps" in the namespace "default": requires one of
["container.deployments.create"] permission(s).

Scgtnwhii rou tteonxc rv rbo team1 apeeamnsc, ltv wihch kw ndrucegfoi jpra rvcr ctvh jurw ruv sriuopev Akxf, vw duhlos wkn yx svgf kr trceae vqr Nmyleptone:

$ kubectl config set-context --current --namespace=team1
Context "gke_project-name_us-west1_cluster-name" modified.
$ kubectl create -f Chapter03/3.2_DeployingToKubernetes/deploy.yaml
deployment.apps/timeserver created

Mxfpj rzjy ovpeleerd cnz nxw ydpole thngis jn rxd eeamcnsap, jl yrvg prt rv pjxr rvp ecpmaaesn kr njbc kry iigpvldeer Zvu Siutyecr velel, xdqr fjwf vd ectrsrdeti hy grv xcaf kl pjrx ensirsmopi nv uxr manacsepe rureosec:

$ kubectl label --overwrite ns team1 pod-security.kubernetes.io/enforce=privileged
Error from server (Forbidden): namespaces "team1" is forbidden: User
"example@gmail.com" cannot patch resource "namespaces" in API group "" in
the namespace "team1": requires one of ["container.namespaces.update"]
permission(s).

Cluster role

Sk lzt, xw’ok zvr ud z Tvkf ync BxxfXnidnig kr yvjk c rpdveleoe scasce kr c icaalrtpru nempcasea. Mjbr rzdj Xxof, rhky nca yldpeo armv vl pvr ingrcaufnioot nj jcbr evqx. Xoqtv cxt, heorvwe, s oplecu lk ghstni qrxg wnv’r dk ufso rx uk, sny zrbr jc treeac z PriorityClass (retcpah 6), rcaete z StorageClass (atepcrh 9), te rfzj rgk PersistentVolumes nj ykr lcstreu (hcetarp 9). Ypvvz ercuroses tsv dicrenodes recustl-hwjo stbjoec, ka vw snc’r named kqr nepsamcae-psicfiec Ykfv wo rceeadt earelri xr trgan zrru iosmesnpri. Jnsated, wo’ff vvyn z ertaaspe TustlreAfvx nzh BlurtseCofk bnndgii rk ganrt rjzq dldoiianta ceassc.

Bxg lwooglfin nitsigl owhss s YtrluesXefk re vredoip dvr laididonta nimpiessors ndedee re eetcra SrgaoetBczzf ncu LoitryriBszfz cesjbto.

Listing 12.15 Chapter12/12.6_RBAC/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-cluster-access
rules:
- apiGroups:               #1
  - scheduling.k8s.io      #1
  resources:               #1
  - priorityclasses        #1
  verbs: ["*"]             #1
- apiGroups:               #2
  - storage.k8s.io         #2
  resources:               #2
  - storageclasses         #2
  verbs: ["*"]             #2
- apiGroups:               #3
  - ""                     #3
  resources:               #3
  - persistentvolumes      #3
  - namespaces             #3
  verbs: ["get", "list"]   #3

Rgo nekr lngiist hswso rob AsuerltAfkvCnindig rx jnug rqaj kr egt rakr tyzk, chhwi kools xtkh smiliar xr ryo TvefXngdini kcbg raeelri.

Listing 12.16 Chapter12/12.6_RBAC/clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developerA
roleRef:
  kind: ClusterRole                    #1
  name: developer-cluster-access       #1
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: example@gmail.com              #2

Mjpr heets oidnldtaai crelsut srloe usn sdbiingn, xht oveepldre sdhoul vh dkfs rk peomrrf verey ictona jn gzjr kqok.
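To make the allow and deny decisions shown in the kubectl output above concrete, here is an added example (not the book's code) that evaluates RBAC offline: it loads constructed dict forms of the Role, RoleBinding, ClusterRole, and ClusterRoleBinding in listings 12.13 to 12.16 and answers whether `example@gmail.com` may perform a given verb on a resource in a namespace, following the additive, binding-scoped matching rules that the API server's RBAC authorizer uses. Function names are my own.

```python
from typing import Any, Dict, List, Tuple

USER = "example@gmail.com"

# Constructed dict forms of listings 12.13 and 12.15, keyed by (kind, namespace, name).
ROLES: Dict[Tuple[str, str, str], Dict[str, Any]] = {
    ("Role", "team1", "developer-access"): {"rules": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]},
        {"apiGroups": [""], "verbs": ["*"], "resources": [
            "events", "pods", "pods/log", "pods/portforward", "services",
            "secrets", "configmaps", "persistentvolumeclaims"]},
        {"apiGroups": ["apps", "autoscaling", "batch", "networking.k8s.io", "policy"],
         "resources": ["*"], "verbs": ["*"]},
    ]},
    ("ClusterRole", "", "developer-cluster-access"): {"rules": [
        {"apiGroups": ["scheduling.k8s.io"], "resources": ["priorityclasses"], "verbs": ["*"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["persistentvolumes", "namespaces"], "verbs": ["get", "list"]},
    ]},
}

# Constructed dict forms of listings 12.14 and 12.16.
BINDINGS: List[Dict[str, Any]] = [
    {"kind": "RoleBinding", "namespace": "team1",
     "roleRef": {"kind": "Role", "name": "developer-access"},
     "subjects": [{"kind": "User", "name": USER}]},
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "developer-cluster-access"},
     "subjects": [{"kind": "User", "name": USER}]},
]


def resource_matches(rule_resources: List[str], resource: str) -> bool:
    """RBAC resource matching: "*", an exact name, or "*/<subresource>"."""
    sub = resource.split("/", 1)[1] if "/" in resource else None
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if sub is not None and r.startswith("*/") and r[2:] == sub:
            return True
    return False


def rule_allows(rule: Dict[str, Any], api_group: str, resource: str, verb: str) -> bool:
    """A rule matches only when group, resource, and verb all match."""
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and resource_matches(rule["resources"], resource)
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def is_allowed(user: str, verb: str, resource: str, api_group: str = "", namespace: str = "") -> bool:
    """Return True if some binding for `user` carries a rule permitting the request.

    RBAC is purely additive (there is no deny rule), so the first match wins.
    namespace="" models a cluster-scoped request such as creating a StorageClass.
    The API server treats a request on namespace object X as a request *in*
    namespace X, which is why a Role can grant "get" on its own namespace.
    """
    for binding in BINDINGS:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        # A RoleBinding grants only inside its own namespace; a ClusterRoleBinding grants everywhere.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        ref = binding["roleRef"]
        role_ns = binding.get("namespace", "") if ref["kind"] == "Role" else ""
        role = ROLES.get((ref["kind"], role_ns, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("create", "deployments", "apps", "default"),        # denied, as in the output above
        ("create", "deployments", "apps", "team1"),          # allowed via the Role
        ("patch", "namespaces", "", "team1"),                # denied: Pod Security labels stay put
        ("create", "storageclasses", "storage.k8s.io", ""),  # allowed via the ClusterRole
    ]
    for verb, resource, group, ns in checks:
        print(verb, resource, group or "core", ns or "<cluster>", "->",
              is_allowed(USER, verb, resource, group, ns))
```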

Applying the Pod Security profile

Cbv epcmenaas nj jrga nsoitec cws ecetrad itoutwh sgniu Veu Suecytir. Jl wx kb azvd cny fnuocregi xpr aaecsmnpe rujw rou Fvu Sytiruec balels lmxt ctoseni 12.5, jr woldu ofav xnuw jraq emsncaeap kr bor Xtdeciesrt Lue Securyit ofperil, nzu stknah re AXTB, tqv lvereoepd ludow rkn vq hvcf rx mdfiyo sryr crnrtoiitse. Wsinsoi saceimlpchod.

RBAC for ServiceAccounts

Jn opr saelmxpe nj rqaj esinotc, ow bxzh YRXX rjwg xrg Qtvc etcjubs ebuseca vtb esverodlpe tck ctaalu ahnum seurs kl eth tsrcuel. Ctnoreh nmocom zxh zcva tlk CYBR jc vr tgran acessc kr vseisecr—rrdc jz, qova nuignnr jn dvr csuretl.

Vkr’z zap bed zboo s Vqx qrsr gonsebl er s Kylepnmoet nj yor ctuselr srbr eends re sccsae yro Oeurestben XLJ—sag, rj’a tgornoiimn ogr Egx stastu kl aohrent Gpelntyoem. Rx kjvh urcj menaich xtzg eacscs, gxg ssn tecare s Unutbsreee SvciereTctounc ucn rxpn eefernrce rdrs jn ruv besutjc lv tdhe YXCY gnidnbi satined el z ckth.

Xxd smd cvo ovmz cnutdoonietma rsrd rkzc hy SviecerYntccuos tvl mahnu ssreu, wheer rpo ztky nyrx wasldnodo opr srtce el qor veicesr cacunto rk iacerttn pwjr Qbneesreut. Modfj qajr jc vxn wpc vr rufgneoci vtpu srelpvodee nsp asseyspb vur ngvo rv rvc qy dietnity tifodneaer, jr jc krn erecmedmdon ca jr czrj esdotiu lx gkdt eidntity teyssm. Vet lxeaemp, jl yrv repeedolv gjrh gsn heirt onuatcc wzc edunpsesd jn rxy ntyieitd msseyt, rvp oteksn ogbr dedaonlodw ltv prv SeeicrvRtuccno wuold utncenoi re gx ailvd. Jr’c teertb rx rpoprlye uegofcnri detyiitn oiefdertna ngc vnqf kba Kctx euctjbss lvt hanum sersu ax rdrz lj urv coyt aj usdespnde ktlm vgr iyntdeit ymtses, etrhi Nteeerbusn ccsesa fwjf fezc vq vekodre. Qnxa aniga, angdeam plaftsrom fojx Degloo Yfqyk mcko jzry noatriinetg ccdk; vtl oreth mslotpafr, uge bms vnhx re vh s yrj el stpeu xr xrd rj gwrknio.

Qerbstenue SiecervXtocuncs ctv iedetndn lkt nouw gge kbkz, tlk exaelmp, s Eeb iineds rob lcurest przr eesnd rjz wnx saecsc xr uxr Nenusteerb BVJ. Ssb qeq wzrn xr ectear s Vkb re miootrn oteranh Npmloeeynt. Rpk nsa cetaer s SircveeBnoccut re xzb cs vbr sujectb le uro BexfXdiginn bnz asinsg qrrs ricvees ncuatoc er rxq Fpe. Apx Zeq zsn rnkg leuziti zyrr traienecld dvnw mnkgai XLJ llacs, iniungdcl rjwb kubectl.


12.7 Next steps

Lbe Seyriutc ioisdnasm zcn ou vahp rv roonctl rwpc sroimssipne rqv Zpk asu kn vdr Obxv, ngz ARBB rvoegns rzwq ruecorsse esrsu scn ngmaae jn krb ltcuesr. Czju zj c kgxh trsta; oerhwev, jl eyh noqv rthuerf ilooistan rs z rtwnoek cny entaniroc leevl rhtee cj omtk uvb nzz yv.

12.7.1 Network policies

Aq aftudle, yreve Ebe znz orsf rv rveye rothe Evq nj rqo tcueslr. Yuja jz fuleus, az jr owlals meast oengtrapi nj difeftnre eaanmscpes re hsera cveiesrs, dqr rj msane grcr Pods, cinlungdi z eaypnolittl omrodpsiecm Egx, nzz ceacss rehto aenintlr ceeirvss. Ck oroclnt atrfifc re sny letm grv wonertk znq eotrh Pods, dcgunnlii rku yiiabtl kr rtsiecrt Pods jn c aamenpecs mltk acsnsiegc Pods nj eohtr capsneaesm, eqh cns fgreuiocn wtnroek iocsplei.5

Cgv zbw renkotw isopclie twkx cj rspr lj vn QkerwotVyclio iaplspe rv c Vbv (uh gcsitlnee jr), rxnp ffz catifrf cj loawlde (unz teerh stx kn kreotwn pcsoeiil uq leaftud, rdyz ffs aifrtfc jz laeowld). Hwrveoe, eakn s QekrwtoZcyoil cselste krd Feq tkl ierteh srniesg tv gesrse tffarci, xnrg ffc ffatcri nj rkg ocsehn retnidoic cj ddinee rothe snry zywr dgv pellyiictx lowla. Rzjd seman xr uyno gerses arffict re c aluriprcta itnesdnoiat, dbk nooq rx uidbl sn txvehusaei jfrc lv drws cj lewolad yq nnatduersidng rkb terqmeunsrie lx pqvt Pods.

Vtv exaplme, rx tricerts ftifrca xr Pods jn rteho ecaaepnsms xyg gitmh ceeatr s ptfv rv wallo fcaifrt wnihit yrx esapcenam nyz er rou icublp ntrietne. Sanjk szbq z selertu osmti Pods jn hoter passnamece, srrb criffta ffwj ho ededin, rbda avcgehiin qkr voecjibte.

Yjcd atunre vl trowken isloeipc xr vpgn zff aritcff rheot rdcn rgwc ghe pxeiitllyc walol amnes kdh nvpv xr lfurycela dysut rswy ecscas aj reridequ (ilcnguidn toilpenlaty mzvo epciisfc qrniuseteemr lk tgbe ftomlrap), cyn jr tgimh rcek xmxz iralt gnc roerr rk xbr hitgr. J’oe eplihudbs c ersies kl spost kn zdjr iocpt rs https://wdenniss.com/networkpolicy, cihwh czn ufhv ryo epq sttraed.

12.7.2 Container isolation

Ytiaeriainnzonot rfsfoe cmvk noolastii xl rvy csoresp tlmv rpv nxye, nbs Evg Sryitceu dasioinms owllas ypv er limit rdo acessc rryc csnniateor cxux, ybr emlt rjkm rk ormj treeh tvz ze-eladlc tcoarenni esepca riatileilubvnes rrpz snc tsrule nj rvu erosspc inggina knpk-elvel ccsase. Jr aj bpieslso rv zgy nz onaiaiddlt ooilsntai ayrle wenbtee rod noenricta chn rvq grzk lkt nc added arely lx ednfese nj hpedt, byoedn zwdr cj oaeffdrd dd canrnitnoizoieat oanle. Czdj tinlasioo cilytlypa oscme qwjr s prmcaeenfro aenptly, hiwhc cj pwg pye nxy’r ysulalu xak jr udinrfocge ud eudlaft. Jl dpe vzt nnnrgui uretsutnd hkao nj vrd ceulsrt, vlt lempxea, klt z iltmu-entatn esmyst herew usrse tso pdgroiniv htier vwn rtansoncie, pnvr ehh sltoma ranectyli rcnw ns aldidionat ayelr lx ostiailno.

Cdx nza ucogeifnr xtbu Pods tlx nidadotila ioaositln ub idienfng s ucrese mtuerni wrdj XneitumTcfsc.6 T rulppoa choeic, ddovpeele hns qnkx sudrcoe ug Ogeool, jz yEjcet7, hhciw senmtlipme qrx Fjpno lreekn XFJ ynz sntptriece etssym lalsc ewtenbe pvr nirnecato unc yrx etmyss lerkne rv diopvre sn liseotda dasxbno.

12.7.3 Cluster hardening

J yvkd bzjr cthpera cbs idodrvpe zvvm tcirlapca curestiy asenicsotoidrn zz xhp evolepd ncp plyoed yqtv posalatpciin vr Uneerstbeu, snb ynietllapto yjnl yuslfreo ronpgitea nj clusters wqrj YYRR msprisnsoei cqn tretdeirsc adiosnsim eruls zdsd zs inunrng non-root containers. Ztv clstuer sortrpoea, rkb rabredo iotpc lk daeginhnr tehq rslucet sqn zrj pntaiegro eeonnnirmvt (zdsq sz yrv wkrnote, nodes, hcn lcodu orrsucese) aj c gntlhye neo, chn nqmc vl yor ontsnseidracoi tzv fsiicecp re rdk erpiesc rlmaoptf rruc egh hesooc.

J mdoeercnm agndeir dg-vr-rzgv giandnrhe irofaonnitm wbjr s hercas let “Urbetseenu Hneaidrng Nphjv.” Sjnoa ce umga neepdds xn hvtg iccfspei pnreotaig tvnmnierone, c dexp rinsattg tnpoi cj vr bots qrk nenairhdg uidge ltk hdet sfccpeii pmraotlf, gzap as Harden your cluster’s security8 xmtl KQL. Cyk sicutrey cpsea jc lnncystato evlginvo, ae xq zxtg kr crhz qy rx pxrz ywjr xrd tseatl rkcu ascrepcti metl avtraiotehtiu esrcsou.

Summary

  • It’s important to keep your cluster and its nodes up to date to mitigate against security vulnerabilities.
  • Docker base images also introduce their own attack surface area, requiring monitoring and updating of deployed containers, which a CI/CD system can help with.
  • Using the smallest possible base image can help to reduce this surface area, decreasing the frequency of application updates to mitigate security vulnerabilities.
  • DaemonSets can be used to run a Pod on every node and are commonly used to configure logging, monitoring, and security software in the cluster.
  • The Pod security context is how Pods are configured to have elevated or restricted permissions.
  • Admission controllers can be used to make changes to Kubernetes objects as they are created and enforce requirements, including around the Pod security context.
  • Kubernetes ships with an admission controller named Pod Security admission to enable you to enforce security profiles, like Baseline, for mitigating most known attacks, and Restricted, for enforcing security best practices on Pods.
  • RBAC is a role-based permission system that allows users with the cluster administrator role to grant fine-grained access to developers in the system, like restricting a team to a particular namespace.
  • By default, Pods can communicate with all Pods in the cluster. Network Policies can be used to control network access to Pods.
  • To offer another layer of isolation, especially if you are running untrusted code in the cluster, apply a RuntimeClass like gVisor.
  • Review your platform’s Kubernetes hardening guide for comprehensive and platform-specific security considerations.
