Kubernetes Security | Pod Security Admission Framework
Author: DevOps Virtual University
Uploaded: 2024-09-24
Views: 227
Description:
Pod Security Admission (PSA) framework
======================================
A pod trying to run as the root user
====================================
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app4
  name: app4
  namespace: default
spec:
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged
    securityContext:
      allowPrivilegeEscalation: true
      runAsNonRoot: false
      runAsUser: 0
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
Another pod trying to gain host filesystem access
=================================================
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged
    securityContext:
      allowPrivilegeEscalation: true
      runAsNonRoot: false
      runAsUser: 0
    volumeMounts:
    - name: host-root
      mountPath: /host/root
  volumes:
  - name: host-root
    hostPath:
      path: /
A pod trying to gain container runtime access (to run its own containers on the host):
======================================================================================
apiVersion: v1
kind: Pod
metadata:
  name: compromised-pod
spec:
  containers:
  - name: compromised-container
    image: alpine
    command: ["/bin/sh", "-c", "sleep 3600"] # Simulate a long-running process
    securityContext:
      allowPrivilegeEscalation: true
    volumeMounts:
    - name: docker-socket
      mountPath: /var/run/containerd/containerd.sock # Mount the host's containerd socket into the container
  volumes:
  - name: docker-socket
    hostPath:
      path: /var/run/containerd/containerd.sock
A pod with all securityContext requirements:
============================================
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app3
  name: app3
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged
    securityContext:
      runAsNonRoot: true
      runAsUser: 102
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault # Use default seccomp profile
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
Labels for baseline:
====================
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/warn: baseline
Labels for restricted:
======================
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
How to apply a label to a namespace:
====================================
kubectl label namespace my-namespace pod-security.kubernetes.io/audit=baseline
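To make concrete what the baseline and restricted labels actually check, here is an added example (not code from the video or from the Kubernetes project) that runs an offline approximation of the Pod Security Admission rules over the four manifests above. The real admission happens inside kube-apiserver and covers more fields than this; the subset implemented here is the one these manifests exercise, and the manifests are re-typed as Python dicts rather than parsed from YAML.

```python
# Added example: a small offline approximation of the Pod Security Admission
# checks for the "baseline" and "restricted" levels. Not the real PSA code;
# kube-apiserver evaluates more fields than the subset below.

HOST_NAMESPACE_FLAGS = ("hostNetwork", "hostPID", "hostIPC")
ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def _containers(pod):
    """All containers PSA evaluates: regular and init containers."""
    spec = pod.get("spec", {})
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def baseline_violations(pod):
    """Baseline findings for a pod; an empty list means the pod is admitted."""
    findings = []
    spec = pod.get("spec", {})
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag) is True:
            findings.append(f"spec.{flag} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # hostPath is forbidden at baseline and above
            findings.append(f"volume {vol.get('name')!r} uses hostPath {vol['hostPath'].get('path')!r}")
    for c in _containers(pod):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"container {c['name']!r}: privileged must not be true")
    return findings


def restricted_violations(pod):
    """Restricted = everything in baseline plus the hardening checks below."""
    findings = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # runAsNonRoot, runAsUser and seccompProfile may be set at pod level and
        # overridden per container; the effective (merged) value is what counts.
        effective = {**pod_sc, **sc}
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name!r}: allowPrivilegeEscalation must be explicitly false")
        if effective.get("runAsNonRoot") is not True:
            findings.append(f"container {name!r}: runAsNonRoot must be true")
        if effective.get("runAsUser") == 0:
            findings.append(f"container {name!r}: runAsUser must not be 0")
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            findings.append(f"container {name!r}: capabilities.drop must include ALL")
        seccomp = (effective.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


def admit(pod, level):
    """True if a namespace enforcing `level` would accept the pod."""
    check = {"baseline": baseline_violations, "restricted": restricted_violations}[level]
    return not check(pod)


# Constructed dict forms of the four manifests above (a real tool would load YAML).
APP4 = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app4", "namespace": "default"},
        "spec": {"containers": [{"name": "nginx", "image": "nginxinc/nginx-unprivileged",
                 "securityContext": {"allowPrivilegeEscalation": True, "runAsNonRoot": False, "runAsUser": 0}}]}}
INSECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "insecure-pod"},
                "spec": {"containers": [{"name": "nginx", "image": "nginxinc/nginx-unprivileged",
                         "securityContext": {"allowPrivilegeEscalation": True, "runAsNonRoot": False, "runAsUser": 0},
                         "volumeMounts": [{"name": "host-root", "mountPath": "/host/root"}]}],
                         "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}}
COMPROMISED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "compromised-pod"},
                   "spec": {"containers": [{"name": "compromised-container", "image": "alpine",
                            "command": ["/bin/sh", "-c", "sleep 3600"],
                            "securityContext": {"allowPrivilegeEscalation": True},
                            "volumeMounts": [{"name": "docker-socket", "mountPath": "/var/run/containerd/containerd.sock"}]}],
                            "volumes": [{"name": "docker-socket", "hostPath": {"path": "/var/run/containerd/containerd.sock"}}]}}
APP3 = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app3", "namespace": "dev"},
        "spec": {"containers": [{"name": "nginx", "image": "nginxinc/nginx-unprivileged",
                 "securityContext": {"runAsNonRoot": True, "runAsUser": 102, "allowPrivilegeEscalation": False,
                                     "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}}}]}}

if __name__ == "__main__":
    for pod in (APP4, INSECURE_POD, COMPROMISED_POD, APP3):
        name = pod["metadata"]["name"]
        for level in ("baseline", "restricted"):
            verdict = "admitted" if admit(pod, level) else "rejected"
            print(f"{name:16s} {level:10s} {verdict}")
            for f in (baseline_violations if level == "baseline" else restricted_violations)(pod):
                print(f"    - {f}")
```

Running it shows why the labels matter: `app4` passes baseline (it is root, but touches no host resource) and fails restricted on five counts, both hostPath pods are rejected already at baseline, and only `app3` is admitted at restricted. Note that of the three modes on the labels above only `enforce` rejects a pod; `audit` writes an audit annotation and `warn` returns a client warning, so the `kubectl label` command above, which sets `audit=baseline`, would still let all four pods in. To check a manifest against a real cluster without creating anything, `kubectl apply --dry-run=server -f pod.yaml` in a namespace labelled `pod-security.kubernetes.io/enforce=restricted` returns the same kind of admission error.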