Scribd
Upload
225 views

Lab27 - Kubernetes Pod Security Context

The document discusses setting security contexts in Kubernetes. It begins by defining security contexts and their capabilities. It then demonstrates how to [1] set the security context for a pod to run processes as a specific user and group, [2] set the security context for a container to override the pod's user, and [3] set capabilities for a container to grant specific privileges to processes. The examples show configuring settings like users, groups, capabilities and verifying their effects.

Uploaded by

Soujanyana Sanagavarapu
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
225 views

Lab27 - Kubernetes Pod Security Context

The document discusses setting security contexts in Kubernetes. It begins by defining security contexts and their capabilities. It then demonstrates how to [1] set the security context for a pod to run processes as a specific user and group, [2] set the security context for a container to override the pod's user, and [3] set capabilities for a container to grant specific privileges to processes. The examples show configuring settings like users, groups, capabilities and verifying their effects.

Uploaded by

Soujanyana Sanagavarapu
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Lab: Kubernetes Security Context

Introduction
A security context defines privilege and access control settings for a Pod or Container. Security
context settings include, but are not limited to:
Discretionary Access Control: Permission to access an object, like a file, is based on user ID
(UID) and group ID (GID).
Security Enhanced Linux (SELinux): Objects are assigned security labels.
Running as privileged or unprivileged.
Linux Capabilities: Give a process some privileges, but not all the privileges of the root user.
AppArmor: Use program profiles to restrict the capabilities of individual programs.
Seccomp: Filter a process's system calls.
AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent
process. This bool directly controls whether the no_new_privs flag gets set on the container
process.
readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.

Objectives:
• Set security context for a pod
• Set security context for a Container
• Set capabilities for a Container
Note: Ensure you have running cluster deployed & configured.
1. Ensure that you have logged-in as root user with password as linux on kube-master node.

1.1 Let us clone the git repository which contains manifests required for this exercise, by
executing the below command.
# git clone https://github.com/EyesOnCloud/k8s-security.git
Output:

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.2 Let us view the manifest, by executing the below command.

# cat -n ~/k8s-security/security-context.yaml
Output:

1.3 Let us create the pod, by executing the below command.

# kubectl create -f ~/k8s-security/security-context.yaml

Output:

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.4 Let us verify the pod is running, by executing the below command.

# kubectl get pod security-context-demo

Output:

1.5 Let us get into shell of the running Container

# kubectl exec -it security-context-demo -- sh


Output:

1.6 In the shell container, list the running process.

/ $ ps
Output:

Note: The output shows that the processes are running as user 1000, which is the value of
runAsUser:

1.7 Let us list the /data/demo inside the container, by executing the below command.

/ $ ls -ld /data/demo
Output:

Note: The output shows that the /data/demo directory has group ID 2000, which is the value of
fsGroup

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.8 Let us create a file and list the properties

/ $ echo hello > /data/demo/testfile


/ $ ls -l /data/demo/testfile

Output:

Note: The output shows that testfile has group ID 2000, which is the value of fsGroup.

1.9 Let us run the id command

/ $ id
Output:

Note: You will see that gid is 3000 which is same as runAsGroup field. If the runAsGroup was
omitted the gid would remain as 0(root) and the process will be able to interact with files that
are owned by root(0) group and that have the required group permissions for root(0) group.

1.10 Let us exit the shell.

/ $ exit

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
Set the security context for a Container
1.11 Let us view the manifest, by executing the below command.

# cat -n ~/k8s-security/security-context-2.yaml
Output:

1.12 Let us create the pod, by executing the below command.

# kubectl create -f ~/k8s-security/security-context-2.yaml

Output:

1.13 Let us verify the pod is running, by executing the below command.

# kubectl get pod security-context-demo-2

Output:

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.14 Let us get into shell of the running Container

# kubectl exec -it security-context-demo-2 -- sh


Output:

1.15 In the shell container, list the running process.

$ ps aux
Output:

Note: The output shows that the processes are running as user 2000. This is the value of
runAsUser specified for the Container. It overrides the value 1000 that is specified for the Pod.

1.16 Let us exit the shell.

$ exit

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
Set capabilities for a Container
1.17 Let us view the manifest, by executing the below command.

# cat -n ~/k8s-security/security-context-3.yaml
Output:

1.18 Let us create the pod, by executing the below command.

# kubectl create -f ~/k8s-security/security-context-3.yaml

Output:

1.19 Let us verify the pod is running, by executing the below command.

# kubectl get pod security-context-demo-3

Output:

1.20 Let us get into shell of the running Container

# kubectl exec -it security-context-demo-3 -- sh


Output:

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.21 In the shell container, list the running process.

$ ps aux
Output:

1.22 Let us view the status of the process 1, by executing the below command

# cat /proc/1/status
Output:

Note: Make a note of the capabilities bitmap

1.23 Let us exit the shell.


$ exit

1.24 Let us view the manifest, by executing the below command.

# cat -n ~/k8s-security/security-context-4.yaml
Output:

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.25 Let us create the pod, by executing the below command.

# kubectl create -f ~/k8s-security/security-context-4.yaml

Output:

1.26 Let us verify the pod is running, by executing the below command.

# kubectl get pod security-context-demo-4

Output:

1.27 Let us get into shell of the running Container

# kubectl exec -it security-context-demo-4 -- sh


Output:

1.28 Let us view the status of the process 1, by executing the below command

# cat /proc/1/status
Output:

Note: In the capability bitmap of the first container, bits 12 and 25 are clear. In the second
container, bits 12 and 25 are set. Bit 12 is CAP_NET_ADMIN, and bit 25 is CAP_SYS_TIME.

Note: Linux capability constants have the form CAP_XXX. But when you list capabilities in your
Container manifest, you must omit the CAP_ portion of the constant. For example, to add
CAP_SYS_TIME, include SYS_TIME in your list of capabilities

See capability.h for definitions of the capability constants.

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/
1.29 Let us exit the shell.
$ exit
1.30 Let us clean-up by executing the below command.

# kubectl delete -f ~/k8s-security/


Output:

Student Material – Do Not Re-distribute. For any queries contact:


[email protected] or https://www.linkedin.com/in/naushadpasha/

You might also like