-
Assign the following initiate to a Azure ARC AKS cluster
- /providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00
- Kubernetes cluster pod security restricted standards for Linux-based workloads
-
Wait until the policies have been applied to the cluster (takes around 30 mins)
- You can execute “kubectl get constrainttemplates -A” . if it returns a list of entries that means its been applied
-
Apply 0.policy.security.yaml.
- “Kubectl apply -f 0.policy.security.yaml “
- This will attempt to create the app in the default namespace but will be rejected because of our policy enforcement
- The list of enforcements applied can be talked about. Like privileged access and mount paths
-
To overcome these security constraints we apply a fixed version of the application
- Kubectl apply -f 1.policy.security.yaml
- The command should succeed and you will see the app starting up
- “Kubectl get pod”
Created
February 14, 2023 08:22
-
-
Save ivanthelad/ea7fa1d0178eb2da8b673a6866b2ab0e to your computer and use it in GitHub Desktop.
A insecure setup demo with policy on azure
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: security-context-demo-4 | |
| spec: | |
| containers: | |
| - name: sec-ctx-4 | |
| image: nginx:latest | |
| securityContext: | |
| privileged: true | |
| allowPrivilegeEscalation: true | |
| capabilities: | |
| add: ["NET_ADMIN", "SYS_TIME"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: security-context-demo-5 | |
| spec: | |
| securityContext: | |
| seccompProfile: | |
| type: RuntimeDefault | |
| runAsNonRoot: true | |
| runAsUser: 1000 | |
| runAsGroup: 3000 | |
| fsGroup: 2000 | |
| supplementalGroups: [2000] | |
| containers: | |
| - name: sec-ctx-4 | |
| image: nginx:latest | |
| securityContext: | |
| privileged: false | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| add: ["SETUID", "NET_RAW"] | |
| volumeMounts: | |
| - mountPath: /etc/nginx/conf.d/ | |
| name: nginx-dir | |
| - mountPath: /var/cache/nginx/client_temp | |
| name: nginx-empty | |
| - mountPath: /var/run/ | |
| name: nginx-run | |
| volumes: | |
| - name: nginx-dir | |
| emptyDir: { } | |
| - name: nginx-empty | |
| emptyDir: { } | |
| - name: nginx-run | |
| emptyDir: { } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment