See:
Containers!
Source : https://www.fairwinds.com/blog/kubernetes-basics-tutorial-ensure-containers-do-not-run-as-root
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
  - name: busybox
    image: busybox
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      # allowPrivilegeEscalation: false
      # privileged: false
If there are no non-root users in the Docker image, you may also need to create one in the Dockerfile, with:
# useradd is a low-level utility for adding users. On Debian, administrators should usually use adduser(8) instead.
RUN useradd nonroot -u 1000 --user-group
How?
spec:
  hostPID: true
  hostIPC: true
  hostNetwork: true
  volumes:
  - name: host-filesystem
    hostPath:
      path: /
runAsNonRoot: true: ensures that the container does not run as root. If the image's default user is root, Kubernetes will refuse to start the pod.
runAsUser: 1000 & runAsGroup: 3000: forces the container to use a specific non-root user (UID 1000) and group (GID 3000).
fsGroup: 2000: ensures that files created in shared volumes have the correct group ownership.
Setting privileged: false, allowPrivilegeEscalation: false, and dropping all capabilities dramatically limits what processes within the container can do.
By contrast, the following settings run the container as root or let it gain privileges:
spec:
  runAsUser: 0

securityContext:
  allowPrivilegeEscalation: true
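As an added example (not code from the page's source), a small Python audit that flags the settings discussed above on a Pod manifest: hostPID/hostIPC/hostNetwork, hostPath volumes, runAsUser: 0, allowPrivilegeEscalation left true, runAsNonRoot not set, and capabilities not dropped. The function names and the two sample manifests are constructed here; the samples mirror the hardened busybox Pod and the host-namespace spec shown above.

```python
import json

# Pod-level fields from the "How?" section that hand the container the host's namespaces.
HOST_NAMESPACE_KEYS = ("hostPID", "hostIPC", "hostNetwork")

def audit_pod(pod: dict) -> list[str]:
    """Return findings for one Pod manifest (the dict form of its YAML/JSON)."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key) is True:
            findings.append(f"pod shares host namespace: {key}: true")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            findings.append(f"volume {vol.get('name')!r} mounts hostPath {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        # Container-level securityContext fields override the pod-level ones.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("runAsUser") == 0:
            findings.append(f"{name}: runAsUser: 0 (root)")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged: true")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings

def audit_pod_json(text: str) -> list[str]:
    """Audit a Pod given as JSON text, e.g. from `kubectl get pod NAME -o json`."""
    return audit_pod(json.loads(text))

# Constructed sample: the hardened busybox Pod from above, with capabilities dropped too.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "security-context-demo"},
    "spec": {"containers": [{"name": "busybox", "image": "busybox", "securityContext": {
        "runAsNonRoot": True, "runAsUser": 1000, "allowPrivilegeEscalation": False,
        "privileged": False, "capabilities": {"drop": ["ALL"]}}}]}}

# Constructed sample: the host-namespace/hostPath spec from above, running as root.
RISKY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "risky-demo"},
    "spec": {"hostPID": True, "hostIPC": True, "hostNetwork": True,
        "volumes": [{"name": "host-filesystem", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox", "securityContext": {
            "runAsUser": 0, "allowPrivilegeEscalation": True}}]}}
```

The same checks can be run over `kubectl get pods -A -o json` by passing each item of the returned list to audit_pod.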
Use
See:
Step 1: Download the official job manifest
Clone the kube-bench repo or grab job.yaml from the GitHub releases page.
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
# or: kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
Step 2: Apply the job to your cluster
kubectl apply -f job.yaml
Step 3: Watch the pod until it shows as Completed
kubectl get pods -w
Step 4: Review the results
# kubectl logs -l job-name=kube-bench
kubectl logs pod/kube-bench-6zgst
podman run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest run
See:
Install
kubectl krew update
kubectl krew install kubescape
Scan
kubectl kubescape scan
kubescape scan --format html --output results.html
See Trivy: vulnerability scanning for container images