- CIS benchmark:
  - check a k8s node for improper (non-compliant) configuration
  - kube-bench run --targets=master
- Falco: fields
  - monitor container activities
  - crictl: container id -> pod id -> pod name -> deployment name
  - write custom rules to falco_rules.local.yaml
  - memorize the following techniques
    - macro: user_name_exists
      condition: (user.name != "<NA>")
    - rule:
      condition: spawned_process and container and user_name_exists
      output: myq6 %evt.time,%user.name,%proc.name,%container.id
    - tail -f /var/log/syslog > /tmp/aa.log   # run in another terminal for ~30 secs
    - grep myq6 /tmp/aa.log | cut -d ' ' -f9
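A complete falco_rules.local.yaml built around the macro and rule from the notes above. This is an added example, not a file from the original notes or from the Falco project; the rule name, desc, priority and tags are my additions (Falco requires desc and priority on every rule), and spawned_process and container are macros shipped in Falco's default rule set.

```yaml
# falco_rules.local.yaml (added example; assumes Falco's default macros are loaded first)
- macro: user_name_exists
  condition: (user.name != "<NA>")

- rule: Process spawned in container with resolved user
  desc: >
    Log every process spawned inside a container where Falco could resolve
    the user name. The "myq6" tag at the front of the output makes the
    lines easy to grep back out of syslog.
  condition: spawned_process and container and user_name_exists
  output: "myq6 %evt.time,%user.name,%proc.name,%container.id"
  priority: NOTICE
  tags: [container, process]
```

Falco's default falco.yaml lists /etc/falco/falco_rules.local.yaml after the stock rules file, so after a `systemctl restart falco` the rule is live and the syslog grep/cut pipeline from the notes yields one `time,user,process,container-id` line per spawned process; feed the container id into `crictl ps -a` / `crictl inspect` to walk back to the pod and deployment.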
- OPA (Open Policy Agent): OPA Gatekeeper
  - deny pods whose image comes from a bad container registry; deny pods without certain labels
  - k get crd, k get constraints
  - k edit requiredlabels xxxx
  - k edit constrainttemplate requiredlabels
    # e.g. change count == 1 to count > 0
  - rego syntax
- ETCD: etcdctl secret
  - you can use etcdctl to read a secret directly on a node instead of going through k8s
  - --cacert -> ca.crt, --cert -> server.crt, --key -> server.key
  - etcdctl get /registry/secrets/<namespace>/<secret-name>
- Dashboard:
  - change configs
  - k edit deploy/svc kubernetes-dashboard
  - master/worker node access: service type NodePort or ClusterIP
- Replace ingress TLS: TLS secrets and edit ingress
  - as the title says
  - k get ing (get the ingress's host name)
  - curl -kv hostname:31443/api (check the certificate)
  - k create secret tls <name> --cert=<crt> --key=<key> & k edit ing
  - check again
- Audit log policy: audit policy, audit log backends
  - see what happened, when, and by whom
  - there must be a final rule
    - level: None
    at the end  # don't log any other requests
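An audit policy in the shape the notes describe: specific rules first, and a catch-all `level: None` as the last rule so that everything not matched above stays out of the log. This is an added example, not a policy from the original notes; the choice of which resources to log at which level is mine.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived carries no response yet; skipping it halves the noise.
omitStages:
  - "RequestReceived"
rules:
  # Who touched which Secret, without writing the secret payload to disk.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Full request and response bodies for RBAC changes.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Health probes are pure noise.
  - level: None
    nonResourceURLs:
      - "/healthz*"
      - "/version"
  # Catch-all: a request that matched nothing above is not logged.
  - level: None
```

Rules are evaluated top to bottom and the first match wins, which is why the catch-all has to be last: placed first it would swallow every request. Wire the file into the kube-apiserver static pod with `--audit-policy-file=<path>` and `--audit-log-path=<path>` (plus hostPath volume mounts for both paths), then confirm with `grep secrets <audit-log-path>`.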
- trivy:
  - just remember its simple syntax: trivy image nginx:1.16.1-alpine
- AppArmor:
  - deny all file writes
  - install (load) the profile on the node with apparmor_parser -q <profile-file>
  - enabled in metadata.annotations
  - schedule onto the node that has the profile with spec.nodeSelector or spec.nodeName
  - container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>
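A pod that attaches an already-loaded AppArmor profile to one container and pins itself to the node holding that profile, matching the three steps in the notes. This is an added example, not a manifest from the original notes; the profile name k8s-deny-write (assumed to have been loaded with `apparmor_parser -q` from a profile whose body is essentially `deny /** w,`) and the node name node01 are constructed placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-demo
  annotations:
    # key suffix = container name, value = localhost/<profile loaded on the node>
    container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-deny-write
spec:
  # The profile only exists where apparmor_parser was run, so pin the pod to that node.
  nodeName: node01                     # constructed node name
  containers:
    - name: app
      image: busybox:1.36
      # A quick self-check: with the deny-write profile the touch fails.
      command: ["sh", "-c", "touch /tmp/probe && echo writable || echo write-denied; sleep 3600"]
```

If the profile is not loaded on the chosen node the kubelet refuses to start the pod (`kubectl describe pod apparmor-demo` shows the reason), which is the fastest way to catch a typo in the profile name. On a node, `cat /sys/kernel/security/apparmor/profiles` lists what is loaded.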
- gVisor: runtime class
  - know its purpose: run the pod on a sandboxed user-space kernel instead of the host kernel
  - created by a RuntimeClass resource manifest; the handler is runsc, gvisor is the RuntimeClass name
  - enabled by pod.spec.runtimeClassName: gvisor
  - check with dmesg inside the pod
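The RuntimeClass and a pod that opts into it, as described in the notes. This is an added example, not a manifest from the original notes or from the gVisor project; it assumes containerd on the node already has a runtime entry named runsc (that is what `handler` refers to).

```yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor          # the name pods reference in runtimeClassName
handler: runsc          # the CRI handler configured in containerd on the node
---
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed
spec:
  runtimeClassName: gvisor
  containers:
    - name: app
      image: nginx:1.25-alpine
```

Verification from the notes: `kubectl exec sandboxed -- dmesg` prints gVisor's own boot messages rather than the host kernel's ring buffer; a pod without the runtimeClassName shows the host kernel output (or is denied access to it).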
- Pod Security Admission: enforce pod security standards with a namespace label
  - deny pods with disallowed volume mounts
  - applied on the namespace via metadata.labels
- Network policy: network policy, Default deny all ingress traffic
  - be familiar with NP
  - podSelector: {} means apply to all pods in the namespace
  - curl from inside a pod as the check
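One namespace that combines the two previous items: Pod Security Admission labels on the namespace, a default-deny-ingress policy using the empty podSelector, and one allow rule so the policy is actually usable. This is an added example, not a manifest from the original notes; the namespace team-a, the labels app=api and role=frontend and port 8080 are constructed.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # enforce: pods violating the baseline standard (hostPath mounts, privileged,
    # host namespaces, ...) are rejected at admission
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # warn/audit only on the stricter profile, to see what would break before enforcing it
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}       # empty selector = every pod in the namespace
  policyTypes:
    - Ingress           # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Network policies are additive: a pod is reachable if any policy selecting it allows the connection, so the allow rule punches exactly one hole in the default deny. Check it the way the notes say, from inside a pod: `kubectl -n team-a exec <frontend-pod> -- curl -m 3 http://<api-pod-ip>:8080` succeeds, the same command from a pod without role=frontend times out. Remember that the policy only has effect if the cluster's CNI plugin implements NetworkPolicy.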
- Secret leak: API from a Pod, configure service accounts for pods
  - find out what secrets have been leaked
  - possible causes: env, volume mount, service account
    -- a service account bound to over-powered roles
  - set ServiceAccount.automountServiceAccountToken to false
- Find the pod that calls a certain syscall
  - a container is actually a process on the node, not a VM
  - pod id, node, container id (crictl inspect), process name, pid, then strace
- Immutable filesystem: readOnlyRootFilesystem, emptyDir
  - spec.containers[0].securityContext.readOnlyRootFilesystem: true
  - give the paths that still need writes an emptyDir: {} volume
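A single pod manifest that applies both of the hardening items above: no auto-mounted service account token (set on the ServiceAccount as the notes say, and again on the pod), a read-only root filesystem, and emptyDir volumes for the few paths the process must write. This is an added example, not a manifest from the original notes; the ServiceAccount name app-sa is constructed, and the writable paths are the ones the official nginx image needs.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
# Nothing using this SA gets a token mounted unless the pod explicitly asks for one.
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened
spec:
  serviceAccountName: app-sa
  # Pod-level setting; if both are set the pod value wins. With false there is no
  # token at /var/run/secrets/kubernetes.io/serviceaccount for a compromised
  # container to hand to the API server.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: nginx:1.25-alpine
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
      # nginx writes its pid file and cache; give those paths scratch volumes
      # instead of a writable root.
      volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx
        - name: run
          mountPath: /var/run
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
    - name: tmp
      emptyDir: {}
```

Two checks worth running after apply: `kubectl exec hardened -- touch /etc/probe` must fail with "Read-only file system", and `kubectl exec hardened -- ls /var/run/secrets/kubernetes.io/serviceaccount` must fail because the directory is absent. If the container crash-loops after enabling readOnlyRootFilesystem, its log names the path it tried to write; add one more emptyDir for it rather than turning the setting off.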
- Investigate break-in via audit log: auditing
  - grep p.auster audit.log to get the secret's name and namespace
  - change the password with echo -n newpass | base64 (-n so the newline is not encoded) and k edit secret vault-token
- A user's permissions on namespaces: RBAC
  - create a clusterrole and rolebind it in each namespace
  - since it spans multiple namespaces (system wide), we use a clusterrole instead of a role
  - --resource= can list multiple resources when creating the clusterrole
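The pattern from the notes spelled out: one ClusterRole defined once, bound with a RoleBinding in each namespace the user should see, so the permission is scoped per namespace even though the role object is cluster-wide. This is an added example, not a manifest from the original notes; the user jane, the role name deploy-reader and the namespaces team-a and team-b are constructed.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deploy-reader
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# One RoleBinding per namespace: a RoleBinding that references a ClusterRole
# grants that role's rules only inside the binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-deploy-reader
  namespace: team-a
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: deploy-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-deploy-reader
  namespace: team-b
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: deploy-reader
  apiGroup: rbac.authorization.k8s.io
```

The imperative equivalents are `kubectl create clusterrole deploy-reader --verb=get,list,watch --resource=deployments,replicasets,pods,pods/log` (the multi-resource form the notes mention) and `kubectl create rolebinding jane-deploy-reader --clusterrole=deploy-reader --user=jane -n team-a`. Verify with `kubectl auth can-i list deployments --as jane -n team-a` (yes) and `kubectl auth can-i list deployments --as jane -n kube-system` (no): a ClusterRoleBinding would have answered yes everywhere, which is exactly what this pattern avoids.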
- Docker image attack surface
  - as the title says
  - modify the Dockerfile: docker build -t -> docker run -> docker push
- Common Dockerfile security problems
  - notice all the keywords in the Dockerfile: env, password, secrets
  - notice the create-and-then-delete pattern (a file written in one layer and deleted in a later one is still present in the earlier layer of the image)
- Verify platform binary: sha512sum and uniq
  - compute sha512sum of the downloaded binary and compare it with the published hash (put both hashes in a file and run uniq: one remaining line means they match)
- Kill mining process
  - netstat -plnt | grep <port>
  - ls -l /proc/<pid>/exe   # tells where the executable is
  - kill -9 <pid>, then rm -f <executable>
Self practice