Secureish hub
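# Helm values for a hardened ("secureish") Zero-to-JupyterHub deployment.
# Top-level keys: `jupyterhub` (the z2jh subchart) and `falco` (runtime
# detection rules). Comments below explain why each knob is set.
jupyterhub:
  prePuller:
    continuous:
      enabled: false
  scheduling:
    userScheduler:
      enabled: false
  hub:
    networkPolicy:
      enabled: true
    extraConfig:
      01-no-escalation: |
        c.KubeSpawner.extra_container_config = {
            'securityContext': {
                # Force the container to run as uid 1000, regardless of what
                # the image wants. This is already the chart default.
                'runAsUser': 1000,
                # No privilege escalation whatsoever; protects against setuid
                # attacks (like bugs in 'sudo'). Not the default, but should
                # be whenever runAsUser != 0.
                'allowPrivilegeEscalation': False,
                # Make sure 'root' inside the container isn't really 'root'
                # outside it, since most linux privileges are dropped.
                # This is already the default.
                'privileged': False,
            }
        }
  proxy:
    networkPolicy:
      enabled: true
  singleuser:
    initContainers:
      # The one step that deliberately runs as root: give the per-user home
      # directory on the shared NFS volume to uid/gid 1000 before the
      # (non-root) notebook container starts.
      - name: volume-mount-hack
        # NOTE(review): tag is unpinned, so the init container image can
        # change underneath the deployment; consider pinning a tag/digest.
        image: busybox
        command: ["sh", "-c", "id && chown 1000:1000 /home/jovyan && ls -lhd /home/jovyan"]
        securityContext:
          runAsUser: 0
          capabilities:
            add:
              # NOTE(review): chown(2) needs CAP_CHOWN; FOWNER is in the usual
              # default capability set for uid 0 — confirm this add is needed.
              - FOWNER
        volumeMounts:
          - name: home
            mountPath: /home/jovyan
            # Must be the same path as storage.static.subPath below, otherwise
            # the chown lands on a directory the user pod never mounts.
            subPath: "_secureish-home/{username}"
    storage:
      type: static
      static:
        pvcName: home-nfs
        # Kept identical to the init container's subPath (was "_securish-home",
        # a typo that left the mounted home un-chowned).
        subPath: "_secureish-home/{username}"
    profileList:
      - display_name: PANGEO base image
        description: "Use the PANGEO base image"
        kubespawner_override:
          image: pangeo/pangeo-notebook:2019.08.08
      - display_name: Simple Python3 Image
        description: "Python3 and not much RAM"
        default: True
    # Extra denial of access to the kubernetes API, by explicitly unsetting
    # service accounts. Is set to this by default.
    serviceAccountName: null
    # Disable access to the cloud metadata service, which can leak cloud
    # credentials & other metadata. Is set to this by default.
    cloudMetadata:
      enabled: false
    networkPolicy:
      # Allow DNS, HTTP & HTTPS as the only outbound protocols. This protects
      # against many possible attacks, including nfsspy.
      # These rules carry no `to:` selector, so the listed ports are reachable
      # at any destination (cluster-internal services included); only UDP 53
      # is allowed, so DNS over TCP is blocked.
      enabled: true
      egress:
        - ports:
            - port: 53
              protocol: UDP
        - ports:
            - port: 80
              protocol: TCP
        - ports:
            - port: 443
              protocol: TCP
# Falco runtime rules: flag plaintext HTTP (port 80) connections made from
# inside a container, since the egress policy above still permits them.
falco:
  customRules:
    rules-http-call: |
      - macro: container
        condition: container.id != host
      - macro: outbound
        # Completed connect() on an IPv4/IPv6 socket.
        condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
      - macro: http_port
        # fd.sport is the server-side port of the connection.
        condition: fd.sport=80
      - rule: http_request_made
        desc: Outbound request that was http
        condition: container and outbound and http_port
        output: "A HTTP request was made, should be HTTPS instead"
        priority: WARNING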