filmov
tv
Kubernetes Security | Pod Security Admission Framework
Показать описание
Pod Security Admission (PSA) framework
======================================
A pod trying to run as root user
================================
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: app4
name: app4
namespace: default
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: false
runAsUser: 0
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
Another pod trying to gain host filesystem access
=================================================
apiVersion: v1
kind: Pod
metadata:
name: insecure-pod
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: host-root
mountPath: /host/root
volumes:
- name: host-root
hostPath:
path: /
A pod is trying to gain container runtime access to run its own containers on host:
==================================================================================
apiVersion: v1
kind: Pod
metadata:
name: compromised-pod
spec:
containers:
- name: compromised-container
image: alpine
command: ["/bin/sh", "-c", "sleep 3600"] # Simulate a long-running process
securityContext:
allowPrivilegeEscalation: true
volumeMounts:
- name: docker-socket
volumes:
- name: docker-socket
hostPath:
A pod with all securityContext requirements:
==============================================================
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: app3
name: app3
namespace: dev
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
securityContext:
runAsNonRoot: true
runAsUser: 102
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault # Use default seccomp profile
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
Labels for baseline:
====================
Labels for restricted:
=====================
How to apply a label on namespace:
===================================
kubernetes security
security
kubernetes
container security
kubernetes security tutorial
kubernetes security context
kubernetes security interview questions
kubernetes security tools
pod security admission
kubernetes security best practices
let's learn kubernetes security
kubernetes security challenges
chef kubernetes security posture management
pod security policies,cloud security
kubernetes admission controller
different kubernetes admission controller
#kubernetes #security
======================================
A pod trying to run as root user
================================
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: app4
name: app4
namespace: default
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: false
runAsUser: 0
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
Another pod trying to gain host filesystem access
=================================================
apiVersion: v1
kind: Pod
metadata:
name: insecure-pod
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
securityContext:
allowPrivilegeEscalation: true
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: host-root
mountPath: /host/root
volumes:
- name: host-root
hostPath:
path: /
A pod is trying to gain container runtime access to run its own containers on host:
==================================================================================
apiVersion: v1
kind: Pod
metadata:
name: compromised-pod
spec:
containers:
- name: compromised-container
image: alpine
command: ["/bin/sh", "-c", "sleep 3600"] # Simulate a long-running process
securityContext:
allowPrivilegeEscalation: true
volumeMounts:
- name: docker-socket
volumes:
- name: docker-socket
hostPath:
A pod with all securityContext requirements:
==============================================================
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: app3
name: app3
namespace: dev
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged
securityContext:
runAsNonRoot: true
runAsUser: 102
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault # Use default seccomp profile
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
Labels for baseline:
====================
Labels for restricted:
=====================
How to apply a label on namespace:
===================================
kubernetes security
security
kubernetes
container security
kubernetes security tutorial
kubernetes security context
kubernetes security interview questions
kubernetes security tools
pod security admission
kubernetes security best practices
let's learn kubernetes security
kubernetes security challenges
chef kubernetes security posture management
pod security policies,cloud security
kubernetes admission controller
different kubernetes admission controller
#kubernetes #security
0:17:09
Kubernetes Security - Pod Security Standards | How to use them to enforce security contexts
0:41:49
Day 54 - Kubernetes Pod Security Standard, Linux Capabilities, and Security Context
0:11:28
Kubernetes Security 2 - Pod Security Policy for Kubernetes Cluster
0:29:41
Kubernetes Security Best Practices you need to know | THE Guide for securing your K8s cluster!
0:35:58
Kubernetes Security - Pod Security Policies (PodSecurityPolicy) - 11
0:27:20
Setting Up Pod Security Policies in Kubernetes
0:44:45
Kubernetes v1.25 - Pod Security Admission Control - PodSecurityPolicy Successor
0:09:08
Kubernetes Security: Pod Security Context
1:19:30
90 Days DevOps Challenge | Day 26 | Kubernetes Volumes, ConfigMaps & Secrets Explained
0:05:23
Kubernetes - Pod Security
0:23:01
Kubernetes Security - Security Context for a Pod or Container - 13
0:00:36
Secure Kubernetes Pods The RIGHT way #coding #cybersecurity #kubernetes
0:56:33
Webinar: Understanding and Deploying Kubernetes Pod Security Policies
0:09:43
Pod Security Policies in Kubernetes
0:41:05
Using Pod Security Policies to harden your Kubernetes cluster
1:38:01
Kubernetes Security, Part 2: Managing POD Run Time Security
0:20:40
Kubernetes Pod Spec: Better Defaults & Security
1:11:52
Kubernetes Security | Pod Level Security and Configuration in K8s | K21Academy
1:37:10
TGI Kubernetes 171: Pod Security Problems
0:31:24
Safeguarding Kubernetes: Pod Security Admission, NeuVector & Kyverno in the Ring - Marie Padberg
1:48:01
TGI Kubernetes 078: Pod Security Policies
0:14:47
Kubernetes Security - Security Contexts | How to use them to make your Containers and Pods secure
0:05:14
EKS Pod Identity vs IRSA | Securely Connect Kubernetes Pods to AWS Services
0:40:01
Kubernetes Security After Pod Security Policies Removal - Víctor Cuadrado Juan & Raúl Cabello Ma...
Комментарии