Ensuring Pod Security for Containerized Applications in Kubernetes

Overview

In Kubernetes Pod Security Standards, different isolation levels for Pods are specified. With the help of these standards, you may specify how you want to clearly and consistently limit the behavior of pods.

Pod Security Modes and Levels

Pod Security admission places requirements on a Pod’s Security Context and other related fields according to the three levels defined by the Pod Security Standards:

• Privileged – The Privileged policy is wide-open and entirely unrestricted. Typically, this policy targets workloads at the system and infrastructure levels that privileged, trusted users control.
• Baseline – The Baseline policy is minimally restrictive policy that prevents known privilege escalations. It allows the default (minimally specified) Pod configuration. This policy is targeted at application operators and developers of non-critical applications.
• Restricted – The Restricted policy is aimed at enforcing current Pod hardening best practices at the expense of some compatibility. It is targeted at operators, developers of security-critical applications, and lower-trust users. You can configure namespaces to define the admission control mode you want to use for pod security in each namespace.
• Enforce – In this mode, policy violations will cause the pod to be rejected for creation.
• Audit – Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but pod creation will be allowed.
• Warn – Policy violations will trigger a user-facing warning, but pod creation will be allowed.

Step-by-Step Guide

Step 1. Create an Amazon EC2 instance and AWS IAM Role.

• Create an AWS IAM role
• Add permission to the role to give Amazon EC2 full access and administrator access to Amazon EC2. Give the Role name and click on Create.
• Create Amazon EC2 instance of t2.medium and ubuntu 20.4 LTS.
• Under the advanced setting, attach the AWS IAM instance profile and select the role you created.
• Add the following tags to your instance.

Note: In the security group, make sure to add 6443, 2379 port number or else you can also allow all ports.

Step 2. After cluster setup, perform the below tasks.

Create 3 namespace using the following command

Assign labels to the namespace by executing following command:

Step 3. Create below YAML files

• privileged-pod.yaml – giving priviliged access to the pod

• baseline-pod.yaml – giving baseline access to the pod

• restricted-pod.yaml – restricting privileged access to the pod

Step 4. Create different scenarios for pod security.

In this scenario, we have given enforce mode in the namespace label as mentioned in 2nd step

• Execute the below commands none of them should throw an error.

• Execute the below command to create a pod in a different namespace.

This command should throw an error because we are trying to execute a privileged access pod in a restricted mode namespace. In this case pod will not create.

This command should throw an error because we are trying to execute a privileged access pod in baseline level namespace, which should not have privileged access in this case pod will not create.

This command should throw an error because we are trying to execute a baseline pod with capabilities in a restricted level namespace which does not allow any capabilities to be added in this case pod will not create.

Make sure to delete the pod by using the command below in each namespace before going to the next scene.

kubectl delete -f <yaml file name> -n <namespace name> –force

In this scenario, we have given a warning mode in the namespace label by executing the commands below.

• Execute the below commands none of them should throw an error and warning.

• Execute the below command to create a pod in a different namespace.

In this case pod will be created by throwing and warning message of violation of restricted level.

In this case pod will be created by throwing and warning message of violation of baseline level.

In this case pod will be created by throwing and warning message of violation of restricted level.

Make sure to delete the pod by using the command below in each namespace before going to the next scenario.

In this scenario, we have given Audit mode in the namespace label by executing the commands below.

change label: pod-security.kubernetes.io/enforce=baseline as pod-security.kubernetes.io/audit=baseline

change label: pod-security.kubernetes.io/enforce=restricted as pod-security.kubernetes.io/audit=restricted

change label: pod-security.kubernetes.io/enforce=privileged as pod-security.kubernetes.io/audit=privileged

Step 5. Enabling Auditing.

To enable auditing, you need to perform below steps:

This defines what we need to audit. In this yaml file, we are auditing request, request response, and metadata for the namespace prod.

Below yaml file you need to store at location:  /etc/kubernetes/

Now, to enable auditing, we need to make some changes in the api-server configuration file. Before making any changes to the original kube-apiserver.yaml, it is best practice to make a copy of the file and then make the changes.

Go to /etc/kubernetes/manifests/kube-apiserver.yaml and add the below flags:

Then you need to mount the yaml file to the volume so the API server can read that file. And also, mount the log path where you need to store the test.log file. For storing the log file, you can give the path in the volume mount as shown below:

Add this in the volume mount section.

Add this in the volume section.

Execute the below command to create pod in different namespace.

1. kubectl apply -f privileged-pod.yaml -n prod //In this case pod will be created but the logs will be send to audit.log file which we specified in the kube-apiserve.yaml.
2. kubectl apply -f baseline-pod.yaml -n prod //In this case pod will be created but the logs will be sent to the audit.log file which we specified in the kube-apiserve.yaml.
3. Execute command tail –f /var/log/test.log to see the logs. After execution test.log file will create.

Conclusion

Pod security is critical to ensuring the safety and integrity of containerized applications within a Kubernetes cluster. By implementing effective pod security measures, organizations can mitigate potential security risks, protect sensitive data, and maintain the overall stability of their infrastructure.

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Pod Security, I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.