Voiced by Amazon Polly |
Overview
In Kubernetes Pod Security Standards, different isolation levels for Pods are specified. With the help of these standards, you may specify how you want to clearly and consistently limit the behavior of pods.
Customized Cloud Solutions to Drive your Business Success
- Cloud Migration
- Devops
- AIML & IoT
Pod Security Modes and Levels
Pod Security admission places requirements on a Pod’s Security Context and other related fields according to the three levels defined by the Pod Security Standards:
- Privileged – The Privileged policy is wide-open and entirely unrestricted. Typically, this policy targets workloads at the system and infrastructure levels that privileged, trusted users control.
- Baseline – The Baseline policy is minimally restrictive policy that prevents known privilege escalations. It allows the default (minimally specified) Pod configuration. This policy is targeted at application operators and developers of non-critical applications.
- Restricted – The Restricted policy is aimed at enforcing current Pod hardening best practices at the expense of some compatibility. It is targeted at operators, developers of security-critical applications, and lower-trust users. You can configure namespaces to define the admission control mode you want to use for pod security in each namespace.
- Enforce – In this mode, policy violations will cause the pod to be rejected for creation.
- Audit – Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but pod creation will be allowed.
- Warn – Policy violations will trigger a user-facing warning, but pod creation will be allowed.
Step-by-Step Guide
Step 1. Create an Amazon EC2 instance and AWS IAM Role.
- Create an AWS IAM role
- Add permission to the role to give Amazon EC2 full access and administrator access to Amazon EC2. Give the Role name and click on Create.
- Create Amazon EC2 instance of t2.medium and ubuntu 20.4 LTS.
- Under the advanced setting, attach the AWS IAM instance profile and select the role you created.
- Add the following tags to your instance.
Note: In the security group, make sure to add 6443, 2379 port number or else you can also allow all ports.
Step 2. After cluster setup, perform the below tasks.
Create 3 namespace using the following command
1 2 3 |
kubectl create ns dev kubectl create ns staging kubectl create ns prod |
Assign labels to the namespace by executing following command:
1 2 3 |
kubectl label ns dev pod-security.kubernetes.io/enforce=baseline kubectl label ns prod pod-security.kubernetes.io/enforce=restricted kubectl label ns staging pod-security.kubernetes.io/enforce=privileged |
Step 3. Create below YAML files
- privileged-pod.yaml – giving priviliged access to the pod
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
apiVersion: v1 kind: Pod metadata: name: busypod-priliveged spec: containers: - image: busybox name: busybox command: ["sh", "-c", 'while true; do echo "Running..."; sleep 2h; done'] imagePullPolicy: Always securityContext: privileged: true runAsUser: 0 allowPrivilegeEscalation: true readOnlyRootFilesystem: false capabilities: add: ["CAP_SYS_BOOT"] |
- baseline-pod.yaml – giving baseline access to the pod
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
apiVersion: v1 kind: Pod metadata: name: busypod-baseline spec: containers: - image: busybox name: busybox command: ["sh", "-c", 'while true; do echo "Running..."; sleep 2h; done'] imagePullPolicy: Always securityContext: privileged: false capabilities: add: ["CHOWN"] |
- restricted-pod.yaml – restricting privileged access to the pod
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
apiVersion: v1 kind: Pod metadata: name: busypod-restricted spec: containers: - image: busybox name: busybox command: ["sh", "-c", 'while true; do echo "Running..."; sleep 2h; done'] imagePullPolicy: Always securityContext: runAsUser: 3000 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" |
Step 4. Create different scenarios for pod security.
In this scenario, we have given enforce mode in the namespace label as mentioned in 2nd step
- Execute the below commands none of them should throw an error.
1 2 3 |
kubectl apply -f privileged-pod.yaml -n staging kubectl apply -f baseline-pod.yaml -n dev kubectl apply -f restricted-pod.yaml -n prod |
- Execute the below command to create a pod in a different namespace.
1 |
kubectl apply -f privileged-pod.yaml -n prod |
This command should throw an error because we are trying to execute a privileged access pod in a restricted mode namespace. In this case pod will not create.
1 |
kubectl apply -f privileged-pod.yaml -n dev |
This command should throw an error because we are trying to execute a privileged access pod in baseline level namespace, which should not have privileged access in this case pod will not create.
1 |
kubectl apply -f baseline-pod.yaml -n prod |
This command should throw an error because we are trying to execute a baseline pod with capabilities in a restricted level namespace which does not allow any capabilities to be added in this case pod will not create.
Make sure to delete the pod by using the command below in each namespace before going to the next scene.
kubectl delete -f <yaml file name> -n <namespace name> –force
In this scenario, we have given a warning mode in the namespace label by executing the commands below.
1 |
kubectl edit ns dev //change label: pod-security.kubernetes.io/enforce=baseline as pod-security.kubernetes.io/warn=baseline |
1 |
kubectl edit ns prod //change label: pod-security.kubernetes.io/enforce=restricted as pod-security.kubernetes.io/warn=restricted |
1 |
kubectl edit ns staging //change label: pod-security.kubernetes.io/enforce=privileged as pod-security.kubernetes.io/warn=privileged |
- Execute the below commands none of them should throw an error and warning.
1 2 3 |
kubectl apply -f privileged-pod.yaml -n staging kubectl apply -f baseline-pod.yaml -n dev kubectl apply -f restricted-pod.yaml -n prod |
- Execute the below command to create a pod in a different namespace.
1 |
kubectl apply -f privileged-pod.yaml -n prod |
In this case pod will be created by throwing and warning message of violation of restricted level.
1 |
kubectl apply -f privileged-pod.yaml -n dev |
In this case pod will be created by throwing and warning message of violation of baseline level.
1 |
kubectl apply -f baseline-pod.yaml -n prod |
In this case pod will be created by throwing and warning message of violation of restricted level.
Make sure to delete the pod by using the command below in each namespace before going to the next scenario.
1 |
kubectl delete -f <yaml file name> -n <namespace name> --force |
In this scenario, we have given Audit mode in the namespace label by executing the commands below.
1 |
kubectl edit ns dev |
change label: pod-security.kubernetes.io/enforce=baseline as pod-security.kubernetes.io/audit=baseline
1 |
kubectl edit ns prod |
change label: pod-security.kubernetes.io/enforce=restricted as pod-security.kubernetes.io/audit=restricted
1 |
kubectl edit ns staging |
change label: pod-security.kubernetes.io/enforce=privileged as pod-security.kubernetes.io/audit=privileged
Step 5. Enabling Auditing.
To enable auditing, you need to perform below steps:
1 |
create audit-policy.yaml |
This defines what we need to audit. In this yaml file, we are auditing request, request response, and metadata for the namespace prod.
Below yaml file you need to store at location: /etc/kubernetes/
1 2 3 4 5 6 7 8 |
apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata namespaces: ["prod"] resources: - group: "" resources: ["pods/log", "pods/status"] |
Now, to enable auditing, we need to make some changes in the api-server configuration file. Before making any changes to the original kube-apiserver.yaml, it is best practice to make a copy of the file and then make the changes.
Go to /etc/kubernetes/manifests/kube-apiserver.yaml and add the below flags:
1 2 3 |
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml - --audit-log-path=/var/log/test.log - --audit-log-maxage=30 |
Then you need to mount the yaml file to the volume so the API server can read that file. And also, mount the log path where you need to store the test.log file. For storing the log file, you can give the path in the volume mount as shown below:
Add this in the volume mount section.
1 2 3 4 5 6 7 |
volumeMounts: - mountPath: /etc/kubernetes/audit-policy.yaml name: audit readOnly: true - mountPath: /var/log/test.log name: audit-log readOnly: false |
Add this in the volume section.
1 2 3 4 5 6 7 8 9 |
volumes: - name: audit hostPath: path: /etc/kubernetes/audit-policy.yaml type: File - name: audit-log hostPath: path: /var/log/test.log type: FileOrCreate |
Execute the below command to create pod in different namespace.
- kubectl apply -f privileged-pod.yaml -n prod //In this case pod will be created but the logs will be send to audit.log file which we specified in the kube-apiserve.yaml.
- kubectl apply -f baseline-pod.yaml -n prod //In this case pod will be created but the logs will be sent to the audit.log file which we specified in the kube-apiserve.yaml.
- Execute command tail –f /var/log/test.log to see the logs. After execution test.log file will create.
Conclusion
Pod security is critical to ensuring the safety and integrity of containerized applications within a Kubernetes cluster. By implementing effective pod security measures, organizations can mitigate potential security risks, protect sensitive data, and maintain the overall stability of their infrastructure.
Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.
- Cloud Training
- Customized Training
- Experiential Learning
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. What is meant by pod security?
ANS: – Pod Security Policies (PSPs) are admission controllers in Kubernetes that provide authorization policies for creating and updating pods, allowing fine-grained control over security-sensitive aspects of pod specifications. They operate at the cluster level and enforce security policies for users and service accounts.
2. Why is pod security important in Kubernetes?
ANS: – Pod security is important in Kubernetes to ensure containerized applications’ isolation, integrity, and confidentiality. Organizations can protect sensitive data, prevent unauthorized access, and mitigate potential security risks by implementing pod security measures.

WRITTEN BY Shubh Dadhich
Comments