Cloud Computing, DevOps, Kubernetes

6 Mins Read

Ensuring Pod Security for Containerized Applications in Kubernetes

Voiced by Amazon Polly

Overview

In Kubernetes Pod Security Standards, different isolation levels for Pods are specified. With the help of these standards, you may specify how you want to clearly and consistently limit the behavior of pods.

Kubernetes provides a built-in Pod Security admission controller to enforce the Pod Security Standards. When creating a pod, security constraints are implemented at the namespace level.

Freedom Month Sale — Upgrade Your Skills, Save Big!

  • Up to 80% OFF AWS Courses
  • Up to 30% OFF Microsoft Certs
Act Fast!

Pod Security Modes and Levels

Pod Security admission places requirements on a Pod’s Security Context and other related fields according to the three levels defined by the Pod Security Standards:

  • Privileged – The Privileged policy is wide-open and entirely unrestricted. Typically, this policy targets workloads at the system and infrastructure levels that privileged, trusted users control.
  • Baseline – The Baseline policy is minimally restrictive policy that prevents known privilege escalations. It allows the default (minimally specified) Pod configuration. This policy is targeted at application operators and developers of non-critical applications.
  • Restricted – The Restricted policy is aimed at enforcing current Pod hardening best practices at the expense of some compatibility. It is targeted at operators, developers of security-critical applications, and lower-trust users. You can configure namespaces to define the admission control mode you want to use for pod security in each namespace.
  • Enforce – In this mode, policy violations will cause the pod to be rejected for creation.
  • Audit – Policy violations will trigger the addition of an audit annotation to the event recorded in the audit log, but pod creation will be allowed.
  • Warn – Policy violations will trigger a user-facing warning, but pod creation will be allowed.

Step-by-Step Guide

Step 1. Create an Amazon EC2 instance and AWS IAM Role.

  • Create an AWS IAM role
  • Add permission to the role to give Amazon EC2 full access and administrator access to Amazon EC2. Give the Role name and click on Create.
  • Create Amazon EC2 instance of t2.medium and ubuntu 20.4 LTS.
  • Under the advanced setting, attach the AWS IAM instance profile and select the role you created.
  • Add the following tags to your instance.

Note: In the security group, make sure to add 6443, 2379 port number or else you can also allow all ports.

Step 2. After cluster setup, perform the below tasks.

Create 3 namespace using the following command

Assign labels to the namespace by executing following command:

Step 3. Create below YAML files

  • privileged-pod.yaml – giving priviliged access to the pod
  • baseline-pod.yaml – giving baseline access to the pod
  • restricted-pod.yaml – restricting privileged access to the pod

Step 4. Create different scenarios for pod security.

In this scenario, we have given enforce mode in the namespace label as mentioned in 2nd step

  • Execute the below commands none of them should throw an error.
  • Execute the below command to create a pod in a different namespace.

This command should throw an error because we are trying to execute a privileged access pod in a restricted mode namespace. In this case pod will not create.

This command should throw an error because we are trying to execute a privileged access pod in baseline level namespace, which should not have privileged access in this case pod will not create.

This command should throw an error because we are trying to execute a baseline pod with capabilities in a restricted level namespace which does not allow any capabilities to be added in this case pod will not create.

step4

Make sure to delete the pod by using the command below in each namespace before going to the next scene.

kubectl delete -f <yaml file name> -n <namespace name> –force

In this scenario, we have given a warning mode in the namespace label by executing the commands below.

step4b

step4c

step4d

  • Execute the below commands none of them should throw an error and warning.
  • Execute the below command to create a pod in a different namespace.

In this case pod will be created by throwing and warning message of violation of restricted level.

In this case pod will be created by throwing and warning message of violation of baseline level.

In this case pod will be created by throwing and warning message of violation of restricted level.

step4e

Make sure to delete the pod by using the command below in each namespace before going to the next scenario.

In this scenario, we have given Audit mode in the namespace label by executing the commands below.

change label: pod-security.kubernetes.io/enforce=baseline as pod-security.kubernetes.io/audit=baseline

step4f

change label: pod-security.kubernetes.io/enforce=restricted as pod-security.kubernetes.io/audit=restricted

step4g

change label: pod-security.kubernetes.io/enforce=privileged as pod-security.kubernetes.io/audit=privileged

step4h

Step 5. Enabling Auditing.

To enable auditing, you need to perform below steps:

This defines what we need to audit. In this yaml file, we are auditing request, request response, and metadata for the namespace prod.

Below yaml file you need to store at location:  /etc/kubernetes/

Now, to enable auditing, we need to make some changes in the api-server configuration file. Before making any changes to the original kube-apiserver.yaml, it is best practice to make a copy of the file and then make the changes.

Go to /etc/kubernetes/manifests/kube-apiserver.yaml and add the below flags:

Then you need to mount the yaml file to the volume so the API server can read that file. And also, mount the log path where you need to store the test.log file. For storing the log file, you can give the path in the volume mount as shown below:

Add this in the volume mount section.

Add this in the volume section.

Execute the below command to create pod in different namespace.

  1. kubectl apply -f privileged-pod.yaml -n prod //In this case pod will be created but the logs will be send to audit.log file which we specified in the kube-apiserve.yaml.
  2. kubectl apply -f baseline-pod.yaml -n prod //In this case pod will be created but the logs will be sent to the audit.log file which we specified in the kube-apiserve.yaml.
  3. Execute command tail –f /var/log/test.log to see the logs. After execution test.log file will create.

Conclusion

Pod security is critical to ensuring the safety and integrity of containerized applications within a Kubernetes cluster. By implementing effective pod security measures, organizations can mitigate potential security risks, protect sensitive data, and maintain the overall stability of their infrastructure.

Freedom Month Sale — Discounts That Set You Free!

  • Up to 80% OFF AWS Courses
  • Up to 30% OFF Microsoft Certs
Act Fast!

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. What is meant by pod security?

ANS: – Pod Security Policies (PSPs) are admission controllers in Kubernetes that provide authorization policies for creating and updating pods, allowing fine-grained control over security-sensitive aspects of pod specifications. They operate at the cluster level and enforce security policies for users and service accounts.

2. Why is pod security important in Kubernetes?

ANS: – Pod security is important in Kubernetes to ensure containerized applications’ isolation, integrity, and confidentiality. Organizations can protect sensitive data, prevent unauthorized access, and mitigate potential security risks by implementing pod security measures.

WRITTEN BY Shubh Dadhich

Share

Comments

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!