Initial Unsafe K8s Deployment

Last updated 2 years ago

This page deploys the demo application to Kubernetes with a plain Kubernetes deployment manifest that sets no security context at all, so the container runs as the root user.

For details on the demo application see the hello spring boot application section.

Deploy the application

The corresponding container image andifalk/hello-root is pulled from its Docker Hub repository.

The application is deployed using the following deployment yaml file k8s/deploy.yaml (note that neither the pod nor the container defines a securityContext or any resource limits):

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hello-root
  name: hello-root
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-root
  template:
    metadata:
      labels:
        app: hello-root
    spec:
      containers:
      - image: andifalk/hello-root:latest
        name: hello-root
        readinessProbe:
          httpGet:
            path: /actuator/health
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
      restartPolicy: Always

Deploy it by running kubectl apply -f ./deploy.yaml in the k8s directory.

Static analysis of Deployment

Note that without a securityContext the container runs as whatever user the image defines, which is root for this image, and Kubernetes does not prohibit this by default. Run kubeaudit against the namespace the application was deployed to:

kubeaudit nonroot -n default

This should result in an output similar to this:

INFO[0000] Not running inside cluster, using local config
ERRO[0000] RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!  Container=hello-root...
ERRO[0000] RunAsNonRoot is not set in ContainerSecurityContext, which results in root user being allowed!  Container=hello-root...

An alternative tool for this is popeye. Run it against your current cluster:

popeye

It is also possible to check the deployment yaml file directly, without a cluster, using kube-score:

kube-score score ./deploy.yaml

This will show an output similar to this one:

[CRITICAL] Container Security Context
        · hello-root -> Container has no configured security context
            Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
        · hello-root -> CPU limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.cpu
        · hello-root -> Memory limit is not set
            Resource limits are recommended to avoid resource DDOS. Set resources.limits.memory

You can also verify which user the running container actually uses by executing whoami inside it (look up your own pod name first, the suffix will differ):

kubectl get pods
...
kubectl exec hello-root-59f59fb9b8-878rk -it -- whoami

Note: If you have deployed the JIB container image, the base image is a distroless image, meaning there is no shell and no whoami binary inside the container, so the command above cannot be used there.

Next

As shown above, a tool like kubeaudit proves that this container does run as root. The next section fixes this with a Pod Security Context.