docs: add SECURITY_GUIDANCE.md #821

Merged
merged 1 commit into from
Mar 6, 2020

@bcressey bcressey commented Mar 4, 2020

Issue number:
#766

Description of changes:
Adds documentation for security recommendations and example configurations.

Testing done:
Verified that a specially crafted pod was rejected by the example PSP policy.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: attack-pod
spec:
  volumes:
  - name: api-socket
    hostPath:
      path: /run/api.sock
  hostNetwork: true
  hostIPC: true
  hostPID: true
  securityContext:
    runAsUser: 1
    runAsGroup: 1
    fsGroup: 274
    seLinuxOptions:
      user: system_u
      role: system_r
      type: super_t
      level: s0
  containers:
  - name: pause
    image: k8s.gcr.io/pause
    volumeMounts:
    - mountPath: /run/api.sock
      name: api-socket
    securityContext:
      allowPrivilegeEscalation: true
      privileged: true
```

```text
Error from server (Forbidden): error when creating "attack-pod.yaml": pods "attack-pod" is forbidden: unable to validate against any pod security policy: [spec.securityContext.fsGroup: Invalid value: []int64{274}: group 274 must be in the ranges: [{1000 65535}] spec.securityContext.seLinuxOptions.type: Invalid value: "super_t": must be container_t spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.runAsUser: Invalid value: 1: must be in the ranges: [{1000 65535}] spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "super_t": must be container_t spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed]
```

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
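
The rejection message in the description above runs every violation together on one line. The following added example (not part of the pull request or the project's code) splits it into one entry per rejected field and groups the entries by pod-level and container-level settings; the function names `split_violations` and `by_scope` are hypothetical helpers introduced here.

```python
import re

# Violations copied from the rejection message in the PR description
# (the text between the square brackets).
REJECTION = (
    'spec.securityContext.fsGroup: Invalid value: []int64{274}: group 274 must be in the ranges: [{1000 65535}] '
    'spec.securityContext.seLinuxOptions.type: Invalid value: "super_t": must be container_t '
    'spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used '
    'spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used '
    'spec.securityContext.hostIPC: Invalid value: true: Host IPC is not allowed to be used '
    'spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 1: must be in the ranges: [{1000 65535}] '
    'spec.containers[0].securityContext.seLinuxOptions.type: Invalid value: "super_t": must be container_t '
    'spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed '
    'spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: '
    'Allowing privilege escalation for containers is not allowed'
)

# Each violation begins with a field path followed by ": Invalid value: ".
FIELD = re.compile(r'(spec(?:\.\w+(?:\[\d+\])?)+): Invalid value: ')
CONTAINER = re.compile(r'spec\.containers\[(\d+)\]\.')


def split_violations(message):
    """Return (field_path, detail) pairs in the order they appear."""
    hits = list(FIELD.finditer(message))
    pairs = []
    for i, hit in enumerate(hits):
        # The detail runs until the next field path (or the end of the message).
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        pairs.append((hit.group(1), message[hit.end():end].strip()))
    return pairs


def by_scope(violations):
    """Group violations under 'pod' or 'container[N]' keys."""
    scopes = {}
    for field, detail in violations:
        m = CONTAINER.match(field)
        key = f'container[{m.group(1)}]' if m else 'pod'
        scopes.setdefault(key, []).append((field, detail))
    return scopes


if __name__ == '__main__':
    for scope, items in by_scope(split_violations(REJECTION)).items():
        print(scope)
        for field, detail in items:
            print(f'  {field}: {detail}')
```

Comparing the parsed fields with the manifest shows that `runAsGroup: 1` is the one non-default security setting in the test pod that does not appear among the rejected fields.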


@tjkirch tjkirch left a comment

With the policy in place, you were able to do normal, useful things with a pod, right? :)

bcressey commented Mar 4, 2020

> With the policy in place, you were able to do normal, useful things with a pod, right? :)

This policy is sufficiently restrictive that it won't work for all workloads; some of the pods in the kube-system namespace need a different policy to function correctly.

@abby-fuller abby-fuller left a comment

I was in the middle of commenting more things, but you addressed them on the fly!

@bcressey bcressey merged commit 04c3ca8 into develop Mar 6, 2020
@bcressey bcressey deleted the security-recommendations branch March 6, 2020 21:34