kube-bench usage example, 2. Running kube-bench

# kubectl apply -f job-master.yaml
job.batch/kube-bench-master created
# kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-master-kvjt7   0/1     Completed   0          64m

Wait until STATUS shows Completed (the Job runs the benchmark once and exits; the results are in the Pod's log).
kube-bench usage example, 3. Checking the results

# kubectl logs kube-bench-master-kvjt7
(omitted)
[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
(omitted)
== Remediations master ==
(omitted)
1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.
(omitted)

For every [FAIL] item, kube-bench also prints the remediation, so apply the configuration it describes. In this case, add PodSecurityPolicy to the --enable-admission-plugins flag in /etc/kubernetes/manifests/kube-apiserver.yaml on the control-plane node. Because kube-apiserver runs as a static Pod, the kubelet recreates it automatically once the manifest file is saved; no separate restart step is needed. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on those versions the equivalent control is Pod Security Admission (the built-in PodSecurity plugin) rather than the PSP plugin named in this check.
When the target is a cluster-scoped resource, use ClusterRole and ClusterRoleBinding.

[Figure: RBAC scoping. Inside a Namespace (Namespace A, Namespace B), a Role is bound to Users by a RoleBinding and only grants access within that namespace; at the Cluster level, a ClusterRole is bound to Users by a ClusterRoleBinding and grants access across the cluster.]
Listing Pods as the pod-sa service account (allowed; the namespace simply contains no Pods):

# kubectl --as=system:serviceaccount:default:pod-sa get pods
No resources found in default namespace.

Attempting to create a Pod as the pod-sa service account (denied):

# kubectl --as=system:serviceaccount:default:pod-sa run nginx --image=nginx
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:pod-sa" cannot create resource "pods" in API group "" in the namespace "default"

The --as flag makes kubectl impersonate the service account, so the responses reflect that account's RBAC permissions rather than the administrator's. The caller itself must hold the impersonate verb, which cluster-admin has.
Attempting to create a Namespace as the namespace-sa service account (denied; note the error says "at the cluster scope", because namespaces are cluster-scoped resources):

# kubectl --as=system:serviceaccount:default:namespace-sa create namespace mynamespace
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:namespace-sa" cannot create resource "namespaces" in API group "" at the cluster scope

Listing Namespaces as the namespace-sa service account (allowed):

# kubectl --as=system:serviceaccount:default:namespace-sa get namespaces
NAME               STATUS   AGE
calico-apiserver   Active   4h15m
calico-system      Active   4h16m
default            Active   4h18m
kube-node-lease    Active   4h18m
kube-public        Active   4h18m
kube-system        Active   4h18m
tigera-operator    Active   4h16m
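The RBAC objects that produce exactly the results shown in the two transcripts above, as an added example (not part of the original slides). The service account names pod-sa and namespace-sa are the ones used on the slides; the Role, ClusterRole and binding names are assumptions. The first pair uses a namespaced Role/RoleBinding because Pods are namespaced; the second pair uses ClusterRole/ClusterRoleBinding because Namespaces are cluster-scoped and no Role can grant access to them. Both grant read verbs only, which is why the create attempts are Forbidden.

```yaml
# Added example (not from the original slides). Assumed names: Role
# "pod-reader", ClusterRole "namespace-reader" and the two bindings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-sa
  namespace: default
---
# Pods are namespaced, so a Role scoped to "default" is sufficient.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]                 # core API group, shown as API group "" in the error
  resources: ["pods"]
  verbs: ["get", "list", "watch"] # no "create": "kubectl run" is rejected
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: pod-sa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: namespace-sa
  namespace: default
---
# Namespaces are cluster-scoped ("at the cluster scope" in the error),
# so a ClusterRole bound with a ClusterRoleBinding is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-reader
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"] # no "create": "create namespace" is rejected
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader-binding
subjects:
- kind: ServiceAccount
  name: namespace-sa
  namespace: default              # the ServiceAccount object itself still lives in a namespace
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io
```

After kubectl apply -f, the permissions can be checked without creating anything: kubectl auth can-i create pods --as=system:serviceaccount:default:pod-sa answers "no", and kubectl auth can-i list namespaces --as=system:serviceaccount:default:namespace-sa answers "yes". A ClusterRole may also be referenced from a RoleBinding; in that case it grants access only within the RoleBinding's namespace, which is a common way to reuse one role definition across namespaces without granting cluster-wide access.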
Field Names                                                                   Control Aspect
privileged                                                                    Running of privileged containers
hostPID, hostIPC                                                              Usage of host namespaces
hostNetwork, hostPorts                                                        Usage of host networking and ports
volumes                                                                       Usage of volume types
allowedHostPaths                                                              Usage of the host filesystem
allowedFlexVolumes                                                            Allow specific FlexVolume drivers
fsGroup                                                                       Allocating an FSGroup that owns the pod's volumes
readOnlyRootFilesystem                                                        Requiring the use of a read only root file system
runAsUser, runAsGroup, supplementalGroups                                     The user and group IDs of the container
allowPrivilegeEscalation, defaultAllowPrivilegeEscalation                     Restricting escalation to root privileges
defaultAddCapabilities, requiredDropCapabilities, allowedCapabilities         Linux capabilities
seLinux                                                                       The SELinux context of the container
allowedProcMountTypes                                                         The Allowed Proc Mount types for the container
annotations                                                                   The AppArmor profile used by containers
annotations                                                                   The seccomp profile used by containers
forbiddenSysctls, allowedUnsafeSysctls                                        The sysctl profile used by containers

Source: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
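A restrictive PodSecurityPolicy that sets every control in the table above, as an added example (not from the original slides or from the Kubernetes documentation). The policy name "restricted" and the RBAC object names are assumptions. The second and third objects matter in practice: the PSP admission plugin only applies a policy when the user creating the Pod, or the Pod's ServiceAccount, is authorized to "use" it, so without the ClusterRole/ClusterRoleBinding every Pod creation would be rejected once the plugin is enabled. As noted earlier, PSP was removed in Kubernetes 1.25; this manifest is for clusters that still run the plugin.

```yaml
# Added example (not from the original slides). Names are assumptions.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    # AppArmor and seccomp are controlled via annotations on the PSP,
    # not via spec fields (the two "annotations" rows in the table).
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                 # no privileged containers
  hostPID: false                    # no host PID / IPC namespaces
  hostIPC: false
  hostNetwork: false                # no host networking
  hostPorts: []                     # empty list: no host ports may be used
  volumes:                          # allow-list of volume types; hostPath is deliberately absent
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
  # allowedHostPaths is omitted: it only matters when hostPath is in "volumes"
  allowedFlexVolumes: []            # no FlexVolume drivers
  readOnlyRootFilesystem: true      # writable paths must come from volumes
  runAsUser:
    rule: MustRunAsNonRoot          # UID 0 is rejected at admission
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  allowPrivilegeEscalation: false   # blocks setuid/setgid binaries and file capabilities
  defaultAllowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"] # every Linux capability is dropped
  allowedCapabilities: []
  defaultAddCapabilities: []
  seLinux:
    rule: RunAsAny                  # keep the node's SELinux defaults
  allowedProcMountTypes: ["Default"] # no "Unmasked" /proc
  forbiddenSysctls: ["*"]           # no sysctls at all
  allowedUnsafeSysctls: []
---
# Grants the "use" verb on this PSP; a PSP that nobody may use admits nothing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-all-serviceaccounts
roleRef:
  kind: ClusterRole
  name: psp-restricted-user
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:serviceaccounts     # every ServiceAccount in the cluster
  apiGroup: rbac.authorization.k8s.io
```

Whether a given account can use the policy can be checked with kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:default:pod-sa. With the policy in place, a Pod that requests privileged: true or hostNetwork: true is rejected at admission with an error naming the violated PSP rule, rather than being scheduled and then failing.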
RuntimeClass

Kubernetes provides a mechanism (RuntimeClass) for selecting an OCI container runtime such as gVisor or Kata Containers when a Pod is started. It can be used to apply security controls at the container runtime level, for example running untrusted workloads in a sandboxed runtime while the rest of the cluster keeps the default runtime.
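Selecting gVisor for a single Pod through RuntimeClass, as an added example (not from the original slides). The handler name "runsc" and the node label are assumptions: the handler must match the runtime handler name configured in the node's CRI (containerd or CRI-O) for gVisor, and a Pod whose RuntimeClass handler is not configured on the node it lands on fails to start, which is why the optional scheduling block pins such Pods to labelled nodes.

```yaml
# Added example (not from the original slides). The handler "runsc" and the
# label runtime.example.com/gvisor are assumptions that must match the
# node-side configuration.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc                   # name of the CRI runtime handler configured for gVisor
scheduling:
  nodeSelector:                  # only schedule onto nodes that have the handler installed
    runtime.example.com/gvisor: "true"
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-sandboxed
spec:
  runtimeClassName: gvisor       # remove this line and the Pod runs on the default runtime (runc)
  containers:
  - name: nginx
    image: nginx
```

kubectl get runtimeclass lists the classes defined in the cluster. Inside a running Pod, dmesg shows gVisor's own kernel log instead of the host kernel's, which is a quick way to confirm that the sandbox is actually in use rather than silently falling back to the default runtime.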