{{tag>Brouillon K8S Sécurité}}

# Kubernetes (k8s) notes - security

See:

* [[Scan de vulnérabilité pour les images de conteneurs]]
* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
* https://blog.octo.com/securite-pods-isolation-runtimeclass
* https://github.com/BishopFox/badPods
* https://medium.com/@ninapepite/outils-de-s%C3%A9curit%C3%A9-gratuit-pour-kubernetes-introduction-%C3%A0-m9sweeper-edf9b3800e19
* Kube-bench
* https://www.checkpoint.com/fr/cyber-hub/cloud-security/what-is-kubernetes/kubernetes-runtime-security/
* https://www.wiz.io/academy/kubernetes-security-best-practices
* https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
* https://blog.stephane-robert.info/docs/conteneurs/orchestrateurs/outils/popeye/

Containers:

* https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/
* https://docs.docker.com/engine/security/#docker-daemon-attack-surface

## Ensure Containers Do Not Run As Root

Source: https://www.fairwinds.com/blog/kubernetes-basics-tutorial-ensure-containers-do-not-run-as-root

Pod-level ''securityContext'' (applies to every container in the pod):

~~~yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
~~~

Container-level ''securityContext'' (takes precedence over the pod-level one for that container):

~~~yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
  - name: busybox
    image: busybox
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      # allowPrivilegeEscalation: false
      # privileged: false
~~~

If there are no non-root users in the Docker image, you may also need to create one in the Dockerfile, with:

~~~bash
RUN useradd nonroot -u 1000 --user-group
# useradd is a low level utility for adding users. On Debian, administrators should usually use adduser(8) instead.
~~~

### Forbid the host namespaces

How? The settings below give a container the node's PID, IPC and network namespaces and its whole filesystem; they are the ones to refuse:
~~~yaml
spec:
  hostPID: true        # shares the node's process namespace
  hostIPC: true        # shares the node's IPC namespace
  hostNetwork: true    # shares the node's network stack
  volumes:
  - name: host-filesystem
    hostPath:
      path: /          # mounts the node's root filesystem
~~~

### Other

Source: https://medium.com/@mughal.asim/kubernetes-security-contexts-series-part-3-running-containers-as-non-root-0b7ebd54636c

* ''runAsNonRoot: true'': ensures that the container does not run as root. If the image's default user is root, Kubernetes will refuse to start the pod.
* ''runAsUser: 1000'' & ''runAsGroup: 3000'': forces the container to use a specific non-root user (UID 1000) and group (GID 3000).
* ''fsGroup: 2000'': ensures that files created in shared volumes have the correct group ownership.
* Container security settings: setting ''privileged: false'', ''allowPrivilegeEscalation: false'', and dropping all capabilities dramatically limits what processes within the container can do.

Settings to avoid in a ''spec'':

~~~yaml
securityContext:
  runAsUser: 0
  allowPrivilegeEscalation: true
~~~

Use:

* ServiceAccount
* RBAC
* mTLS between services
* the EncryptionConfiguration resource for secrets (HashiCorp Vault)
* Secure etcd
* Don't allow pods that run containers as root
* Security policies (Open Policy Agent / Kyverno)

Use:

* NetworkPolicy (by default every node can communicate with every node), or a ServiceMesh (sidecar)

## Security analysis tools

See:

* m9sweeper

### Kube-bench

Step 1: Download the official job manifest

Clone the kube-bench repo or grab ''job.yaml'' from the GitHub releases page.
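The following script is an added example (not code from this page, from the Fairwinds or Medium sources, or from any Kubernetes project) that turns the two checklists above into a static check: it audits a Pod manifest for the settings listed under "Ensure Containers Do Not Run As Root", "Forbid the host namespaces" and "Other", and it checks whether a namespace has a default-deny NetworkPolicy as suggested in the NetworkPolicy bullet. It works on manifests already parsed into Python dicts (what ''yaml.safe_load'' or ''kubectl get ... -o json'' would give), so it needs neither PyYAML nor a cluster; the function names ''audit_pod'' and ''has_default_deny'' and the sample manifests are constructed for the demonstration.

```python
"""Static hardening checks for Pod and NetworkPolicy manifests.

Added example: the manifests below are constructed samples, and the
function names are hypothetical. Input is a parsed manifest (dict).
"""

HOST_NAMESPACE_KEYS = ("hostPID", "hostIPC", "hostNetwork")


def audit_pod(manifest):
    """Return a list of finding strings for one Pod manifest (empty = clean)."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    # Sharing a host namespace removes the isolation between container and node.
    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key) is True:
            findings.append(f"spec.{key}: true")

    # Any hostPath volume exposes part of the node's filesystem; "/" exposes all of it.
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            findings.append(f"hostPath volume '{vol.get('name')}' mounts {path}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        # Container-level securityContext takes precedence over pod-level fields.
        ctx = {**pod_ctx, **c.get("securityContext", {})}
        if ctx.get("runAsUser") == 0:
            findings.append(f"{name}: runAsUser: 0")
        if ctx.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        if ctx.get("privileged") is True:
            findings.append(f"{name}: privileged: true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings


def has_default_deny(policies, namespace):
    """True if `namespace` has a NetworkPolicy that selects every pod
    (empty podSelector) and denies all ingress and egress (both policyTypes
    declared, no allow rules)."""
    for pol in policies:
        if pol.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = pol.get("spec", {})
        if spec.get("podSelector", {}) != {}:
            continue  # a non-empty selector only covers some of the pods
        types = set(spec.get("policyTypes", []))
        if {"Ingress", "Egress"} <= types and not spec.get("ingress") and not spec.get("egress"):
            return True
    return False


# Constructed sample: the settings the note says to forbid, in one pod.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "host-filesystem", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "busybox",
                        "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": True}}],
    },
}

# Constructed sample: the hardened counterpart built from the bullet list above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "app", "image": "busybox",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

# Constructed sample: default-deny NetworkPolicy for the namespace "prod".
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
    for ns in ("prod", "dev"):
        print(ns, "default deny:", has_default_deny([DEFAULT_DENY], ns))
```

Run against the output of ''kubectl get pods -A -o json'' (iterate over ''items'') the same function lists every pod that still needs one of the settings above; the hardened sample produces no findings, the weak one produces seven.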
~~~bash
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
# or
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
~~~

Step 2: Apply the job to your cluster

~~~bash
kubectl apply -f job.yaml
~~~

Step 3: Watch the pod until it shows as Completed

~~~bash
kubectl get pods -w
~~~

Step 4: Review the results (replace the pod name with the one shown in step 3)

~~~bash
# kubectl logs -l job-name=kube-bench
kubectl logs pod/kube-bench-6zgst
~~~

Running kube-bench directly with podman (host PID namespace and read-only mounts of ''/etc'' and ''/var'' so it can inspect the node's configuration):

~~~bash
podman run --pid=host -v /etc:/etc:ro -v /var:/var:ro \
  -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl \
  -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config \
  -t docker.io/aquasec/kube-bench:latest run
~~~

### kubescape

See:

* https://blog.stephane-robert.info/docs/securiser/conteneurs/kubescape/

Install:

~~~bash
kubectl krew update
kubectl krew install kubescape
~~~

Scan:

~~~bash
kubectl kubescape scan
kubescape scan --format html --output results.html
~~~

See Trivy: [[Scan de vulnérabilité pour les images de conteneurs]]