Security Context
Tips and Tricks
For simulated practice problems visit KillerCoda.
- Create a `busybox` pod named `bi` in which the security context sets the user to `500` and the group to `800`. Run the command `sleep 3600` in the pod.

  Solution

  ```bash
  # generate pod yaml (k is assumed to be an alias for kubectl)
  k run bi --image=busybox --dry-run=client -o yaml > pod.yaml
  ```

  Modify the generated `pod.yaml` so the pod-level security context carries the user and group:

  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      run: bi
    name: bi
  spec:
    securityContext:        # pod-level: applies to every container in the pod
      runAsUser: 500
      runAsGroup: 800
    containers:
    - image: busybox
      name: bi
      command: ["sleep", "3600"]
      resources: {}
    dnsPolicy: ClusterFirst
    restartPolicy: Always
  ```

  ```bash
  # create the pod
  k create -f pod.yaml
  # check the effective security context values inside the container
  k exec bi -ti -- id
  ```
- Run an `nginx:alpine` pod named `scorpion`; the running container should not have privilege escalation enabled.

  Solution

  ```bash
  # generate pod yaml
  # $dr is assumed to be a shell variable holding "--dry-run=client -o yaml"
  k run scorpion --image=nginx:alpine $dr > pod.yaml
  ```

  Modify the generated `pod.yaml` and add a container-level security context:

  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      run: scorpion
    name: scorpion
  spec:
    containers:
    - image: nginx:alpine
      name: scorpion
      securityContext:                 # add this security context for the container
        allowPrivilegeEscalation: false
    dnsPolicy: ClusterFirst
    restartPolicy: Always
  ```

  ```bash
  # create the pod
  k create -f pod.yaml
  ```
-

  Solution

  ```bash
  # generate pod yaml
  # $dr is assumed to be a shell variable holding "--dry-run=client -o yaml"
  k run proc --image=nginx:alpine $dr > pod.yaml
  ```

  Modify the generated `pod.yaml` and add the required capabilities to the container's security context:

  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    creationTimestamp: null
    labels:
      run: proc
    name: proc
  spec:
    containers:
    - image: nginx:alpine
      name: proc
      securityContext:
        capabilities:
          add: ["SYS_TIME", "NET_ADMIN"]   # set the required capabilities
    dnsPolicy: ClusterFirst
    restartPolicy: Always
  ```

  ```bash
  # create the pod
  k create -f pod.yaml
  ```
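The three exercises above each set one piece of a pod's security context. The audit below, an added example that is not part of the original page, checks a manifest for all of them at once (non-root user and group, `allowPrivilegeEscalation: false`, and added capabilities outside an assumed allowlist), taking the container-level override over the pod-level value. The manifests are rebuilt inline as dicts in the same shape as the YAML above so the check runs offline; `ALLOWED_ADD_CAPS` is an assumed policy, not something the page defines.

```python
"""Audit Pod manifests for the securityContext settings exercised above."""
# Assumption: manifests are already loaded as dicts (e.g. from yaml.safe_load
# of pod.yaml); they are constructed inline here so the audit runs offline.

# Capabilities considered acceptable to add for this audit (assumed policy).
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passes."""
    findings = []
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        csc = c.get("securityContext", {})
        # container-level values override pod-level ones
        uid = csc.get("runAsUser", pod_sc.get("runAsUser"))
        gid = csc.get("runAsGroup", pod_sc.get("runAsGroup"))
        if uid is None or uid == 0:
            findings.append(f"{name}: runAsUser missing or root (got {uid})")
        if gid is None or gid == 0:
            findings.append(f"{name}: runAsGroup missing or root group (got {gid})")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        extra = set(csc.get("capabilities", {}).get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            findings.append(f"{name}: adds capabilities {sorted(extra)}")
    return findings


def make_pod(name, image, pod_sc=None, container_sc=None):
    """Build a minimal Pod dict in the same shape as the manifests above."""
    container = {"image": image, "name": name}
    if container_sc:
        container["securityContext"] = container_sc
    spec = {"containers": [container]}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed inputs mirroring the three exercises on this page
BI = make_pod("bi", "busybox", pod_sc={"runAsUser": 500, "runAsGroup": 800})
SCORPION = make_pod("scorpion", "nginx:alpine", container_sc={"allowPrivilegeEscalation": False})
PROC = make_pod("proc", "nginx:alpine", container_sc={"capabilities": {"add": ["SYS_TIME", "NET_ADMIN"]}})

if __name__ == "__main__":
    for pod in (BI, SCORPION, PROC):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Each exercise pod passes its own check but fails the others, which is the point: the settings are independent and a hardened manifest needs all of them.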