1a8fb44b78
* first pass * fix up homepage * more work * housekeeping * add script to modify home link * add check docs * build docs site * Create CNAME * fix path to check-docs * update from template * fix logo in readme * fix link * remove logspam * remove old folders * fix all links * fix up readme * change up Insights description * add customization docs * phrasing * title * titles * titles * change webhook docs * refresh template * rebuild site * refresh from template repo * phrasing * add tagline * update readme\, add readme sync script * fix logo * rebuild * fix readme script * rebuild
3.4 KiB
Security
These checks are related to security concerns. Workloads that fail these checks may make your cluster more vulnerable, often by introducing a path for privilege escalation.
| key | default | description |
|---|---|---|
security.hostIPCSet |
danger |
Fails when hostIPC attribute is configured. |
security.hostPIDSet |
danger |
Fails when hostPID attribute is configured. |
security.notReadOnlyRootFilesystem |
warning |
Fails when securityContext.readOnlyRootFilesystem is not true. |
security.privilegeEscalationAllowed |
danger |
Fails when securityContext.allowPrivilegeEscalation is true. |
security.runAsRootAllowed |
warning |
Fails when securityContext.runAsNonRoot is not true. |
security.runAsPrivileged |
danger |
Fails when securityContext.privileged is true. |
security.insecureCapabilities |
warning |
Fails when securityContext.capabilities includes one of the capabilities listed here |
security.dangerousCapabilities |
danger |
Fails when securityContext.capabilities includes one of the capabilities listed here |
security.hostNetworkSet |
warning |
Fails when hostNetwork attribute is configured. |
security.hostPortSet |
warning |
Fails when hostPort attribute is configured. |
Background
Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. This includes avoiding privilege escalation, not running containers with a root user, not giving excessive access to the host network, and using read only file systems wherever possible.
A pod running with the hostNetwork attribute enabled will have access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. There are certain examples where setting hostNetwork to true is required, such as deploying a networking plugin like Flannel.
Setting the hostPort attribute on a container will ensure that it is accessible on that specific port on each node it is deployed to. Unfortunately when this is specified, it limits where a pod can actually be scheduled in a cluster.
Much of this configuration can be found in the securityContext attribute for both Kubernetes pods and containers. Where configuration is available at both a pod and container level, Polaris validates both.
Further Reading
- Kubernetes Docs: Configure a Security Context for a Pod or Container
- KubeCon 2018 Keynote: Running with Scissors
- Kubernetes Security Book
- Kubernetes Docs: Set capabilities for a Container
- Linux Programmer's Manual: Capabilities
- Kubernetes Docs: Configuration Best Practices
- Accessing Kubernetes Pods from Outside of the Cluster