diff --git a/day-028/README.md b/day-028/README.md new file mode 100644 index 0000000..6cc0991 --- /dev/null +++ b/day-028/README.md @@ -0,0 +1,127 @@ +# Day 28: Pod Security Admission + +## THE IDEA: +This lab will show you how to: + +1. Enable PSA on a namespace +2. Attempt to deploy a non-compliant pod +3. Modify the pod to comply with the `restricted` profile + +## THE SETUP: + +A cluster running Kubernetes v1.25 or above. + +## WHAT I LEARNED: +Kubernetes offers a built-in Pod Security admission controller to enforce the Pod Security Standards. +Pod security restrictions are applied at the namespace level when pods are created. + +## WHY IT MATTERS: +Kubernetes can block risky workloads before they run, using the native PSA โ€” no 3rd party tools needed! +Good for quick, standard security posture enforcement. + +TRY IT: +๐Ÿงช Interactive Lab: https://killercoda.com/chadmcrowell/course/kubeskills-daily/day-028 + +--- + +### โœ… **Step 1: Create a namespace with PSA labels** + +PSA is enforced via labels on the namespace. + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: psa-lab + labels: + pod-security.kubernetes.io/enforce: "restricted" + pod-security.kubernetes.io/enforce-version: "latest" +``` + +Apply it: + +```bash +kubectl apply -f namespace.yaml +``` + +--- + +### ๐Ÿšซ **Step 2: Try deploying a non-compliant privileged Pod** + +This pod will violate the `restricted` policy because it uses `privileged: true`. + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: privileged-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + privileged: true +``` + +Try applying it: + +```bash +kubectl apply -f privileged-pod.yaml +``` + +๐Ÿ”’ You should see an error like this: + +``` +Error from server (Forbidden): error when creating "privileged-pod.yaml": pods "privileged-pod" is forbidden: violates PodSecurity "restricted:latest": privileged (container "ubuntu" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "ubuntu" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ubuntu" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ubuntu" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "ubuntu" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") +``` + +--- + +### โœ… **Step 3: Fix the pod to comply with `restricted`** + +Update the pod to meet the requirements: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: restricted-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault +``` + +Apply it: + +```bash +kubectl apply -f restricted-pod.yaml +``` + +โœ… This time, it should deploy successfully. + +```bash +pod/restricted-pod created +``` + +--- + +### โœ… **Step 4: Cleanup** + +To cleanup the environment, run the following command: + +```bash +kubectl apply -f namespace.yaml +``` diff --git a/day-028/manifests/namespace.yaml b/day-028/manifests/namespace.yaml new file mode 100644 index 0000000..caa97fa --- /dev/null +++ b/day-028/manifests/namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: psa-lab + labels: + pod-security.kubernetes.io/enforce: "restricted" + pod-security.kubernetes.io/enforce-version: "latest" diff --git a/day-028/manifests/privileged-pod.yaml b/day-028/manifests/privileged-pod.yaml new file mode 100644 index 0000000..0be4c36 --- /dev/null +++ b/day-028/manifests/privileged-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + privileged: true diff --git a/day-028/manifests/restricted-pod.yaml b/day-028/manifests/restricted-pod.yaml new file mode 100644 index 0000000..a4ab3ec --- /dev/null +++ b/day-028/manifests/restricted-pod.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restricted-pod + namespace: psa-lab +spec: + containers: + - name: ubuntu + image: ubuntu@sha256:6015f66923d7afbc53558d7ccffd325d43b4e249f41a6e93eef074c9505d2233 + command: [ "sh", "-c", "sleep 1h" ] + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault