Sunday, September 15, 2019

Kubernetes Pod Security Policies



Start minikube with RBAC and admission-plugins enabled
$ minikube start --extra-config=apiserver.authorization-mode=Node,RBAC --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
# or
$ minikube start --extra-config=apiserver.authorization-mode=Node,RBAC --extra-config=apiserver.Admission.PluginNames=PodSecurityPolicy

These commands are not working on my Mac machine; it looks like an API Server issue, as it is not accepting any requests (it might not be up).

Create namespace and Service Account
$ kubectl create namespace praveend-psp
$ kubectl create sa test-psp-sa -n praveend-psp

Policy definitions
$ cat praveend_psp.yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: praveend-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  allowPrivilegeEscalation: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

$ cat clusterR.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-test-cr
rules:
# podsecuritypolicies are served from the policy (or legacy extensions)
# API group, not the core group "", so the rule must name that group.
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames:
  - praveend-psp
  verbs:
  - use

$ cat clusterRB.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin-rb
roleRef:
  kind: ClusterRole
  name: psp-test-cr
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: test-psp-sa
  namespace: praveend-psp


Create the PodSecurityPolicy, ClusterRole and ClusterRoleBinding. A ClusterRoleBinding binds a ClusterRole/Role to a Service Account, User, Group, etc.
$ kubectl create -f praveend_psp.yaml -n praveend-psp
$ kubectl create -f clusterR.yaml -n praveend-psp
$ kubectl create -f clusterRB.yaml -n praveend-psp

Check whether we are authorized to use the PodSecurityPolicy in the praveend-psp namespace
$ kubectl auth can-i use podsecuritypolicy/praveend-psp -n praveend-psp

Create Pod in test-psp-minikube namespace
$ kubectl -n test-psp-minikube create -f- <


Create privileged Pod in praveend-psp namespace
$ kubectl -n test-psp-minikube delete -f- <true EOF
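
The decision these two pod tests exercise, modelled offline as an added example (not code from the original post or from Kubernetes): the creator first needs an RBAC rule granting `use` on praveend-psp, then the pod is validated against the policy. The pod specs, the pause image and all function names are assumptions, and only the `privileged` and `allowPrivilegeEscalation` fields are modelled.

```python
# Added example: offline model of the PodSecurityPolicy admission decision.
# Only the fields set by praveend-psp are modelled; names are illustrative.
PSP_GROUPS = {"policy", "extensions"}  # API groups that serve podsecuritypolicies
PSP = {"name": "praveend-psp", "privileged": False,
       "allowPrivilegeEscalation": False}

def rule_allows_use(rule, policy_name):
    """True if one RBAC rule grants the 'use' verb on the named policy."""
    def has(key, value):
        return bool({"*", value} & set(rule.get(key, [])))
    names = rule.get("resourceNames", [])  # empty list means "all names"
    return (bool(({"*"} | PSP_GROUPS) & set(rule.get("apiGroups", [])))
            and has("resources", "podsecuritypolicies")
            and has("verbs", "use")
            and (not names or policy_name in names))

def violations(pod, psp):
    """List container settings that the policy forbids."""
    found = []
    spec = pod["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp["privileged"]:
            found.append(c["name"] + ": privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            found.append(c["name"] + ": allowPrivilegeEscalation is not allowed")
    return found

def admit(pod, rules, psp=PSP):
    """Return (admitted, reasons) for a pod whose creator is bound to rules."""
    if not any(rule_allows_use(r, psp["name"]) for r in rules):
        return False, ["no RBAC rule grants use of " + psp["name"]]
    reasons = violations(pod, psp)
    return not reasons, reasons

# Constructed sample inputs (not taken from the post).
CORE_GROUP_RULE = {"apiGroups": [""], "resources": ["podsecuritypolicies"],
                   "resourceNames": ["praveend-psp"], "verbs": ["use"]}
POLICY_GROUP_RULE = dict(CORE_GROUP_RULE, apiGroups=["policy"])
PAUSE = {"spec": {"containers": [{"name": "pause", "image": "k8s.gcr.io/pause"}]}}
PRIVILEGED = {"spec": {"containers": [{
    "name": "pause", "image": "k8s.gcr.io/pause",
    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    print(admit(PAUSE, [POLICY_GROUP_RULE]))       # unprivileged pod
    print(admit(PRIVILEGED, [POLICY_GROUP_RULE]))  # privileged pod
    print(admit(PAUSE, [CORE_GROUP_RULE]))         # rule names the core group
```

A rule that names the core group `""` never matches, so even the unprivileged pod is refused when that is the only grant.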


