Solution (Step by Step) :
1. create a PSPI
- Define a PSP that restricts the use of privileged containers and capabilities, except for the capability for pods in the 'production' namespace.

2. Create a PSP Binding: - Bind the PSP to the 'production' namespace-

3. Create a Pod: - Create a Pod in the 'production' namespace and specify the 'securitycontext' with the 'NET_ADMIN' capability.

4. Apply the YAML files: - Apply the created YAML files using 'kubectl apply -f 5. Verify the permissions: - Try to create a Pod in other namespaces with the 'NET_ADMIN' capability. It should be rejected.

SeetheExplanationbelowExplanation:

Solution (Step by Step):
1. Define Pod Security Policies:
- Create separate PSPs for each team with different security constraints:
- Resource Limits: Limit the resources each team's pods can request (CPU, memory).
- Capabilities: Restrict specific capabilities like ' SYS_ADMIN' or 'NET_ADMIN'
- Security Context: Control the user and group IDs, privileged escalation, and SELinux labels for pods.
- Volume Types: Allow only specific types of volumes (e.g., emptyDir, hostPath, persistentV01umeClaim).
- Example PSP for Team A:

2. Apply PSPs to Teams: - Use 'kubectl apply -f team-a-psp.yaml' to apply the PSP for Team A. - Create and apply similar PSPs for other teams. - Apply these PSPs as admission controllers in your cluster to enforce them on all pods. 3. Configure Network Policies: - Define network policies to control communication between pods within different teams: - Ingress Policy: Control whicn pods can initiate connections to pods in otner teams. - Egress Policy: Control which pods can receive connections from pods in other teams. - Example Network Policy for Team A:

4. Apply Network Policies: - Use ' kubectl apply -f team-a-policy-yamp to apply the policy for Team A. - Create and apply similar policies for other teams. Result: - These PSPs and network policies enforce isolation between teams, limiting their access to resources and preventing unauthorized communication. - Teams can deploy their applications within their defined policies, minimizing the risk of cross-team vulnerabilities. - This approach ensures a secure and isolated environment for multi-tenant deployments.

To add a Kubernetes cluster to your project, group, or instance:
Navigate to your:
Project's Operations > Kubernetes page, for a project-level cluster.
Group's Kubernetes page, for a group-level cluster.
Admin Area > Kubernetes page, for an instance-level cluster.
Click Add Kubernetes cluster.
Click the Add existing cluster tab and fill in the details:
Kubernetes cluster name (required) - The name you wish to give the cluster.
Environment scope (required) - The associated environment to this cluster.
API URL (required) - It's the URL that GitLab uses to access the Kubernetes API. Kubernetes exposes several APIs, we want the "base" URL that is common to all of them. For example, https://kubernetes.example.com rather than https://kubernetes.example.com/api/v1.
Get the API URL by running this command:
kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '/http/ {print $NF}' CA certificate (required) - A valid Kubernetes certificate is needed to authenticate to the cluster. We use the certificate created by default.
List the secrets with kubectl get secrets, and one should be named similar to default-token-xxxxx. Copy that token name for use below.
Get the certificate by running this command:
kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}"

$vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
$kill -1 <PID of falco>
Explanation
[desk@cli] $ ssh node01 [node01@cli] $ vim /etc/falco/falco_rules.yaml search for Container Drift Detected & paste in falco_rules.local.yaml [node01@cli] $ vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
[node01@cli] $ vim /etc/falco/falco.yaml