Create a PSP that will prevent the creation of privileged pods in the namespace.
$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: use-privileged-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: privileged-role-bind
namespace: psp-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: use-privileged-psp
subjects:
- kind: ServiceAccount
name: privileged-sa
$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
After a few moments, the privileged Pod should be created.
Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
And create it with kubectl:
kubectl-admin create -f example-psp.yaml
Now, as the unprivileged user, try to create a simple pod:
kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
name: pause
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
The output is similar to this:
Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden: unable to validate against any pod security policy: [] Create a new ServiceAccount named psp-sa in the namespace default.
$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: use-privileged-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: privileged-role-bind
namespace: psp-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: use-privileged-psp
subjects:
- kind: ServiceAccount
name: privileged-sa
$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
After a few moments, the privileged Pod should be created.
Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
And create it with kubectl:
kubectl-admin create -f example-psp.yaml
Now, as the unprivileged user, try to create a simple pod:
kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
name: pause
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
The output is similar to this:
Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden: unable to validate against any pod security policy: [] Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
name: jane # "name" is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" specifies the binding to a Role / ClusterRole
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup: rbac.authorization.k8s.io apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]

Solution (Step by Step) :
1. Define Security Context Constraints (SCCs):
- Create a new SCC resource. Here's an example for a restrictive SCC named "restricted-scc"'

2. Apply the SCC to Deployments: - Add a 'securitycontext' section to your Deployment resources to apply the SCC- Here's an example:

3. Test and Evaluate: - After deploying with the SCC, test the deployment and verify that the pod is created with the expected security restrictions. - Use 'kubectl get pods -l app=my-apps to verify the pod's status and Its security context. Key Security Constraints in the Example: - 'allowPriviIegeEscaIation: false': Prevents containers from escalating their privileges. - 'readOnIyRootFiIesystem: true': Prevents modification of the root filesystem, reducing the risk of malicious code tampering. - 'privileged: false: Disallows running containers with root privileges, mitigating security risks. - 'volumes': Restricts the types of volumes that can be used, limiting access to sensitive data or resources. Deployment Scenario: - For critical services handling sensitive data, use a highly restrictive SCC like the one provided. - For less critical services, you might need a more permissive SCC. - You can create different SCCs for different levels of security requirements and apply them accordingly. Important Notes: - Always test your SCCs thoroughly before implementing them in production environments. - Regularly review and update your SCCs to ensure they remain effective and in line with your security best practices. - Consider using Kubernetes security scanning tools to identifiy potential vulnerabilities in your deployments and SCC configurations.

Solution (Step by Step) :
1 . Identify Allowed IP Addresses: Determine the specific IP addresses that should be allowed to access the Kubernetes API server. For example, you might allow access from your local machine's IP address (e.g., 192.168.1.100), and the IP addresses of any bastion hosts that are used for remote management.
2. Modify the 'kube-apiserver' Configuration:
- Locate the 'kube-apjserver' configuration file (typically found at "etc/kubernetestmanifests/kube-apiserver.yaml or similar).
- In tne 'kube-apiserver' configuration file, find tne '--insecure-bind-address' flag.
- Set the '--insecure-bind-address' flag to '0.0.0.0' to allow access from all IP addresses.

3. Restart 'kube-apiserver': Apply the updated configuration file. Depending on how the Kubernetes cluster is deployed, you may need to restart the 'kube-apisepver' pod or container. 4. Verify the Configuration: - After restarting 'kube-apiservers , test that you can access the API server from the allowed IP addresses. - Test from any disallowed IP addresses to confirm access is blocked.

Solution (Step by Step) :
1. Enable Kubernetes Audit Logging:
- Configure your Kubernetes cluster to generate audit logs. This involves enabling the 'audit' feature in the 'kube-apiserver' configuration and specifying the desired level of audit logging (e.g., 'Metadata', 'Request' , 'RequestResponse').
2. Define Audit Policies:
- Create audit policies to filter and prioritize the audit events you want to capture. For example, define a policy to audit all container image pulls and API requests related to specific resources.

3. Deploy Sysdig: - Install and configure Sysdig on your Kubernetes cluster Sysdig is a powerful container runtime security tool that provides real-time monitoring and threat detection capabilities. 4. Configure Sysdig Rules: - Create custom rules in Sysdig to detect suspicious activity within containers. These rules can be based on specific events, file access patterns, network connections, and other indicators of compromise.

5. Integrate with Logging and Monitoring Systems: - Integrate Sysdig with your existing logging and monitoring tools (e.g., ELK stack, Prometheus) to centralize and analyze security events. 6. Review and Analyze Logs: - Regularly review the audit logs and Sysdig alerts to identify any potential security threats. - Investigate suspicious events to understand the root cause and take appropriate actions.