Solve this question on: ssh cks8930
The Release Engineering Team has shared some YAML manifests and Dockerfiles with you to review. The files are located under /opt/course/22/files.
As a container security expert, you are asked to perform a manual static analysis and find out possible security issues with respect to unwanted credential exposure. Running processes as root is of no concern in this task.
Write the filenames which have issues into /opt/course/22/security-issues on cks8930.
First, let's check what files we need to analyze:
➜ ssh cks8930
➜ candidate@cks8930:~# ls -la /opt/course/22/files
-rw-r--r-- 1 candidate candidate 384 Sep 8 14:05 Dockerfile-go
-rw-r--r-- 1 candidate candidate 441 Sep 8 14:05 Dockerfile-mysql
-rw-r--r-- 1 candidate candidate 390 Sep 8 14:05 Dockerfile-py
-rw-r--r-- 1 candidate candidate 341 Sep 8 14:05 deployment-nginx.yaml
-rw-r--r-- 1 candidate candidate 723 Sep 8 14:05 deployment-redis.yaml
-rw-r--r-- 1 candidate candidate 529 Sep 8 14:05 pod-nginx.yaml
-rw-r--r-- 1 candidate candidate 228 Sep 8 14:05 pv-manual.yaml
-rw-r--r-- 1 candidate candidate 188 Sep 8 14:05 pvc-manual.yaml
-rw-r--r-- 1 candidate candidate 211 Sep 8 14:05 sc-local.yaml
-rw-r--r-- 1 candidate candidate 902 Sep 8 14:05 statefulset-nginx.yaml
The Dockerfile-mysql has a security issue with credential handling:
# cks8930:/opt/course/22/files/Dockerfile-mysql
FROM ubuntu

# Add MySQL configuration
COPY my.cnf /etc/mysql/conf.d/my.cnf
COPY mysqld_charset.cnf /etc/mysql/conf.d/mysqld_charset.cnf

RUN apt-get update && \
    apt-get -yq install mysql-server-5.6

# Add MySQL scripts
COPY import_sql.sh /import_sql.sh
COPY run.sh /run.sh

# Configure credentials
COPY secret-token .                                   # LAYER X
RUN /etc/register.sh ./secret-token                   # LAYER Y
RUN rm ./secret-token  # delete secret token again    # LAYER Z

EXPOSE 3306
CMD ["/run.sh"]
Issue: Even though secret-token is deleted in layer Z, it was already written into layers X and Y. Image layers are immutable, so the deletion only hides the file in the final filesystem view; anyone who can pull the image can extract the token from the earlier layers.
➜ candidate@cks8930:~# echo Dockerfile-mysql >> /opt/course/22/security-issues
The deployment-redis.yaml has a security issue with credential exposure in logs:
# cks8930:/opt/course/22/files/deployment-redis.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: mycontainer
        image: redis
        command: ["/bin/sh"]
        args:
        - "-c"
        - "echo $SECRET_USERNAME && echo $SECRET_PASSWORD && docker-entrypoint.sh" # NOT GOOD
        env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
Issue: The container echoes the secret values to stdout, so they end up in the container logs. Anyone who can read those logs (kubectl logs, the node's log files, a central log aggregator) can read the credentials, even if they have no access to the Secret object itself.
➜ candidate@cks8930:~# echo deployment-redis.yaml >> /opt/course/22/security-issues
The statefulset-nginx.yaml has a security issue with hardcoded credentials:
# cks8930:/opt/course/22/files/statefulset-nginx.yaml
...
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: "nginx"
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        env:
        - name: Username
          value: Administrator
        - name: Password
          value: MyDiReCtP@sSw0rd # NOT GOOD
        ports:
        - containerPort: 80
          name: web
...
Issue: Credentials are hardcoded as plain env values in the YAML file, so they are exposed to everyone who can read the manifest or the StatefulSet object, instead of being injected via a Secret (valueFrom.secretKeyRef).
➜ candidate@cks8930:~# echo statefulset-nginx.yaml >> /opt/course/22/security-issues
Check the final list of files with security issues:
➜ candidate@cks8930:~# cat /opt/course/22/security-issues
Dockerfile-mysql
deployment-redis.yaml
statefulset-nginx.yaml
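The three patterns found above (a secret file baked into an image layer, a secret echoed into logs, a credential as a literal env value) can be turned into a quick first-pass check. The script below is an added illustration, not part of the exam or its solution; the name heuristics and the abbreviated sample files are constructed for the example.

```python
import re

# Name fragments that suggest a credential (a heuristic chosen for this example).
SECRET_NAME = re.compile(r"(secret|passw|token|cred|api[_-]?key)", re.I)

# Constructed, abbreviated stand-ins for the exam files; not the originals.
SAMPLES = {
    "Dockerfile-go": "FROM golang\nCOPY app.go /src/app.go\nRUN go build -o /app /src/app.go\n",
    "Dockerfile-mysql": "FROM ubuntu\nCOPY my.cnf /etc/mysql/conf.d/my.cnf\nCOPY secret-token .\n"
                        "RUN /etc/register.sh ./secret-token\nRUN rm ./secret-token\n",
    "deployment-redis.yaml": 'args:\n- "-c"\n- "echo $SECRET_USERNAME && echo $SECRET_PASSWORD && docker-entrypoint.sh"\n'
                             "env:\n- name: SECRET_PASSWORD\n  valueFrom:\n    secretKeyRef:\n      name: mysecret\n",
    "statefulset-nginx.yaml": "env:\n- name: Username\n  value: Administrator\n- name: Password\n  value: MyDiReCtP@sSw0rd\n",
}

def check_dockerfile(text):
    """A credential file COPY/ADDed into any layer stays in the image even if a later RUN rm deletes it."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts and parts[0].upper() in ("COPY", "ADD") and any(SECRET_NAME.search(p) for p in parts[1:-1]):
            findings.append(f"line {n}: credential file copied into an image layer")
    return findings

def check_manifest(text):
    """Flag secrets echoed to stdout (container logs) and credentials given as literal env values."""
    findings, lines = [], text.splitlines()
    for n, line in enumerate(lines, 1):
        if re.search(r"echo\s+\$\{?\w*(SECRET|PASS|TOKEN|KEY)", line, re.I):
            findings.append(f"line {n}: secret environment variable echoed into logs")
        m = re.match(r"\s*-\s*name:\s*(\S+)", line)
        nxt = lines[n].strip() if n < len(lines) else ""  # the line following this env entry
        if m and SECRET_NAME.search(m.group(1)) and nxt.startswith("value:"):
            findings.append(f"line {n}: hardcoded credential in env value (valueFrom.secretKeyRef expected)")
    return findings

def scan(files):
    """Map each file with findings to its list of findings; clean files are omitted."""
    flagged = {}
    for name, text in files.items():
        found = check_dockerfile(text) if name.startswith("Dockerfile") else check_manifest(text)
        if found:
            flagged[name] = found
    return flagged

if __name__ == "__main__":
    for name, found in sorted(scan(SAMPLES).items()):  # yields the same three filenames as above
        print(name, *found, sep="\n  ")
```

The checks are deliberately line-based so they also catch the trap in Dockerfile-mysql, where the file is removed again later; a manual review of each hit is still needed, since a COPY of a file called secret.conf.example would be flagged too.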