Question 4: Pod Security Standard

Problem Statement

Solve this question on: ssh cks7262

There is Deployment container-host-hacker in Namespace team-red which mounts /run/containerd as a hostPath volume on the Node where it's running. This means that the Pod can access various data about other containers running on the same Node.

To prevent this:

  1. Configure Namespace team-red to enforce the baseline Pod Security Standard.
  2. Delete the Pod of the Deployment mentioned above.
  3. Check the ReplicaSet events and write the event/log lines containing the reason why the Pod isn't recreated into /opt/course/4/logs on cks7262.

Solution

Step 1: Configure Pod Security Standard

Edit the Namespace to add the required label:

➜ ssh cks7262
➜ candidate@cks7262:~# k edit ns team-red

Add the baseline Pod Security Standard label:

# kubectl edit namespace team-red
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: team-red
    pod-security.kubernetes.io/enforce: baseline # add
  name: team-red
...

Alternatively, you can set the label using kubectl:

kubectl label ns team-red pod-security.kubernetes.io/enforce=baseline

Step 2: Delete the Pod

➜ candidate@cks7262:~# k -n team-red get pod
NAME                                    READY   STATUS    RESTARTS   AGE
container-host-hacker-dbf989777-wm8fc   1/1     Running   0          115s

➜ candidate@cks7262:~# k -n team-red delete pod container-host-hacker-dbf989777-wm8fc --force --grace-period 0
pod "container-host-hacker-dbf989777-wm8fc" deleted

➜ candidate@cks7262:~# k -n team-red get pod
No resources found in team-red namespace.

Step 3: Check ReplicaSet Events

➜ candidate@cks7262:~# k -n team-red get rs
NAME                              DESIRED   CURRENT   READY   AGE
container-host-hacker-dbf989777   1         0         0       5m25s

➜ candidate@cks7262:~# k -n team-red describe rs container-host-hacker-dbf989777
Name:           container-host-hacker-dbf989777
Namespace:      team-red
...
Events:
  Type     Reason            Age                   From                   Message
  ----     ------            ----                  ----                   -------
...
  Warning  FailedCreate  78s                replicaset-controller  Error creating: pods "container-host-hacker-dbf989777-x5v5t" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "containerdata")
  Warning  FailedCreate  39s (x7 over 77s)  replicaset-controller  (combined from similar events): Error creating: pods "container-host-hacker-dbf989777-64q6p" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "containerdata")

Step 4: Save the Logs

# cks7262:/opt/course/4/logs
Warning  FailedCreate      2m2s (x9 over 2m40s)  replicaset-controller  (combined from similar events): Error creating: pods "container-host-hacker-dbf989777-kjfpn" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "containerdata")
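
To see why the ReplicaSet can no longer create its Pod, here is an added Python example (not part of the original solution, and not the Kubernetes PodSecurity admission plugin) that mirrors three baseline controls, hostPath volumes, host namespaces and privileged containers, over a constructed Pod template resembling the Deployment above; the Pod name, image and the exact wording of the message are assumptions modelled on the event text.

```python
# Added example: mirrors three Pod Security Standard "baseline" controls so a
# manifest can be vetted before it hits a Namespace labelled
# pod-security.kubernetes.io/enforce=baseline. This is not the Kubernetes
# PodSecurity admission plugin; the message shape is only modelled on it.

# Constructed Pod resembling the question's Deployment template: it mounts
# /run/containerd from the Node as a hostPath volume named "containerdata".
# Pod name and image are placeholders.
HACKER_POD = {
    "metadata": {"name": "container-host-hacker-example", "namespace": "team-red"},
    "spec": {
        "volumes": [{"name": "containerdata", "hostPath": {"path": "/run/containerd"}}],
        "containers": [{
            "name": "hacker",
            "image": "example.invalid/placeholder:latest",
            "volumeMounts": [{"name": "containerdata", "mountPath": "/containerdata"}],
        }],
    },
}


def baseline_violations(pod):
    """Return baseline violations as strings; an empty list means admitted."""
    spec = pod.get("spec", {})
    found = []
    # Control: hostPath volumes are forbidden. This is the check that stopped
    # the ReplicaSet in the question from recreating its Pod.
    host_vols = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if host_vols:
        found.append("hostPath volumes (%s)" % ", ".join('volume "%s"' % n for n in host_vols))
    # Control: sharing the Node's network, PID or IPC namespace is forbidden.
    host_ns = ["%s=true" % k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host_ns:
        found.append("host namespaces (%s)" % ", ".join(host_ns))
    # Control: privileged containers (init containers included) are forbidden.
    ctrs = spec.get("initContainers", []) + spec.get("containers", [])
    priv = [c["name"] for c in ctrs if (c.get("securityContext") or {}).get("privileged")]
    if priv:
        found.append("privileged (%s)" % ", ".join(
            'container "%s" must not set securityContext.privileged=true' % n for n in priv))
    return found


def admission_message(pod, level="baseline", version="latest"):
    """Message an enforcing Namespace would return for the Pod, or None if admitted."""
    violations = baseline_violations(pod)
    if not violations:
        return None
    return 'pods "%s" is forbidden: violates PodSecurity "%s:%s": %s' % (
        pod["metadata"]["name"], level, version, ", ".join(violations))
```

Running `admission_message(HACKER_POD)` reproduces the shape of the FailedCreate event above; replacing the hostPath volume with an emptyDir (or a PersistentVolumeClaim) makes the same template admissible under baseline.
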

Pod Security Standards provide a great base level of security, but for more granular control, consider using third-party solutions like OPA or Kyverno.