ContainerSecurity Logo
DKS
Black Forest Shadow/Chapter 23
Chapter 23
2 min read

Battle of Sonnenwacht

Secure by Design

Angra wins not by strength, but by exploiting weaknesses in the defenders' design. YAML, who was supposed to be the guard, opened the door for the enemy.

Angra wins not by strength, but by exploiting weaknesses in the defenders' design.
YAML, who was supposed to be the guard, opened the door for the enemy.

It's the same with your YAML configurations and infrastructure as code. If misconfigured, they can open the door to attackers.

Here are some best practices to ensure your systems are secure by design:

  • Use secure defaults: Start with the most restrictive settings and only open up what is necessary.
  • Implement the principle of the least privilege: Ensure that users and services have only the permissions they need to perform their tasks.
  • Pod Security Standards: There are three predefined Pod Security Standards in Kubernetes: Privileged, Baseline, and Restricted. Use the Restricted profile for production workloads to minimize security risks and only allow necessary capabilities.
  • Drop unnecessary capabilities: Docker containers run with a default set of Linux capabilities. You can drop all capabilities and only add back the ones you need using the cap_drop and cap_add options in your Docker Compose or Kubernetes manifests.

Pod Security Standards Example

apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted

Here, the default namespace is configured to enforce the Baseline Pod Security Standard and audit against the Restricted standard. This means that any pods created in this namespace must comply with the Baseline standard, and any violations of the Restricted standard will be logged for auditing purposes.

Dropping Unnecessary Capabilities Example

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      capabilities:
        drop: ["ALL"]
        add: ["NET_ADMIN"]

In this example, the Nginx container drops all Linux capabilities and only adds back the NET_ADMIN capability, which is necessary for network administration tasks.

Exercise

  1. Learn about the different Pod Security Standards (Privileged, Baseline, Restricted) and determine which one is appropriate for your production workloads. Implement the appropriate standard in your Kubernetes namespaces.
  2. Identify any unnecessary Linux capabilities in your container configurations and drop them to minimize the attack surface of your containers. Use the cap_drop and cap_add options to configure the capabilities for your containers.