Kubernetes PSP (Pod Security Policy) using kubiscan

[prasenforu]

In my last discussion we discussed about risky pod. In this context if you think kubernetes PSP (Pod Security Policy) can be implemented along with kubiscan that will be great as a part of enhancement.

[g3rzi]

It can be implemented but this is a new vector. The focus of KubiScan was to scan for risky permissions and how they affect the roles, bindings, users and pods. We can add PSP but we need to understand what we want to get from it. Risky PSPs ? Like, PSPs that if someone will use them, it will create privileged containers? In such, case we can just go and search for privileged containers directly (by inspecting each Pod\container YAML).

[prasenforu]

PSP cover lots but if we focus below ..

Pods root privileges Host PID access Host network access Host port access Host volume access

I think that will be enough coverage in addition to risky pod.

[g3rzi]

Why not just check the configuration of each pod\container and check its security context?

[prasenforu]

Check when pod going to start/launch

[g3rzi]

I added an option to check the security context of pods and search for pods with security context of privileged, root user, dangerous capabilities and if the flag allow privilege escalation is set.

[prasenforu]

How to use?

Same risky pod (-rp) switch will give result along with ?

[g3rzi]

-pp

[prasenforu]

Its working fine but its not capturing hostnetwork.

If I mention pod defination hostNetwork: true or hostPort then its not capturing.

Basically usage of the hostPort is considered a privileged operation on OpenShift.

My target is it should capture below all

Host PID access Host network access Host port access Host volume access

trying to make this tool compatible with all kubernetes flavor in including openshift.

[g3rzi]

I can see the Host PID and Host network fields in the PodSpec: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#podspec-v1-core

Where the Host port should be find?

Regarding the volume access I will check it but maybe I have something that already does it l, this is the -psv switch that shows all the mounted volumes to the pods. We also have the -pse that shows all the environment variables mounted to the pods.

[prasenforu]

hostport as use as follows ...

If hostPort setting applies to the Kubernetes containers. The container port will be exposed to the external network at :, where the hostIP is the IP address of the Kubernetes node where the container is running and the hostPort is the port requested by the user.

The hostPort feature allows to expose a single container port on the host IP. Using the hostPort to expose an application to the outside of the Kubernetes cluster and it has the some drawbacks, two containers using the same hostPort cannot be scheduled on the same node.

psv Show Pods that has access to the secret data through a Volume and pse Show Pods that has access to the secret data through a Environment.

I do not think it does any Host volume access

[g3rzi]

Regarding the hostPort, I don't understand why it is being considered as a privileged operation on OpenShift. When we are talking about privileged containers, the idea is that if an attacker is inside the container, he has root privileged, high capabilities, break out to the host or control other containers. An exposed port, just shows that exposed port of the container on the master. It doesn't mean you can do something interesting with this if I compare it to the other operations I mentioned.

[prasenforu]

It's a security whole, if somehow anyone use hostport in pod then that port is locked in that host where that container deployed. Nobody can use that port and attacker can try to access cluster using hostport.

[prasenforu]

In PSP (Pod Security Policy) below link I think you capturing only "privileged" field.

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy

If you consider following field also then it will be more effective regarding privileged/risky pod

[g3rzi]

Yes, it sounds like a good suggestion. I will check it and update.

[prasenforu]

Any update?

[g3rzi]

Added support to hostPID and hostIPC. Regarding readOnlyRootFilesystem I saw that the default is false which indicates that you can write to the root filesystem. As this is the default, it will make lots of "noise" because most of the pods will have this field set to false, don't you think ? We will get probably all the pods appeared as "privileged".

[prasenforu]

if someone use readOnlyRootFilesystem true then kubiscan should catch.

[g3rzi]

I did some tests with:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: alpine
spec:
  containers:
  - name: alpine
    image: alpine
    command: ["sleep 99d"]
    ports:
      - containerPort: 6666
        hostPort: 6666
  hostNetwork: true
  hostIPC: true
  hostPID: true
EOF

The hostNetwork field show more containers:

I guess I just need to check the allowedHostPath, I need to decide to what feature to add it (-psv or -pp).

[prasenforu]

yes that is OK, normally people should check pod under namespace, under kube-system it will give.

The features you should maintain under -pp

[prasenforu]

Put all PSP (Pod Security Policy) related things under -pp

[prasenforu]

I checked but what I noticed earlier -pp works with -n <namespace>

Now its show privileged pod under all namespace.

[g3rzi]

It now prints also the host paths which make it more "noisy":

Regarding the namespaces, if you not specify a namespace it will print for all the namespaces. Other option is to make that if you not specify a namespace it will print for the "default" namespace. But I think it is fine like that (prints for all the namespaces as default).

You can use namespaces, for example: kubiscan -pp -ns default:

[g3rzi]

Notice to use -ns instead of -n. I created -ns for --namespaces because the -n was taken for --name.

[prasenforu]

It was my typo. But I always use -ns.

Tomorrow I will check & update you.

[g3rzi]

No twitter or linkedin?

[g3rzi]

OK, so contact me: Eviatar Gerzi

[prasenforu]

closing