Closed prasenforu closed 4 years ago
It can be implemented but this is a new vector. The focus of KubiScan was to scan for risky permissions and how they affect the roles, bindings, users and pods. We can add PSP but we need to understand what we want to get from it. Risky PSPs ? Like, PSPs that if someone will use them, it will create privileged containers? In such, case we can just go and search for privileged containers directly (by inspecting each Pod\container YAML).
PSP cover lots but if we focus below ..
Pods root privileges Host PID access Host network access Host port access Host volume access
I think that will be enough coverage in addition to risky pod.
Why not just check the configuration of each pod\container and check its security context?
Check when pod going to start/launch
I added an option to check the security context of pods and search for pods with security context of privileged
, root user, dangerous capabilities and if the flag allow privilege escalation is set.
How to use?
Same risky pod (-rp) switch will give result along with ?
-pp
Its working fine but its not capturing hostnetwork.
If I mention pod defination hostNetwork: true
or hostPort
then its not capturing.
Basically usage of the hostPort is considered a privileged operation on OpenShift.
My target is it should capture below all
Host PID access Host network access Host port access Host volume access
trying to make this tool compatible with all kubernetes flavor in including openshift.
I can see the Host PID and Host network fields in the PodSpec: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#podspec-v1-core
Where the Host port should be find?
Regarding the volume access I will check it but maybe I have something that already does it l, this is the -psv
switch that shows all the mounted volumes to the pods.
We also have the -pse
that shows all the environment variables mounted to the pods.
hostport
as use as follows ...
If hostPort
setting applies to the Kubernetes containers. The container port will be exposed to the external network at
The hostPort feature allows to expose a single container port on the host IP. Using the hostPort to expose an application to the outside of the Kubernetes cluster and it has the some drawbacks, two containers using the same hostPort cannot be scheduled on the same node.
psv
Show Pods that has access to the secret data through a Volume
and
pse
Show Pods that has access to the secret data through a Environment.
I do not think it does any Host volume access
Regarding the hostPort
, I don't understand why it is being considered as a privileged operation on OpenShift.
When we are talking about privileged containers, the idea is that if an attacker is inside the container, he has root privileged, high capabilities, break out to the host or control other containers.
An exposed port, just shows that exposed port of the container on the master. It doesn't mean you can do something interesting with this if I compare it to the other operations I mentioned.
It's a security whole, if somehow anyone use hostport in pod then that port is locked in that host where that container deployed. Nobody can use that port and attacker can try to access cluster using hostport.
In PSP (Pod Security Policy) below link I think you capturing only "privileged" field.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
If you consider following field also then it will be more effective regarding privileged/risky pod
Yes, it sounds like a good suggestion. I will check it and update.
Any update?
Added support to hostPID
and hostIPC
.
Regarding readOnlyRootFilesystem
I saw that the default is false
which indicates that you can write to the root filesystem.
As this is the default, it will make lots of "noise" because most of the pods will have this field set to false, don't you think ? We will get probably all the pods appeared as "privileged".
if someone use readOnlyRootFilesystem
true
then kubiscan should catch.
I did some tests with:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: alpine
spec:
containers:
- name: alpine
image: alpine
command: ["sleep 99d"]
ports:
- containerPort: 6666
hostPort: 6666
hostNetwork: true
hostIPC: true
hostPID: true
EOF
The hostNetwork
field show more containers:
I guess I just need to check the allowedHostPath
, I need to decide to what feature to add it (-psv
or -pp
).
yes that is OK, normally people should check pod under namespace, under kube-system
it will give.
The features you should maintain under -pp
Put all PSP (Pod Security Policy) related things under -pp
I checked but what I noticed earlier -pp
works with -n <namespace>
Now its show privileged pod under all namespace.
It now prints also the host paths which make it more "noisy":
Regarding the namespaces, if you not specify a namespace it will print for all the namespaces. Other option is to make that if you not specify a namespace it will print for the "default" namespace. But I think it is fine like that (prints for all the namespaces as default).
You can use namespaces, for example: kubiscan -pp -ns default
:
Notice to use -ns
instead of -n
.
I created -ns
for --namespaces
because the -n
was taken for --name
.
It was my typo. But I always use -ns.
Tomorrow I will check & update you.
No twitter or linkedin?
OK, so contact me: Eviatar Gerzi
closing
In my last discussion we discussed about risky pod. In this context if you think kubernetes PSP (Pod Security Policy) can be implemented along with kubiscan that will be great as a part of enhancement.