# securityContext

## Verifying allowPrivilegeEscalation

* It prevents a child process inside the container from gaining more privileges than its parent process: the container process is started with the `no_new_privs` flag set, which is why setuid programs such as sudo refuse to run as root below.

```
$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      # Pod-level declaration: this setting applies to every container in the pod
      securityContext:
        runAsUser: 1000
      containers:
      - image: quay.io/cloudwalker/alp.kadm
        name: test
        tty: true
        securityContext:
          allowPrivilegeEscalation: false' | kubectl apply -f -

$ kubectl get po
NAME                    READY   STATUS    RESTARTS   AGE
test-6b77d94ff4-bd8vs   1/1     Running   0          119s

$ kubectl exec -it test-6b77d94ff4-bd8vs -- bash

$ whoami
bigred

# The user is not allowed to run any command through sudo
$ sudo touch /test
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

$ sudo su
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```

## privileged

* First create a pod with `privileged: true`

```
$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - image: quay.io/cloudwalker/alp.kadm
        name: test
        tty: true
        securityContext:
          privileged: true' | kubectl apply -f -
```

```
$ kubectl get po
NAME                    READY   STATUS    RESTARTS   AGE
test-7665f7bc97-j92t4   1/1     Running   0          39s

$ kubectl exec -it test-7665f7bc97-j92t4 -- bash
```

* Check which capabilities the container has: the bounding set contains every capability, including cap_sys_admin

```
$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(bigred) euid=1000(bigred)
gid=10(wheel)
groups=10(wheel)
Guessed mode: HYBRID (4)
```

* Change the setting to `privileged: false`

```
$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - image: quay.io/cloudwalker/alp.kadm
        name: test
        tty: true
        securityContext:
          privileged: false' | kubectl apply -f -
```

```
$ kubectl get po
NAME                    READY   STATUS    RESTARTS   AGE
test-5d7886bdb6-jx858   1/1     Running   0          40s

$ kubectl exec -it test-5d7886bdb6-jx858 -- bash
```

* Checking again shows that a large number of capabilities have been removed; only the default container capability set remains in the bounding set

```
# Entries under Current IAB prefixed with ! are capabilities that are not available
$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(bigred) euid=1000(bigred)
gid=10(wheel)
groups=10(wheel)
Guessed mode: HYBRID (4)
```

## Demonstration: drop all capabilities so that sudo cannot be used to escalate privileges

```
$ echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - image: quay.io/cloudwalker/alp.kadm
        name: test
        tty: true
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL' | kubectl apply -f -
```

```
$ kubectl get po
NAME                    READY   STATUS    RESTARTS   AGE
test-54b45668df-2nn97   1/1     Running   0          48s

$ kubectl exec -it test-54b45668df-2nn97 -- bash
```

```
$ capsh --print
Current: =
Bounding set =
Ambient set =
Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=1)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(bigred) euid=1000(bigred)
gid=10(wheel)
groups=10(wheel)
Guessed mode: HYBRID (4)

$ sudo su
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```

## References

https://www.golinuxcloud.com/kubernetes-privileged-pod-examples/
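The three settings demonstrated above (`privileged`, `allowPrivilegeEscalation`, `capabilities.drop`) are easy to get wrong in a manifest because their defaults are the permissive ones. The following is an added example, not code from the original page, that audits a Deployment or Pod manifest for exactly those settings before it is applied. It works on the manifest as a Python dict, i.e. the parsed result of `kubectl get deploy test -o json`; the sample manifests are constructed from the page's own YAML, and the function names (`audit`, `effective_context`) are this example's own. It also encodes two Kubernetes rules the page's output illustrates: an unset `allowPrivilegeEscalation` behaves as `true` (no `no_new_privs`), and it is forced to `true` for a privileged container or one granted `CAP_SYS_ADMIN`.

```python
"""Audit a Kubernetes workload manifest for the securityContext settings
covered on this page: privileged, allowPrivilegeEscalation and capabilities.

Added example, not code from the original page. The manifest is handled as a
Python dict (the parsed output of `kubectl get deploy test -o json`); the
sample manifests below are constructed from the page's YAML.
"""
from typing import Any, Dict, List, Optional

# Fields present on both PodSecurityContext and the container SecurityContext;
# the container value wins when both are set. privileged, capabilities and
# allowPrivilegeEscalation exist only at container level.
INHERITED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")


def deployment(container_sc: Dict[str, Any]) -> Dict[str, Any]:
    """The page's test Deployment with the given container securityContext
    (constructed sample, trimmed to the fields the audit reads)."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "test"},
        "spec": {"template": {"spec": {
            "securityContext": {"runAsUser": 1000},  # pod level, as on the page
            "containers": [{"name": "test",
                            "image": "quay.io/cloudwalker/alp.kadm",
                            "securityContext": container_sc}],
        }}},
    }


PRIVILEGED = deployment({"privileged": True})
DEFAULT_CAPS = deployment({"privileged": False})
HARDENED = deployment({"privileged": False,
                       "allowPrivilegeEscalation": False,
                       "capabilities": {"drop": ["ALL"]}})


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec of a Pod, or of a workload carrying a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def effective_context(pod_sc: Optional[Dict[str, Any]],
                      container: Dict[str, Any]) -> Dict[str, Any]:
    """Merge the pod-level securityContext into a container's own context."""
    merged = {k: v for k, v in (pod_sc or {}).items() if k in INHERITED_FIELDS}
    merged.update(container.get("securityContext") or {})
    return merged


def normalise_caps(names: Optional[List[str]]) -> set:
    """Accept 'cap_sys_admin', 'CAP_SYS_ADMIN' or 'SYS_ADMIN' as the same capability."""
    out = set()
    for name in names or []:
        name = name.upper()
        out.add(name[4:] if name.startswith("CAP_") else name)
    return out


def audit_container(name: str, sc: Dict[str, Any]) -> List[str]:
    findings = []
    privileged = bool(sc.get("privileged", False))
    caps = sc.get("capabilities") or {}
    added = normalise_caps(caps.get("add"))
    dropped = normalise_caps(caps.get("drop"))

    if privileged:
        findings.append(f"{name}: privileged=true, bounding set holds every capability")
    # Unset allowPrivilegeEscalation behaves as true (no_new_privs is not set),
    # and Kubernetes treats it as true for privileged containers and for
    # containers granted CAP_SYS_ADMIN regardless of the field's value.
    if sc.get("allowPrivilegeEscalation", True) or privileged or "SYS_ADMIN" in added:
        findings.append(f"{name}: allowPrivilegeEscalation effectively true, "
                        "setuid programs such as sudo can still gain privileges")
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities.drop lacks ALL, default capability set kept")
    if added:
        findings.append(f"{name}: capabilities added back: {', '.join(sorted(added))}")
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        findings.append(f"{name}: runAsUser/runAsNonRoot not set, may run as uid 0")
    return findings


def audit(manifest: Dict[str, Any]) -> List[str]:
    """Audit every init container and container of the manifest's pod spec."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    findings: List[str] = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        findings += audit_container(c["name"], effective_context(pod_sc, c))
    return findings


if __name__ == "__main__":
    for label, manifest in (("privileged", PRIVILEGED),
                            ("default caps", DEFAULT_CAPS),
                            ("hardened", HARDENED)):
        print(f"{label}: {audit(manifest) or ['no findings']}")
```

The `privileged: false` manifest on its own still yields two findings, which matches the page's middle section: the default capability set and the missing `no_new_privs` flag are what let sudo work until `allowPrivilegeEscalation: false` and `drop: [ALL]` are added.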