Measures

To minimize the risks associated with privileged processes in Kubernetes pods, the following best practices should be implemented:

Pod Security Standards (PSS) are a set of predefined security policies designed to enforce best practices in Kubernetes clusters. PSS operates at the namespace or cluster level, ensuring that workloads adhere to specific security guidelines. The three levels of PSS are:

1. Privileged:

   • Least restrictive policy.

   • Typically used for trusted workloads, such as infrastructure-level tasks managed by cluster administrators.

2. Baseline:

   • A balanced approach between usability and security.

   • Prevents known privilege escalations while allowing most workloads to function without significant changes.

3. Restricted:

   • Most restrictive policy.

   • Enforces strict security configurations, such as disabling privilege escalation and requiring the use of non-root users.

These policies are enforced using the Pod Security Admission (PSA) controller, which validates pod specifications during creation and updates. PSA is available by default in Kubernetes 1.23 and later versions.

PSS can be applied at different scopes to suit organizational needs:

1. Cluster-Level Enforcement: Use the AdmissionConfiguration resource to set default security policies for the entire cluster. For example:

   apiVersion: apiserver.config.k8s.io/v1
   kind: AdmissionConfiguration
   plugins:
   - name: PodSecurity
     configuration:
       apiVersion: pod-security.admission.config.k8s.io/v1
       kind: PodSecurityConfiguration
       defaults:
         enforce: "baseline"
         enforce-version: "latest"
         audit: "restricted"
         audit-version: "latest"
         warn: "restricted"
         warn-version: "latest"
       exemptions:
         namespaces: ["kube-system"]

2. Namespace-Level Enforcement: Apply specific policies to namespaces using labels. For instance, to enforce the "restricted" policy:

   kubectl label --overwrite namespace my-namespace \
     pod-security.kubernetes.io/enforce=restricted \
     pod-security.kubernetes.io/audit=restricted \
     pod-security.kubernetes.io/warn=restricted

1. Drop All Capabilities by Default: Minimize unnecessary privileges by dropping all Linux capabilities unless explicitly required. Example:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: restricted-app
   spec:
     template:
       spec:
         containers:
         - name: app-container
           image: app:latest
           securityContext:
             capabilities:
               drop:
                 - ALL

2. Restrict Privilege Escalation: Prevent privilege escalation within pods by setting allowPrivilegeEscalation to false:

   securityContext:
     allowPrivilegeEscalation: false

3. Run as Non-Root: Configure pods to run containers as non-root users to reduce attack surface:

   securityContext:
     runAsNonRoot: true
     runAsUser: 1000

4. Enable Seccomp Profiles: Use Seccomp profiles to restrict system calls that containers can make:

   securityContext:
     seccompProfile:
       type: RuntimeDefault

Before deploying workloads, ensure that they comply with the enforced PSS policies. For example, if a namespace enforces the "restricted" policy, deploying a pod with privilege escalation enabled will result in a validation error.

kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Pod
metadata:
  name: test-pod
  namespace: restricted-namespace
spec:
  containers:
  - name: test-container
    image: nginx:latest
    securityContext:
      allowPrivilegeEscalation: true
EOF

The above command will fail, showing violations against the "restricted" policy.

For more granular control at the pod level, consider using tools like:

1. Kyverno: Kubernetes-native policy management tool.

2. Open Policy Agent (OPA) with Gatekeeper: Extends Kubernetes policy enforcement capabilities.