
Security Context

Security Context
Tips and Tricks

For simulated practice problems, visit KillerCoda.
  1. Create a busybox pod named bi whose security context sets the user to 500 and the group to 800. Run the command sleep 3600 in the pod.

    Solution

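    # generate pod yaml; --command puts "sleep 3600" into the container's
    # command field up front, so only the securityContext has to be added by hand
    k run bi --image=busybox --dry-run=client -o yaml --command -- sleep 3600 > pod.yaml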
    
    # modify pod yaml: the pod-level securityContext is inherited by every
    # container in the pod unless a container overrides it in its own securityContext
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: bi
      labels:
        run: bi
      creationTimestamp: null
    spec:
      restartPolicy: Always
      dnsPolicy: ClusterFirst
      # every process in the pod starts as uid 500 / gid 800
      # (runAsNonRoot: true would additionally reject a root image at
      # admission time, but the task only asks for the user and group)
      securityContext:
        runAsUser: 500
        runAsGroup: 800
      containers:
        - name: bi
          image: busybox
          command:
            - sleep
            - "3600"
          resources: {}
    
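    # create the pod
    k create -f pod.yaml

    # give the container time to start; an exec issued while the pod is still
    # ContainerCreating is rejected
    k wait --for=condition=Ready pod/bi --timeout=60s

    # check the effective identity inside the container; expect uid=500 gid=800
    # (no tty is needed for a one-shot command such as id)
    k exec bi -- id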

  2. Run an nginx:alpine pod named scorpion whose running container must not allow privilege escalation.

    Solution

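    # generate pod yaml; the flags are spelled out (rather than a $dr shell
    # variable defined elsewhere) so the command also works in a fresh shell
    k run scorpion --image=nginx:alpine --dry-run=client -o yaml > pod.yaml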
    
    # modify pod yaml: allowPrivilegeEscalation is a container-level field only
    # (there is no pod-level equivalent), so it goes under containers[].securityContext
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: scorpion
      labels:
        run: scorpion
      creationTimestamp: null
    spec:
      restartPolicy: Always
      dnsPolicy: ClusterFirst
      containers:
        - name: scorpion
          image: nginx:alpine
          securityContext:
            # Kubernetes treats this as true regardless of what is written here
            # when the container is privileged or is granted CAP_SYS_ADMIN, so
            # do not combine it with either of those
            allowPrivilegeEscalation: false
    
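    # create the pod
    k create -f pod.yaml

    # verify the field was stored as set; expect: false
    k get pod scorpion -o jsonpath='{.spec.containers[0].securityContext.allowPrivilegeEscalation}{"\n"}'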

  3. Run an nginx:alpine pod named proc whose container has the NET_ADMIN and SYS_TIME capabilities added.

    Solution

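    # generate pod yaml; the flags are spelled out (rather than a $dr shell
    # variable defined elsewhere) so the command also works in a fresh shell
    k run proc --image=nginx:alpine --dry-run=client -o yaml > pod.yaml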
    
    # modify pod yaml: capabilities are a container-level setting; both of these
    # widen what the container can do to the kernel, so add only what the task requires
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: proc
      labels:
        run: proc
      creationTimestamp: null
    spec:
      restartPolicy: Always
      dnsPolicy: ClusterFirst
      containers:
        - name: proc
          image: nginx:alpine
          securityContext:
            capabilities:
              # SYS_TIME: set the system clock; the wall clock is not namespaced,
              #   so this affects the node, not just the container
              # NET_ADMIN: reconfigure the pod's network stack (interfaces, routes, firewall rules)
              # NOTE(review): added capabilities land in the effective set of a root (uid 0)
              #   process; nginx:alpine starts as root, but a runAsUser override would
              #   leave them unused unless the binary carries file capabilities
              add:
                - SYS_TIME
                - NET_ADMIN
    
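    # create the pod
    k create -f pod.yaml

    # verify the added capabilities are in the stored spec; expect: ["SYS_TIME","NET_ADMIN"]
    k get pod proc -o jsonpath='{.spec.containers[0].securityContext.capabilities.add}{"\n"}'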