#2 Adds more sec ctx good practices

3-security-context/Readme.md

@@ -1,15 +1,18 @@
 # Security Context and Security Policy Demo
 
-![Clusters, Namespaces and Pods](http://www.plantuml.com/plantuml/svg/dP2nQWCn38PtFuMuGZE5qWP2nj12nXB8M3gebdgOEqk7hEDIIjwzlZH3iaQJ_Vdt_u6snT5yp7qeNP813JCaSRPlZ0o_0U0LOzUQZa9lsgl1myiALqJpYngnNUZpUhtPK3Y5go8qq-bSSllr9XGr3oeiVeSDOAVY5xOxprmUH8cXEN0SBVbFjOlpqU4HzeTzKpq1OAWYR6lg7JENUcDOJAcdvSJ55mtK5DJva3R9yVF__9LSCAUdQqOQExPb6KbdKksdi6MXkj8_)
+![Clusters, Namespaces and Pods](http://www.plantuml.com/plantuml/svg/bO-nQWCn38PtFuMvGZFTq0P2nj12nXB8M3gOatgOioKZoxsKSkzUEzoGZD5aFad_PnsoEj4IWycJf-J4HUj9KRxTWFRFMFlcXcaKBWJl75Ziq-lMRG5QXmLGLlgos-ttO1Pp4-H4UBw6tAtU3mqS4nEIFcnhzCYaApjUguKROa3RdN4eulMtsadnelRPdiwdhdhgOgeYDzQf3nSnftRjPlO1-XcpRZhRVbFhaqPFbw-RTryeYV_n0KU4jG4yJ2XzBi2DBCOive049OP_)
 
 You can choose between the interactive demo:
 
 ```bash
+cd demo
 ./interactive-demo.sh
 ```
+Note that the demo requires [bat](https://github.com/sharkdp/bat) for pretty printing the files.
 
-And a manual demo. To only print the commands just run:
+Alternatively, you could print a transcript of the demo for doing the demo manually
 
 ```bash
+cd demo
 PRINT_ONLY=true ./interactive-demo.sh
 ```

3-security-context/create-clusters.sh

@@ -3,24 +3,25 @@ set -o errexit -o nounset -o pipefail
 
 BASEDIR=$(dirname $0)
 ABSOLUTE_BASEDIR="$( cd ${BASEDIR} && pwd )"
+PSPDIR=${ABSOLUTE_BASEDIR}/../4-pod-security-policies/demo
 
 source ${ABSOLUTE_BASEDIR}/../config.sh
 source ${ABSOLUTE_BASEDIR}/../utils.sh
 
 
 function main() {
 
-    createCluster "${CLUSTER3}" "2" "--enable-pod-security-policy --enable-network-policy"
+    createCluster "${CLUSTER3}" "2" "--enable-pod-security-policy --enable-network-policy "
 
     # Become cluster admin, so we are authorized to create role for PSP
     becomeClusterAdmin
 
     # Make sure we're in a namespace that does not have any netpols
-    kubectl create namespace wild-west
+    kubectlIdempotent create namespace wild-west
     kubectl config set-context $(kubectl config current-context) --namespace=wild-west
 
     # Start with a privileged PSP. Makes sure deployments are allowed to create pods
-    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/psp-privileged.yaml
+    kubectl apply -f ${PSPDIR}/psp-privileged.yaml
     kubectl create role psp:privileged \
         --verb=use \
         --resource=podsecuritypolicy \
@@ -30,11 +31,18 @@ function main() {
         --serviceaccount=wild-west:default
 
     kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/02-deployment-run-as-non-root-unprivileged.yaml
-    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/04-deployment-allow-no-privilege-escalation.yaml
-    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/05-deployment-read-only-fs.yaml
-    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/06-deployment-nginx-read-only-fs.yaml
-    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/07-deployment-nginx-read-only-fs-empty-dirs.yaml
-    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/11-statefulset.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/03-deployment-run-as-user-unprivileged.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/05-deployment-allow-no-privilege-escalation.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/06-deployment-seccomp.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/07-deployment-run-without-caps.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/08-deployment-run-with-certain-caps.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/09-deployment-run-without-caps-unprivileged.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/10-deployment-read-only-fs.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/11-deployment-nginx-read-only-fs.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/12-deployment-nginx-read-only-fs-empty-dirs.yaml
+    kubectl apply -f ${ABSOLUTE_BASEDIR}/demo/13-deployment-all-at-once.yaml
+
+    kubectl apply -f ${PSPDIR}/11-statefulset.yaml
 }
 
 main "$@"

3-security-context/demo/03-deployment-run-as-user-unprivileged.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: run-as-user-unprivileged
+  name: run-as-user-unprivileged
+spec:
+  selector:
+    matchLabels:
+      run: run-as-user-unprivileged
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        run: run-as-user-unprivileged
+    spec:
+      containers:
+      - image: nginxinc/nginx-unprivileged:1.17.2
+        name: run-as-user-unprivileged
+        securityContext:
+          runAsUser: 100000
+          runAsGroup: 100000

3-security-context/demo/04-deployment-run-as-user.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: run-as-user
+  name: run-as-user
+spec:
+  selector:
+    matchLabels:
+      run: run-as-user
+  template:
+    metadata:
+      labels:
+        run: run-as-user
+    spec:
+      containers:
+      - image: nginx:1.17.2
+        name: run-as-user
+        securityContext:
+          runAsUser: 100000
+          runAsGroup: 100000

3-security-context/demo/06-deployment-seccomp.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: run-with-seccomp
+  name: run-with-seccomp
+spec:
+  selector:
+    matchLabels:
+      run: run-with-seccomp
+  template:
+    metadata:
+      labels:
+        run: run-with-seccomp
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: runtime/default
+    spec:
+      containers:
+      - image: nginx:1.17.2
+        name: run-with-seccomp

3-security-context/demo/07-deployment-run-without-caps.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: run-without-caps
+  name: run-without-caps
+spec:
+  selector:
+    matchLabels:
+      run: run-without-caps
+  template:
+    metadata:
+      labels:
+        run: run-without-caps
+    spec:
+      containers:
+      - image: nginx:1.17.2
+        name: run-without-caps
+        securityContext:
+          capabilities:
+            drop:
+              - ALL

3-security-context/demo/08-deployment-run-with-certain-caps.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: run-with-certain-caps
+  name: run-with-certain-caps
+spec:
+  selector:
+    matchLabels:
+      run: run-with-certain-caps
+  template:
+    metadata:
+      labels:
+        run: run-with-certain-caps
+    spec:
+      containers:
+      - image: nginx:1.17.2
+        name: run-with-certain-caps
+        securityContext:
+          capabilities:
+            drop:
+              - ALL
+            add:
+              - CHOWN
+              - NET_BIND_SERVICE
+              - SETGID
+              - SETUID

3-security-context/demo/09-deployment-run-without-caps-unprivileged.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: run-without-caps-unprivileged
+  name: run-without-caps-unprivileged
+spec:
+  selector:
+    matchLabels:
+      run: run-without-caps-unprivileged
+  template:
+    metadata:
+      labels:
+        run: run-without-caps-unprivileged
+    spec:
+      containers:
+      - image: nginxinc/nginx-unprivileged:1.17.2
+        name: run-without-caps-unprivileged
+        securityContext:
+          capabilities:
+            drop:
+              - ALL

3-security-context/demo/13-deployment-all-at-once.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    run: all-at-once
+  name: all-at-once
+spec:
+  selector:
+    matchLabels:
+      run: all-at-once
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        run: all-at-once
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: runtime/default 
+    spec:
+      containers:
+          # Another suitable example springcommunity/spring-framework-petclinic:5.1.5
+        - image: nginxinc/nginx-unprivileged:1.17.2
+          name: all-at-once
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 100000
+            runAsGroup: 100000
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}