Kubernetes PSP (Pod Security Policy) using kubiscan about kubiscan HOT 27 CLOSED

yes that is OK, normally people should check pod under namespace, under kube-system it will give.

The features you should maintain under -pp

from kubiscan.

Put all PSP (Pod Security Policy) related things under -pp

from kubiscan.

It can be implemented but this is a new vector. The focus of KubiScan was to scan for risky permissions and how they affect the roles, bindings, users and pods.
We can add PSP but we need to understand what we want to get from it. Risky PSPs ? Like, PSPs that if someone will use them, it will create privileged containers? In such, case we can just go and search for privileged containers directly (by inspecting each Pod\container YAML).

from kubiscan.

PSP cover lots but if we focus below ..

Pods root privileges
Host PID access
Host network access
Host port access
Host volume access

I think that will be enough coverage in addition to risky pod.

from kubiscan.

Why not just check the configuration of each pod\container and check its security context?

from kubiscan.

Check when pod going to start/launch

from kubiscan.

I added an option to check the security context of pods and search for pods with security context of privileged, root user, dangerous capabilities and if the flag allow privilege escalation is set.

from kubiscan.

How to use?

Same risky pod (-rp) switch will give result along with ?

from kubiscan.

-pp

from kubiscan.

Its working fine but its not capturing hostnetwork.

If I mention pod defination hostNetwork: true or hostPort then its not capturing.

Basically usage of the hostPort is considered a privileged operation on OpenShift.

My target is it should capture below all

Host PID access
Host network access
Host port access
Host volume access

trying to make this tool compatible with all kubernetes flavor in including openshift.

from kubiscan.

I can see the Host PID and Host network fields in the PodSpec:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#podspec-v1-core

Where the Host port should be find?

Regarding the volume access I will check it but maybe I have something that already does it l, this is the -psv switch that shows all the mounted volumes to the pods.
We also have the -pse that shows all the environment variables mounted to the pods.

from kubiscan.

hostport as use as follows ...

If hostPort setting applies to the Kubernetes containers. The container port will be exposed to the external network at :, where the hostIP is the IP address of the Kubernetes node where the container is running and the hostPort is the port requested by the user.

The hostPort feature allows to expose a single container port on the host IP. Using the hostPort to expose an application to the outside of the Kubernetes cluster and it has the some drawbacks, two containers using the same hostPort cannot be scheduled on the same node.

psv Show Pods that has access to the secret data through a Volume
and
pse Show Pods that has access to the secret data through a Environment.

I do not think it does any Host volume access

from kubiscan.

Regarding the hostPort, I don't understand why it is being considered as a privileged operation on OpenShift.
When we are talking about privileged containers, the idea is that if an attacker is inside the container, he has root privileged, high capabilities, break out to the host or control other containers.
An exposed port, just shows that exposed port of the container on the master. It doesn't mean you can do something interesting with this if I compare it to the other operations I mentioned.

from kubiscan.

It's a security whole, if somehow anyone use hostport in pod then that port is locked in that host where that container deployed.
Nobody can use that port and attacker can try to access cluster using hostport.

from kubiscan.

In PSP (Pod Security Policy) below link I think you capturing only "privileged" field.

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy

If you consider following field also then it will be more effective regarding privileged/risky pod

from kubiscan.

Yes, it sounds like a good suggestion.
I will check it and update.

from kubiscan.

Any update?

from kubiscan.

Added support to hostPID and hostIPC.
Regarding readOnlyRootFilesystem I saw that the default is false which indicates that you can write to the root filesystem.
As this is the default, it will make lots of "noise" because most of the pods will have this field set to false, don't you think ? We will get probably all the pods appeared as "privileged".

from kubiscan.

if someone use readOnlyRootFilesystem true then kubiscan should catch.

from kubiscan.

I did some tests with:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: alpine
spec:
  containers:
  - name: alpine
    image: alpine
    command: ["sleep 99d"]
    ports:
      - containerPort: 6666
        hostPort: 6666
  hostNetwork: true
  hostIPC: true
  hostPID: true
EOF

The hostNetwork field show more containers:

I guess I just need to check the allowedHostPath, I need to decide to what feature to add it (-psv or -pp).

from kubiscan.

I checked but what I noticed earlier -pp works with -n <namespace>

Now its show privileged pod under all namespace.

from kubiscan.

It now prints also the host paths which make it more "noisy":

Regarding the namespaces, if you not specify a namespace it will print for all the namespaces. Other option is to make that if you not specify a namespace it will print for the "default" namespace. But I think it is fine like that (prints for all the namespaces as default).

You can use namespaces, for example: kubiscan -pp -ns default:

from kubiscan.

Notice to use -ns instead of -n.
I created -ns for --namespaces because the -n was taken for --name.

from kubiscan.

It was my typo. But I always use -ns.

Tomorrow I will check & update you.

from kubiscan.

No twitter or linkedin?

from kubiscan.

OK, so contact me: Eviatar Gerzi

from kubiscan.

closing

from kubiscan.