12.3 Pod security context
Some Pods can request additional privileges.
This won't work in an Autopilot cluster; rejecting privileged containers is one of the additional security properties of Autopilot:
$ kubectl create -f Chapter12/12.3_PodSecurityContext/admin-ds.yaml
Error from server (GKE Warden constraints violations): error when creating "Chapter12/12.3_PodSecurityContext/admin-ds.yaml": admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more constraints.
Violations details: {"[denied by autogke-disallow-privilege]":["container admin-container is privileged; not allowed in Autopilot"]}
Requested by user: '[email protected]', groups: 'system:authenticated'.
If you run it in a GKE node-based cluster instead, it succeeds:
$ kubectl create -f Chapter12/12.3_PodSecurityContext/admin-ds.yaml
daemonset.apps/admin-workload created
Then exec into one of the Pods:
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
admin-workload-65mpz 1/1 Running 0 10s
admin-workload-l5twl 1/1 Running 0 9s
admin-workload-sh8gd 1/1 Running 0 9s
~/kubernetes-for-developers$ kubectl exec -it admin-workload-65mpz -- bash
From inside the privileged container you can perform privileged operations, such as mounting the host's root filesystem:
root@admin-workload-65mpz:/# df
Filesystem 1K-blocks Used Available Use% Mounted on
overlay 98831908 3954368 94861156 5% /
tmpfs 65536 0 65536 0% /dev
/dev/sda1 98831908 3954368 94861156 5% /etc/hosts
shm 65536 0 65536 0% /dev/shm
tmpfs 2877096 12 2877084 1% /run/secrets/kubernetes.io/serviceaccount
root@admin-workload-65mpz:/# mkdir /tmp/host
root@admin-workload-65mpz:/# mount /dev/sda1 /tmp/host
root@admin-workload-65mpz:/# cd /tmp/host
root@admin-workload-65mpz:/tmp/host# ls
dev_image etc home lost+found var var_overlay vmlinuz_hd.vblock
root@admin-workload-65mpz:/tmp/host#
By contrast, the following Pod has no such privileges.
If you attempt to mount the host disk here, you get an error like "special device /dev/sda1 does not exist.":
$ kubectl create -f Chapter12/12.3_PodSecurityContext/pod.yaml
pod/ubuntu created
$ kubectl exec -it ubuntu -- bash
I have no name!@ubuntu:/$ df
Filesystem 1K-blocks Used Available Use% Mounted on
overlay 98831908 4096440 94719084 5% /
tmpfs 65536 0 65536 0% /dev
/dev/sda1 98831908 4096440 94719084 5% /etc/hosts
shm 65536 0 65536 0% /dev/shm
tmpfs 2877096 12 2877084 1% /run/secrets/kubernetes.io/serviceaccount
tmpfs 2011476 0 2011476 0% /proc/acpi
tmpfs 2011476 0 2011476 0% /proc/scsi
tmpfs 2011476 0 2011476 0% /sys/firmware
I have no name!@ubuntu:/$ mkdir /tmp/host
I have no name!@ubuntu:/$ mount /dev/sda1 /tmp/host
mount: /tmp/host: special device /dev/sda1 does not exist.
I have no name!@ubuntu:/$
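The two runs above differ only in the Pod's `securityContext`: the DaemonSet asks for `privileged: true` and GKE Warden rejects it with "container admin-container is privileged", while the second Pod runs as a non-root UID (the `I have no name!` prompt is bash telling you the UID has no /etc/passwd entry) and cannot touch `/dev/sda1`. The script below is an added example, not code from the book or from GKE: it performs the same kind of static check on a manifest before it ever reaches an admission webhook. The two manifests are constructed as Python dicts and are assumptions about what `admin-ds.yaml` and `pod.yaml` might contain; only the names `admin-workload`, `admin-container` and `ubuntu` come from the page. Beyond the privileged check the page shows, it also flags privilege escalation, host namespaces and a missing `runAsNonRoot`, which are further restrictions of the same family, not rules the page shows Autopilot applying.

```python
"""Static Pod security context check, modelled on the kind of constraint an
admission webhook such as GKE Warden enforces (privileged containers rejected).
Added example: not the book's code and not GKE's implementation."""
from __future__ import annotations
from typing import Iterator

# Constructed manifest (assumption about admin-ds.yaml): one privileged container.
ADMIN_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "admin-workload"},
    "spec": {
        "selector": {"matchLabels": {"app": "admin"}},
        "template": {
            "metadata": {"labels": {"app": "admin"}},
            "spec": {
                "containers": [{
                    "name": "admin-container",
                    "image": "ubuntu",
                    "command": ["sleep", "infinity"],
                    "securityContext": {"privileged": True},
                }]
            },
        },
    },
}

# Constructed manifest (assumption about pod.yaml): hardened, non-root container.
UNPRIVILEGED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "ubuntu"},
    "spec": {
        "containers": [{
            "name": "ubuntu",
            "image": "ubuntu",
            "command": ["sleep", "infinity"],
            "securityContext": {
                "runAsUser": 1000,                 # UID with no passwd entry -> "I have no name!"
                "runAsNonRoot": True,              # kubelet refuses to start it as UID 0
                "allowPrivilegeEscalation": False,  # blocks setuid binaries gaining privilege
                "capabilities": {"drop": ["ALL"]},  # no CAP_SYS_ADMIN, so no mount(2)
            },
        }]
    },
}


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec whether the manifest is a bare Pod or a workload controller."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    # DaemonSet, Deployment, StatefulSet and Job all embed a pod template here.
    return manifest["spec"]["template"]["spec"]


def containers(spec: dict) -> Iterator[dict]:
    """Yield init containers and regular containers alike; both get the same scrutiny."""
    for key in ("initContainers", "containers"):
        yield from spec.get(key, [])


def violations(manifest: dict) -> list[str]:
    """Return human-readable constraint violations; an empty list means the manifest is clean."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    found: list[str] = []
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        found.append("pod shares a host namespace (hostPID/hostNetwork/hostIPC)")
    for c in containers(spec):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            found.append(f"container {name} is privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            found.append(f"container {name} allows privilege escalation")
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            found.append(f"container {name} adds CAP_SYS_ADMIN")
        # Container-level runAsNonRoot overrides the pod-level value.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            found.append(f"container {name} does not enforce runAsNonRoot")
    return found


if __name__ == "__main__":
    for m in (ADMIN_DAEMONSET, UNPRIVILEGED_POD):
        problems = violations(m)
        verdict = "denied" if problems else "admitted"
        print(f"{m['kind']}/{m['metadata']['name']}: {verdict}")
        for p in problems:
            print(f"  - {p}")
```

Running the script reports the DaemonSet as denied (privileged, privilege escalation allowed, no `runAsNonRoot`) and the Pod as admitted, which matches the behaviour seen in the two terminal sessions above. On a real cluster the same policy is better enforced centrally, for instance with Pod Security Admission or a validating webhook, so that it applies to manifests that never passed through a developer's linter.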