Professional Documents
Culture Documents
Experience
Topics && Tips
© Learn with GVR
Who Iam I
Venkata Ramana Gali
- Senior Cloud DevOps Engineer/Architect
https://www.linkedin.com/in/venkataramanagali
https://www.youtube.com/channel/UCwopwnnBoKMOUEOl6lefM0w/videos
https://github.com/ramanagali
Refer: https://downloads.cisecurity.org/#/
Create PSP
Kube-APIServer level…
--enable-admission-plugins=NodeRestriction,PodSecurityPolicy
• Kube-APIServer level…
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
- --admission-control-config-file
=/etc/kubernetes/xyz/admission_configuration.json
© Learn with GVR
4. Audit Policy
• YAML File to capture events of API Calls
Priority: EMERGENCY/ALERT/CRITICAL/ERROR/WARNING/NOTICE/INFO/DEBUG
Kubernetes cluster
Systemctl restart falco
cd /var/log/pods/
ls -l
cd kube-system_kube-apiserver-controlplane_xxx/kube-apiserver
tail -f 1.log
From where you want to allow? If its blank then Deny all
From which CIDR you want to allow?
Except which CIDR (filter) ?
IMPORTENT: if YAML is specified as…
From what Namespace you want to allow ? > List then OR condition
> If not then AND condition
From which Pod you want to allow traffic?
Incoming Policy on what Port of Pod?
To where you want to allow outgoing? If its blank then Deny all
To which CIDR you want to allow outgoing?
© Learn with GVR
Outgoing Policy on what Port of Pod?
2. RBAC
Create Profile
apparmor_parser /given/path/file
aa-status | grep profile_name
Create Profile
Verify Pod
Kubernetes cluster
Install gVisor/kata
Create RunTimeClass
Verify Pod
Kubernetes cluster
Container1
securityContext
privileged: true
runAsUser: 0
allowPrivilegeEscalation:
true
readOnlyRootFilesystem: true