Kubernetes CKAD Hands-On Challenge #11 Security Contexts


19/05/2020 Kubernetes CKAD hands-on challenge #11 Security Contexts

Kubernetes CKAD hands-on challenge


#11 Security Contexts
Kim Wuestkamp Follow
Oct 15, 2019 · 4 min read

https://codeburst.io/kubernetes-ckad-hands-on-challenge-11-security-contexts-bbe1289a422d 1/11
It has been a while! But I wanted to create some more challenges, so let’s begin!

ALL CHALLENGES AND TIPS

Rules!
1. be fast, avoid creating yaml manually from scratch

2. use only kubernetes.io/docs for help.

3. check my solution after you did yours. You probably have a better one!

Be fast with Kubectl ≥ 1.18

Scenario Setup

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: bash
  name: bash
spec:
  volumes:
  - name: share
    emptyDir: {}
  containers:
  - command:
    - /bin/sh
    - -c
    - sleep 1d
    image: bash
    name: bash1
    volumeMounts:
    - name: share
      mountPath: /tmp/share
  - command:
    - /bin/sh
    - -c
    - sleep 1d
    image: bash
    name: bash2
    volumeMounts:
    - name: share
      mountPath: /tmp/share
  restartPolicy: Never

We have one pod with two containers of image bash which share an
emptyDir volume. Go get that pod running!

Today's Task: Security Contexts

1. Log into container bash1 and create a file in the shared volume. View that file and its permissions via container bash2.

2. Create a pod wide Security Context so that programs in all containers are run as user 21. Apply the changes and repeat step 1. Check file permissions and owner.

3. Create a Security Context for container bash1 to run programs as root. Hence files should be created as root too. Repeat step 1. Check file permissions and owner. Try to delete the file container bash1 created from container bash2. Does it work?

4. Prevent container bash2 with user 21 from removing files in the share based on Linux permissions in a persisted (yaml) way.

Solution
# 1 Create file in shared volume

alias k=kubectl

k exec bash -c bash1 -- touch /tmp/share/file


k exec -it bash -c bash2 -- ls -lh /tmp/share/file

# 2 Create Pod Wide SecurityContext

Add the pod wide SecurityContext to the deployment.yaml:

...

spec:
  securityContext:
    runAsUser: 21
  volumes:
  - name: share
    emptyDir: {}
  containers:
...

Then run:

k delete -f deployment.yaml


k create -f deployment.yaml

k exec bash -c bash1 -- touch /tmp/share/file

k exec bash -c bash2 -- ls -lh /tmp/share/file

k exec bash -c bash1 -- whoami

k exec bash -c bash2 -- whoami

Both containers are running as user ftp (21).

# 3 Create a container specific Security Context

...
  containers:
  - command:
    - /bin/sh
    - -c
    - sleep 1d
    image: bash
    name: bash1
    volumeMounts:
    - name: share
      mountPath: /tmp/share
    securityContext:
      runAsUser: 0
...

The container level securityContext overrides the pod scoped securityContext definition for bash1 only; bash2 keeps running as user 21.

k delete -f deployment.yaml

k create -f deployment.yaml

k exec bash -c bash1 -- touch /tmp/share/file

k exec bash -c bash2 -- ls -lh /tmp/share/file

k exec bash -c bash1 -- whoami

k exec bash -c bash2 -- whoami

k exec bash -c bash2 -- rm /tmp/share/file

k exec bash -c bash2 -- find /tmp/share

File is gone! Crazy! Why?

It is because of the parent folder permissions: deleting a file requires write permission on the directory, not on the file itself. The emptyDir mount /tmp/share is writable by everyone, so user 21 can unlink a file that root created there.

# 4 Prevent container bash2 from removing volume files

We could simply run chmod on the shared directory when container bash1 starts:

...

  containers:
  - command:
    - /bin/sh
    - -c
    - chmod og-w -R /tmp/share && sleep 1d
    image: bash
    name: bash1
...

But could there be a chance that container bash2 boots up a millisecond earlier and has write access for a short time? To be sure we could use an InitContainer which sets permissions. Here the whole file:

Recap
We played around a little with Security Contexts and filesystem permissions
of volumes. There is more though!

ALL CHALLENGES AND TIPS


More challenges on

https://killer.sh

Docker Ckad Kubernetes K8s Cka
