CKS Exam Series #10 Container Hardening
Kubernetes CKS Example Exam Question Series
#####################################
THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:
https://killercoda.com/killer-shell-cks
######################################
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
→ Check out the FULL CKS COURSE on Udemy ←
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you did yours. You probably have a better one!
Todays Task: Harden a given Docker Container
FROM ubuntu
RUN apt-get update
RUN apt-get -y install curl
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]It’s a simple container which tries to make a curl call to an imaginary api, also passing a secret token.
- Use a specific version for the base image
- Curl should be at least version
7.67.0(or any other version your base image contains) - Remove layer caching issues with
apt-get - Remove the hardcoded secret value
2e064aad-3a90–4cde-ad86–16fad1f8943e. The secret value should be passed into the container during runtime - Make it impossible to
docker execorkubectl execinto the container usingbash
Solution
You should be familiar with the Docker Best Practices.
To build and run the container we can do:
docker build -t app . && docker run app1. + 2. Specific Package Versions
FROM ubuntu:20.10
RUN apt-get update
RUN apt-get -y install curl>=7.67.0
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]To find package versions you can run:
docker run app apt-cache show curl3. Layer Caching
FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl>=7.67.0
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]Every RUN line creates a new image layer. If update and install are in different lines it could be that the update-layer is outdated. More about this here: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
4. Secret as runtime Env variable
FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl>=7.67.0
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=$SECRET"]Then to run:
docker build -t app .docker run -e SECRET=2e064aad-3a90-4cde-ad86-16fad1f8943e app
5. Prevent Bash exec
(Instead of removing binaries it might be even better to start from a scratch container, only adding those binaries needed to run your app)
FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl>=7.67.0
ENV URL my-service-url.com?secret-token
RUN rm /usr/bin/bash
CMD ["sh", "-c", "curl --head $URL=$SECRET"]Test it:
docker build -t appdocker run -d -e SECRET=2e064aad-3a90-4cde-ad86-16fad1f8943e app sleep 1d # run in backgrounddocker ps | grep appdocker exec -it 4a848daec2e2 bash # failsdocker exec -it 4a848daec2e2 sh # works
You have a different solution?
Let us know by writing a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!
Ready to join Killer Shell?
FULL CKS COURSE
…or the CKS SIMULATOR
