CKS Exam Series #10 Container Hardening

Kim Wuestkamp
Published in ITNEXT
3 min read · Mar 7, 2021

CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating YAML manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you have done yours. You probably have a better one!

Today's Task: Harden a given Docker Container

FROM ubuntu
RUN apt-get update
RUN apt-get -y install curl
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]

It's a simple container that makes a curl call to an imaginary API, passing a secret token in the URL.

  1. Use a specific version for the base image
  2. Curl should be at least version 7.67.0 (or any other version your base image contains)
  3. Remove layer caching issues with apt-get
  4. Remove the hardcoded secret value 2e064aad-3a90-4cde-ad86-16fad1f8943e. The secret value should be passed into the container during runtime
  5. Make it impossible to docker exec or kubectl exec into the container using bash

Solution

You should be familiar with the Docker Best Practices.

To build and run the container we can do:

docker build -t app . && docker run app

1. + 2. Specific Package Versions

FROM ubuntu:20.10
RUN apt-get update
RUN apt-get -y install curl=7.67.*
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]

To find the package version your base image ships, run:

docker run app apt-cache show curl

apt-get pins with an exact package=version (a trailing * glob such as curl=7.67.* is accepted); it has no >= operator, and an unquoted >= in a RUN line is a shell redirection to a file, not a version constraint. Use the version apt-cache reports for your base image.

3. Layer Caching

FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl=7.67.*
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]

Every RUN line creates a new image layer. If update and install are in separate RUN lines, a rebuild can reuse a cached, outdated update layer and install stale packages. More about this here: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run

4. Secret as runtime Env variable

FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl=7.67.*
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=$SECRET"]

Then to run:

docker build -t app .
docker run -e SECRET=2e064aad-3a90-4cde-ad86-16fad1f8943e app

5. Prevent Bash exec

(Instead of removing binaries it might be even better to start from a scratch image, adding only the binaries your app needs.)

FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl=7.67.*
ENV URL my-service-url.com?secret-token
RUN rm /usr/bin/bash
CMD ["sh", "-c", "curl --head $URL=$SECRET"]

Test it:

docker build -t app .
docker run -d -e SECRET=2e064aad-3a90-4cde-ad86-16fad1f8943e app sleep 1d # run in background
docker ps | grep app
docker exec -it 4a848daec2e2 bash # fails
docker exec -it 4a848daec2e2 sh # works
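As an added example (not from the original post), a small shell checker that flags the five task items in a Dockerfile; it embeds constructed before/after Dockerfiles and assumes only grep with -E support:

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flags the five hardening gaps of
# today's task in a Dockerfile using only grep -E. write_samples creates two
# constructed Dockerfiles, the "before" and the "after" state of the task.
check_dockerfile() {
  f=$1
  # 1. FROM without ":tag" or "@digest" (FROM ubuntu instead of FROM ubuntu:20.10)
  grep -E '^FROM[[:space:]]' "$f" | grep -Evq '^FROM[[:space:]]+[^[:space:]]+[:@]' \
    && echo "1 base image is not pinned to a tag or digest"
  # 2. apt-get install without a pkg=version pin. apt has no '>=' operator and an
  #    unquoted 'curl>=7.67.0' is a shell redirection into a file named '=7.67.0'.
  grep -E '^RUN.*apt-get.*install' "$f" | grep -Evq 'install[^&|;]*[[:alnum:].+-]+=[0-9]' \
    && echo "2 apt package version is not pinned"
  # 3. apt-get update alone in a RUN line: a rebuild may reuse a stale cached layer
  grep -Eq '^RUN[[:space:]]+apt-get[[:space:]]+update[[:space:]]*$' "$f" \
    && echo "3 apt-get update is in its own layer, separate from install"
  # 4. a UUID-shaped literal anywhere in the file (the hardcoded token)
  grep -Eiq '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' "$f" \
    && echo "4 hardcoded secret-looking value"
  # 5. no RUN removes bash, so 'exec -it <id> bash' would still succeed
  grep -Eq '^RUN.*rm[[:space:]].*/bash' "$f" \
    || echo "5 bash is still present in the image"
  return 0
}
# number of findings for a Dockerfile (0 means all five checks pass)
count_findings() { check_dockerfile "$1" | wc -l | tr -d ' '; }
write_samples() {
  BEFORE=$(mktemp); AFTER=$(mktemp)
  cat >"$BEFORE" <<'EOF'
FROM ubuntu
RUN apt-get update
RUN apt-get -y install curl
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]
EOF
  cat >"$AFTER" <<'EOF'
FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl=7.67.*
ENV URL my-service-url.com?secret-token
RUN rm /usr/bin/bash
CMD ["sh", "-c", "curl --head $URL=$SECRET"]
EOF
}
write_samples
echo "before: $(count_findings "$BEFORE") findings"; check_dockerfile "$BEFORE"
echo "after:  $(count_findings "$AFTER") findings"
```

Point check_dockerfile at your own Dockerfile to see which of the five items still apply.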

You have a different solution?

Let us know by writing a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks

Published in ITNEXT

ITNEXT is a platform for IT developers & software engineers to share knowledge, connect, collaborate, learn and experience next-gen technologies.

Written by Kim Wuestkamp

killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes