CKS Exam Series #10 Container Hardening
Kubernetes CKS Example Exam Question Series

#####################################
THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:
https://killercoda.com/killer-shell-cks
######################################
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you did yours. You probably have a better one!
Today's Task: Harden a given Docker Container
FROM ubuntu
RUN apt-get update
RUN apt-get -y install curl
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]
It's a simple container which tries to make a curl call to an imaginary API, also passing a secret token.
- Use a specific version for the base image
- Curl should be at least version 7.67.0 (or any other version your base image contains)
- Remove layer caching issues with apt-get
- Remove the hardcoded secret value 2e064aad-3a90-4cde-ad86-16fad1f8943e. The secret value should be passed into the container during runtime
- Make it impossible to docker exec or kubectl exec into the container using bash
Solution
You should be familiar with the Docker Best Practices.
To build and run the container we can do:
docker build -t app . && docker run app
1. + 2. Specific Package Versions
FROM ubuntu:20.10
RUN apt-get update
# apt-get pins exact versions only (package=version); ">=" is not apt syntax, and
# unquoted sh would read ">=7.67.0" as an output redirect. Pick a version >= 7.67.0
# from what apt-cache reports for the base image (see below).
RUN apt-get -y install curl=<version-from-apt-cache>
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]
To find package versions you can run:
docker run app apt-cache show curl
3. Layer Caching
FROM ubuntu:20.10
# exact version from apt-cache (apt has no ">=" pinning)
RUN apt-get update && apt-get -y install curl=<version-from-apt-cache>
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]
Every RUN line creates a new image layer. If update and install are in different lines, Docker can reuse a cached update layer from an earlier build, so the install step works with outdated package lists. More about this here: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
4. Secret as runtime Env variable
FROM ubuntu:20.10
# exact version from apt-cache (apt has no ">=" pinning)
RUN apt-get update && apt-get -y install curl=<version-from-apt-cache>
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=$SECRET"]
Then to run:
docker build -t app .
docker run -e SECRET=2e064aad-3a90-4cde-ad86-16fad1f8943e app
5. Prevent Bash exec
(Instead of removing binaries it might be even better to start from a scratch container, only adding those binaries needed to run your app. Removing bash only blocks bash: as the test below shows, sh still works, which is why a minimal image is the stronger option.)
FROM ubuntu:20.10
# exact version from apt-cache (apt has no ">=" pinning)
RUN apt-get update && apt-get -y install curl=<version-from-apt-cache>
ENV URL my-service-url.com?secret-token
RUN rm /usr/bin/bash
CMD ["sh", "-c", "curl --head $URL=$SECRET"]
Test it:
docker build -t app .
docker run -d -e SECRET=2e064aad-3a90-4cde-ad86-16fad1f8943e app sleep 1d # run in background
docker ps | grep app
docker exec -it 4a848daec2e2 bash # fails
docker exec -it 4a848daec2e2 sh # works
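As an added check, not part of the original challenge or its solution, here is a small Python linter that applies the first four hardening rules of the task (pinned base image, update and install in one layer, pinned package versions, no hardcoded secret) to the starting Dockerfile and to a hardened copy. The curl version string in the hardened sample is a constructed placeholder.

```python
import re

# UUID-shaped token, the form of the secret embedded in the challenge Dockerfile
UUID_RE = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)
# apt-get [flags] install <packages...>; packages run until the next shell operator
APT_INSTALL_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*install\s+([^&|;]*)")

def instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, arg = line.partition(" ")
            yield instr.upper(), arg.strip()

def lint(dockerfile):
    """Return a list of findings; an empty list means all four rules pass."""
    findings = []
    for instr, arg in instructions(dockerfile):
        if instr == "FROM":
            image = arg.split()[0]
            name = image.rsplit("/", 1)[-1]  # strip registry/namespace
            if "@" not in name and (":" not in name or name.endswith(":latest")):
                findings.append(f"FROM: base image not pinned ({image})")
        elif instr == "RUN":
            install = APT_INSTALL_RE.search(arg)
            if "apt-get update" in arg and install is None:
                findings.append("RUN: apt-get update in its own layer (stale cache risk)")
            if install:
                pkgs = [p for p in install.group(1).split() if not p.startswith("-")]
                findings += [f"RUN: package version not pinned ({p})" for p in pkgs if "=" not in p]
        if instr in ("ENV", "ARG", "RUN", "CMD", "ENTRYPOINT") and UUID_RE.search(arg):
            findings.append(f"{instr}: hardcoded secret token in image")
    return findings

# Constructed sample input: the challenge's starting Dockerfile.
ORIGINAL = """FROM ubuntu
RUN apt-get update
RUN apt-get -y install curl
ENV URL my-service-url.com?secret-token
CMD ["sh", "-c", "curl --head $URL=2e064aad-3a90-4cde-ad86-16fad1f8943e"]
"""
# Constructed hardened copy; the curl version is a placeholder, not a real pin.
HARDENED = """FROM ubuntu:20.10
RUN apt-get update && apt-get -y install curl=7.68.0-1ubuntu4
ENV URL my-service-url.com?secret-token
RUN rm /usr/bin/bash
CMD ["sh", "-c", "curl --head $URL=$SECRET"]
"""
```

Running `lint(ORIGINAL)` reports all four issues, while `lint(HARDENED)` returns no findings; the fifth rule (bash removed) is a runtime property, checked with docker exec as above.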
You have a different solution?
Let us know by writing a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!