Questions tagged [kubernetes-security]

Questions related to Kubernetes security: from deploying cluster securely to running secure workloads on it.

116 questions

0 votes, 1 answer

Migrating from PSP to PSA

I’ve added the following labels to my namespace: pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/warn-version=latest All is fine and dandy but when I try to apply this Privileged…
Nopzen
0 votes, 0 answers

Trace and log commands executed in a k8s pod

I want to log all commands and subcommands executed in a k8s pod. This is possible, for example with auditbeat, on virtual machines. But I didn't find any useful tool or solution for k8s pods. I want to log all commands, for example if someone…
0 votes, 1 answer

AuthorizationPolicy configuration issue: JWT authentication not working within specified namespace

I'm currently facing an issue with the Istio AuthorizationPolicy configuration for JWT authentication. Our goal is to enable JWT authentication for traffic originating from outside the namespace, while allowing requests within the namespace to…
0 votes, 1 answer

pods is forbidden: User tote-admin cannot list resource pods in API group at the cluster scope

I am creating a new user in my kubeadm kubernetes cluster named tote. So first I created a key: openssl genrsa -out tote.key 2048 Then I created a CSR: openssl req -new -key tote.key -subj "/CN=tote-admin" -out tote.csr Finally, I am following…
Khaled
0 votes, 0 answers

How to Manage UTM's Allow/Deny List for Kubernetes Outgoing Requests

We have a problem with designing our Kubernetes infrastructure and it would be a great help if I can have your opinion on the subject. Based on the following diagram, we have a traditional infrastructure with our services implemented in a simple…
0 votes, 0 answers

Opentelemetry-operator running as root on Openshift/Kubernetes

I need this opentelemetry-operator to run as non-root on the /, https://github.com/open-telemetry/opentelemetry-operator/blob/main/autoinstrumentation/java/Dockerfile I need to change the permission as non-root /javaagent.jar, my pipeline is running…
0 votes, 1 answer

Kubernetes Argo workflows are failing with psp-readonlyrootfilesystem error

I've the following argo workflow which has securityContext added. After running it, it's failing with ReadOnlyRootFileSystem error as mentioned below. Here is the workflow yaml. apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: …
0 votes, 1 answer

How to disable user impersonation in Kubernetes?

Is there a way to disable impersonation in Kubernetes for all admin/non Admin users? kubectl get pod --as user1 The above command should not provide answer due to security concerns. Thank you in advance.
0 votes, 0 answers

Why can't I access host files from inside a Kubernetes pod? "permission denied" error

I would like to test a security vulnerability (attack scenario) in K8s cluster. As a privileged K8s user, I want to mount ~/.kube directory inside a pod in order to change/read K8s configurations and CA info. Or maybe any root directory on…
0 votes, 3 answers

system:node fails to get secrets from apiserver via curl

I'm doing some POC for security research, trying to access namespace secrets directly from a worker node. I have a cluster on GKE running Kubernetes 1.20. I'm running the following command from a worker (non-master) node: curl -v…
Mugen
0 votes, 1 answer

Kubernetes service account with upgrade/patch permission to annotation of deployment

I want to create a Kubernetes service account and roles/RBAC which will grant permission to patch/update annotations of a deployment. The service account should not be able to perform any other update on a Kubernetes deployment. It should have upgrade and patch…
0 votes, 1 answer

Kubernetes securityContext

I can't seem to understand why the below-mentioned pod manifest isn't working if I remove spec.containers.command; the pod fails if I remove the command. I took this example from the official documentation: apiVersion: v1 kind: Pod metadata: name:…
Viplove
0 votes, 1 answer

Unable to create deployment in a namespace with service account, ClusterRole and ClusterRolebinding created

I was getting my hands dirty practicing the Security k8s. This was a practice question I came across to solve. Question: Create serviceaccount 'john' with permissions to create delete get deployments, statefulsets, daemonsets in a given namespace…
0 votes, 1 answer

With Helm 3 and K8s cluster w/RBAC (X509 certs), what permissions does Helm need? I think it creates ConfigMaps for release info?

I have setup my cluster (k3d) to have some RBAC rules and also created a certificate to identify my user for kubectl commands. I've set the user to have a Role via a RoleBinding in a specific namespace. I want to make it so they could create…
0 votes, 1 answer

Checking PodSecurityPolicy status in a GKE Cluster

How to check if PodSecurityPolicy is enabled on a GKE cluster or not? Using gcloud container clusters describe, I could not find anything. If I enable it on a cluster where this plugin is already enabled, it displays that the plugin…