-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcase3
149 lines (141 loc) · 7.39 KB
/
case3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
serviceAccountName- nginx
sccType-custom
scc-hostmount-anyuid-nginx
scc hostPath plugin- enabled
scc hostPath Volume allowed- enabled
seLinuxOptions type in pod manifest? - container_logreader_t
process type- container_logreader_t
can access /var/log/- yes
can access /etc/ - no
=============================================================================
output reference:
# # ps -Z 3777354
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:container_logreader_t:s0:c40,c777 3777354 ? Ss 0:00 tail -f /var/log/audit/audit.log
$ $ oc get pod nginx-deployment-759764d567-kb2cr -o yaml | grep scc
openshift.io/scc: restricted-v2-nginx
$ oc logs nginx-deployment-759764d567-kb2cr -c sidecar
cat: can't open '/etc/hostname': Permission denied
Sat Jul 15 01:56:45 UTC 2023
Sat Jul 15 02:02:26 UTC 2023
=====/var/log/pods output=====
2023-07-18T18:57:06.528951756+00:00 stderr F 10.128.0.2 - - [2023-07-18 18:57:04] "GET /health HTTP/1.1" 200 117 0.000656
2023-07-18T18:57:06.528951756+00:00 stderr F WARNING:kube_ops_view.kubernetes:Failed to query node metrics 172-30-0-1:443: 404 Not Found
=====tail output======
type=MAC_POLICY_LOAD msg=audit(1689905199.010:104509): auid=4294967295 ses=4294967295 lsm=selinux res=1AUID="unset"
type=SYSCALL msg=audit(1689905199.010:104509): arch=c000003e syscall=1 success=yes exit=8930835 a0=4 a1=7fd22560c000 a2=884613 a3=0 items=0 ppid=3775681 pid=3776481 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:spc_t:s0:c641,c914 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
$ oc exec -it nginx-deployment-759764d567-kb2cr -c sidecar -- touch /var/log/delete
touch: /var/log/delete: Read-only file system
command terminated with exit code 1
=============================================================================
Observation: pod can only read audit logs and any other files within /var/log with container_logreader_t type but cannot access host's /etc directory.
=============================================================================
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: nginx-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 1 # tells deployment to run 2 pods matching the template
template:
metadata:
labels:
app: nginx
spec:
serviceAccountName: restricted-v2-nginx
containers:
- name: nginx
image: quay.io/rh_ee_raravi/nginx:1.14.2
ports:
- containerPort: 80
securityContext:
seLinuxOptions:
type: logsample-seprofile_logsample.process
#privileged: true
args: [/bin/sh, -c, 'while true; do echo $(date) >> /var/log/date.log; sleep 1; done']
#args: [/bin/sh, -c, 'while true; do rm /var/log/date.log; touch /var/log/date.log; echo $(date) >> /var/log/date.log; sleep 1; done']
volumeMounts:
- name: varlog
mountPath: /var/log
- name: sidecar
image: quay.io/rh_ee_raravi/busybox:latest
command: ["/bin/sh", "-c"]
args: ["cat /etc/hostname; head -2 /var/log/date.log; echo '=====/var/log/pods output====='; head -2 /var/log/pods/ocp-ops-view_kube-ops-view-*/service/0.log; echo '=====tail output======'; tail -f /var/log/audit/audit.log;"]
#args: [/bin/sh, -c, 'cat /etc/passwd']
volumeMounts:
- name: etcdir
mountPath: /etc
readOnly: true
- name: varlog
mountPath: /var/log
readOnly: true
securityContext:
seLinuxOptions:
type: container_logreader_t
volumes:
- name: varlog
hostPath:
path: /var/log
type: Directory
- name: etcdir
hostPath:
path: /etc
type: Directory
$ oc get scc restricted-v2-nginx -o yaml
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
kubectl.kubernetes.io/last-applied-configuration: |
{"allowHostDirVolumePlugin":true,"allowHostIPC":false,"allowHostNetwork":false,"allowHostPID":false,"allowHostPorts":false,"allowPrivilegeEscalation":false,"allowPrivilegedContainer":false,"allowedCapabilities":["NET_BIND_SERVICE"],"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"MustRunAs"},"groups":[],"kind":"SecurityContextConstraints","metadata":{"annotations":{"include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true","include.release.openshift.io/single-node-developer":"true","kubernetes.io/description":"restricted-v2 denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required."},"creationTimestamp":"2023-03-03T20:30:50Z","generation":1,"name":"restricted-v2-nginx","ownerReferences":[{"apiVersion":"config.openshift.io/v1","kind":"ClusterVersion","name":"version","uid":"c91ec6a6-6a35-456f-8c69-0fb4b52bb3f1"}],"resourceVersion":"1766","uid":"01d13437-b5ba-414d-be79-ae33d997c01a"},"priority":null,"readOnlyRootFilesystem":false,"requiredDropCapabilities":["ALL"],"runAsUser":{"type":"MustRunAsRange"},"seLinuxContext":{"type":"RunAsAny"},"seccompProfiles":["runtime/default"],"supplementalGroups":{"type":"RunAsAny"},"users":[],"volumes":["configMap","downwardAPI","secret","hostPath"]}
kubernetes.io/description: restricted-v2 denies access to all host features and
requires pods to be run with a UID, and SELinux context that are allocated to
the namespace. This is the most restrictive SCC and it is used by default for
authenticated users. On top of the legacy 'restricted' SCC, it also requires
to drop ALL capabilities and does not allow privilege escalation binaries. It
will also default the seccomp profile to runtime/default if unset, otherwise
this seccomp profile is required.
creationTimestamp: "2023-07-21T01:43:24Z"
generation: 5
name: restricted-v2-nginx
ownerReferences:
- apiVersion: config.openshift.io/v1
kind: ClusterVersion
name: version
uid: c91ec6a6-6a35-456f-8c69-0fb4b52bb3f1
resourceVersion: "42852016"
uid: 5a284e9d-0f53-48e9-ae24-a121879a182b
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
seccompProfiles:
- runtime/default
supplementalGroups:
type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- hostPath
- secret