https://github.com/sysdiglabs/kube-psp-advisor

Help building an adaptive and fine-grained pod security policy
https://github.com/sysdiglabs/kube-psp-advisor

container-security kubernetes psp security-tools

Last synced: 3 months ago
JSON representation

Help building an adaptive and fine-grained pod security policy

• Host: GitHub
• URL: https://github.com/sysdiglabs/kube-psp-advisor
• Owner: sysdiglabs
• License: apache-2.0
• Created: 2019-02-03T18:18:17.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2023-10-11T21:18:59.000Z (about 1 year ago)
• Last Synced: 2024-05-20T10:54:03.160Z (6 months ago)
• Topics: container-security, kubernetes, psp, security-tools
• Language: Go
• Homepage:
• Size: 253 KB
• Stars: 328
• Watchers: 12
• Forks: 41
• Open Issues: 7
• Metadata Files:
  • Readme: README.MD
  • License: LICENSE

Awesome Lists containing this project

• awesome-k8s-security - Kube PodSecurityPolicy Advisor
• awesome-kubernetes-security - kube-psp-advisor - Help building an adaptive and fine-grained pod security policy (Open Source Projects)

README

        
# Kube PodSecurityPolicy Advisor

kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) or OPA Policy from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).

It has 2 subcommands, `kube-psp-advisor inspect` and `kube-psp-advisor convert`. `inspect` connects to a K8s API server, scans the security context of workloads in a given namespace or the entire cluster, and generates a PSP or an OPA Policy based on the security context. `convert` works without connecting to an API Server, reading a single .yaml file containing a object with a pod spec and generating a PSP or OPA Policy based on the file.

## Installation as a Krew Plugin

Follow the [instructions](https://github.com/kubernetes-sigs/krew#installation) to install `krew`. Then run the following command:

```

kubectl krew install advise-psp

```

The plugin will be available as `kubectl advise-psp`.

## Build and Run locally

1. ```make build```

2. ```./kube-psp-advisor inspect``` to generate Pod Security Policy based on running cluster configuration

   - 2.1 ```./kube-psp-advisor inspect --report``` to print the details reports (why this PSP is recommended for the cluster)

   - 2.2 ```./kube-psp-advisor inspect --grant``` to print PSPs, roles and rolebindings for service accounts (refer to [psp-grant.yaml](./test-yaml/psp-grant.yaml))

   - 2.3 ```./kube-psp-advisor inspect --namespace=``` to print report or PSP(s) within a given namespace (default to all) 

   - 2.4 ```./kube-psp-advisor inspect --policy opa``` to generate OPA Policy based on running cluster configuration

   - 2.5 ```./kube-psp-advisor inspect --policy opa --deny-by-default``` to generate an OPA Policy, where OPA Default Rule is Deny ALL

4. ```./kube-psp-advisor convert --podFile  --pspFile ``` to generate a PSP from a single .yaml file.

   - 4.1 ```./kube-psp-advisor convert --podFile  --pspFile  --opa``` to generate an OPA Policy from a single .yaml file.

   - 4.2 ```./kube-psp-advisor convert --podFile  --pspFile  --opa --deny-by-default``` to generate an OPA Policy from a single .yaml file, where OPA Default Rule is Deny ALL.

    

## Build and Run as Container

1. ```docker build -t  -f container/Dockerfile .```

2. ```docker run -v ~/.kube:/root/.kube -v ~/.aws:/root/.aws ``` (the `.aws` folder mount is optional and totally depends on your clould provider)

## Use Cases

1. Help verify the deployment, daemonset settings in cluster and plan to reduce unnecessary privileges/resources

2. Apply Pod Security Policy or OPA policy to the target cluster

3. Using flag `--namespace=` with `--report` to debug and narrow down the security context per namespace

## Attributes Aggregated for Pod Security Policy

- allowPrivilegeEscalation

- allowedCapabilities

- allowedHostPaths

  - readOnly

- hostIPC

- hostNetwork

- hostPID

- privileged

- readOnlyRootFilesystem

- runAsUser

- runAsGroup

- Volume

- hostPorts

- allowedUnsafeSysctls

## Limitations

Some attributes(e.g. capabilities) required gathering runtime information in order to provide the followings:

- Least privilege (capabilities captured from runtime)

## High-level todo list

- [x] Basic functionalities;

- [ ] Create PSP's for common charts

- [x] Kubectl plugin

## Sample Pod Security Policy

Command: `./kube-psp-advisor inspect --namespace=psp-test`

```

apiVersion: policy/v1beta1

kind: PodSecurityPolicy

metadata:

  creationTimestamp: null

  name: pod-security-policy-20181130114734

spec:

  allowedCapabilities:

  - SYS_ADMIN

  - NET_ADMIN

  allowedHostPaths:

  - pathPrefix: /bin

  - pathPrefix: /tmp

  - pathPrefix: /usr/sbin

  - pathPrefix: /usr/bin

  fsGroup:

    rule: RunAsAny

  hostIPC: false

  hostNetwork: false

  hostPID: false

  privileged: true

  runAsUser:

    rule: RunAsAny

  seLinux:

    rule: RunAsAny

  supplementalGroups:

    rule: RunAsAny

  volumes:

  - hostPath

  - configMap

  - secret

  ```

## Sample Report

Command: `./kube-psp-advisor inspect --namespace=psp-test --report | jq .podSecuritySpecs`

```

{

  "hostIPC": [

    {

      "metadata": {

        "name": "busy-rs",

        "kind": "ReplicaSet"

      },

      "namespace": "psp-test",

      "hostPID": true,

      "hostNetwork": true,

      "hostIPC": true,

      "volumeTypes": [

        "configMap"

      ]

    },

    {

      "metadata": {

        "name": "busy-job",

        "kind": "Job"

      },

      "namespace": "psp-test",

      "hostIPC": true,

      "volumeTypes": [

        "hostPath"

      ],

      "mountedHostPath": [

        "/usr/bin"

      ]

    }

  ],

  "hostNetwork": [

    {

      "metadata": {

        "name": "busy-rs",

        "kind": "ReplicaSet"

      },

      "namespace": "psp-test",

      "hostPID": true,

      "hostNetwork": true,

      "hostIPC": true,

      "volumeTypes": [

        "configMap"

      ]

    },

    {

      "metadata": {

        "name": "busy-pod",

        "kind": "Pod"

      },

      "namespace": "psp-test",

      "hostNetwork": true,

      "volumeTypes": [

        "hostPath",

        "secret"

      ],

      "mountedHostPath": [

        "/usr/bin"

      ]

    }

  ],

  "hostPID": [

    {

      "metadata": {

        "name": "busy-deploy",

        "kind": "Deployment"

      },

      "namespace": "psp-test",

      "hostPID": true,

      "volumeTypes": [

        "hostPath"

      ],

      "mountedHostPath": [

        "/tmp"

      ]

    },

    {

      "metadata": {

        "name": "busy-rs",

        "kind": "ReplicaSet"

      },

      "namespace": "psp-test",

      "hostPID": true,

      "hostMetwork": true,

      "hostIPC": true,

      "volumeTypes": [

        "configMap"

      ]

    }

  ]

}

```

## Commercial

Generating PSPs based on runtime activity, simulating PSPs and managing different PSPs across Kubernetes namespaces can simplify the life of every Kubernetes operator.

Check out how Sysdig Secure can help - https://sysdig.com/blog/psp-in-production/