OPA

OPA stands for Open Policy Agent.
Policy-based control for cloud native environments.
Official Installation

    export OPA_VERSION=v0.27.1
    curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_amd64
    chmod 755 ./opa

    ./opa run -s &

Test Policy

    ./opa test <rego-file-name>

View Policies

    curl http://localhost:8181/v1/policies

Load Policy

    # Structure
    curl -X PUT --data-binary @<rego-policy-file-name> http://localhost:8181/v1/policies/<policy-name>

    # Example
    curl -X PUT --data-binary @sample.rego http://localhost:8181/v1/policies/samplepolicy

Unload Policy

    curl -X DELETE http://localhost:8181/v1/policies/<policy-name>

    curl -X DELETE http://localhost:8181/v1/policies/samplepolicy

OPA Default Information

    Default Port    Language
    8181            Rego
Kubernetes

API Process: Admission Controllers

    Controller
    AlwaysPullImages
    DefaultStorageClass
    EventRateLimit
    NamespaceExists
    NamespaceAutoProvision
    Many more...

View Enabled Admission Controllers

    kubectl -n kube-system exec kube-apiserver-controlplane -- kube-apiserver -h | grep enable-admission-plugins

Configuration of Admission Controllers

    File:   /etc/kubernetes/manifests/kube-apiserver.yaml
    Config: --enable-admission-plugins=NodeRestriction
            --disable-admission-plugins=DefaultStorageClass

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        kubeadm.
Linux Capabilities

    Kernel < 2.2  ->  Kernel >= 2.2: Linux Capabilities

Get Capabilities

Binary

    getcap /usr/bin/ping

    /usr/bin/ping = cap_net_raw+ep

PID

    ps -ef | grep /usr/sbin/sshd | grep -v grep

    root 779 1 0 03:55 ? 00:00:00 /usr/sbin/sshd -D

    getpcaps 779

    capabilities for `779': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep

Kubernetes Definition

    apiVersion: v1
    kind: Pod
    metadata:
      name: ubuntu-sleeper
    spec:
      containers:
      - name: ubuntu-sleeper
        image: ubuntu
        command: [ "sleep", "1000" ]
        securityContext:
          capabilities:
            add: [ "SYS_TIME" ]
            drop: [ "CHOWN" ]
AppArmor in Kubernetes

Requirements:

    Kubernetes Version > 1.4
    AppArmor Kernel Module Enabled
    AppArmor Profile Loaded in the Kernel
    Container Runtime should be Supported

Definition

AppArmor annotation:

    container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: nginx
      name: nginx
      annotations:
        container.apparmor.security.beta.kubernetes.io/nginx: localhost/custom-nginx
    spec:
      containers:
      - image: 'nginx:alpine'
        name: nginx
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /data/pages
          type: Directory
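The two pod settings above (the per-container AppArmor annotation and the capabilities a container adds) are exactly what an admission policy would check. This is an added example, not code from the original cheat sheet: a small manifest check over a Pod object in its JSON/dict form, with an assumed allowlist `ALLOWED_ADD` of capabilities a pod may add; the two sample pods are constructed from the manifests on this page.

```python
# Added example (not from the original cheat sheet): a manifest check that mirrors
# what an admission policy would enforce for the two pod settings shown above:
# the per-container AppArmor annotation and added Linux capabilities.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# Assumed organisational allowlist of capabilities a pod may add.
ALLOWED_ADD = {"NET_BIND_SERVICE"}

def check_pod(pod, allowed_add=ALLOWED_ADD):
    """Return a list of human-readable violations for a Pod object (dict)."""
    problems = []
    annotations = pod.get("metadata", {}).get("annotations") or {}
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        profile = annotations.get(APPARMOR_PREFIX + name)
        # Accept a profile loaded on the node (localhost/<profile>) or the runtime
        # default; a missing annotation or "unconfined" means no AppArmor at all.
        if not profile or not (profile == "runtime/default" or profile.startswith("localhost/")):
            problems.append("%s: no AppArmor profile (annotation %s%s)" % (name, APPARMOR_PREFIX, name))
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        for cap in caps.get("add") or []:
            if cap.upper() not in allowed_add:
                problems.append("%s: adds capability %s outside allowlist" % (name, cap))
    return problems

# Constructed sample: the ubuntu-sleeper pod from the capabilities section.
SLEEPER = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ubuntu-sleeper"},
    "spec": {"containers": [{
        "name": "ubuntu-sleeper", "image": "ubuntu", "command": ["sleep", "1000"],
        "securityContext": {"capabilities": {"add": ["SYS_TIME"], "drop": ["CHOWN"]}},
    }]},
}
# Constructed sample: the nginx pod with its localhost/custom-nginx profile.
NGINX = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx", "annotations": {
        APPARMOR_PREFIX + "nginx": "localhost/custom-nginx"}},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:alpine"}]},
}

if __name__ == "__main__":
    for pod in (SLEEPER, NGINX):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```

Feed it `kubectl get pod <name> -o json` output (the `json` module turns it into the same dict shape) to check running pods the same way.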
AppArmor

AppArmor: Linux kernel security module

Status

    systemctl status apparmor

    ● apparmor.service - AppArmor initialization
       Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
       Active: active (exited) since Tue 2021-07-06 06:31:44 UTC; 6min ago
         Docs: man:apparmor(7)
               http://wiki.apparmor.net/
     Main PID: 317 (code=exited, status=0/SUCCESS)
        Tasks: 0 (limit: 4678)
       CGroup: /system.slice/apparmor.service

Check Enabled

    cat /sys/module/apparmor/parameters/enabled

    Y

Check Profiles

    cat /sys/kernel/security/apparmor/profiles

    /usr/{sbin/traceroute,bin/traceroute.
Check Seccomp in Docker

    docker run r.j3ss.co/amicontained amicontained

    Container Runtime: docker
    Has Namespaces:
      pid: true
      user: false
    AppArmor Profile: unconfined
    Capabilities:
      BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
    Seccomp: filtering
    Blocked Syscalls (61):
      MSGRCV SYSLOG SETPGID SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE
    Looking for Docker.
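`getpcaps` (capabilities section above) and `amicontained` (this section) both translate the kernel's capability bitmasks into names. When neither tool is available, the raw `CapEff`/`CapBnd` hex masks in `/proc/<pid>/status` can be decoded with the same numbering. This is an added example, not code from the original cheat sheet: it decodes such masks into the names `getpcaps` prints and reports what a process holds beyond Docker's default bounding set as listed by `amicontained`; the `/proc` status text is a constructed sample, and `0x3fffffffff` is the mask that corresponds to the 38-capability set shown for sshd above.

```python
# Added example (not from the original cheat sheet): decode the CapEff/CapBnd hex
# masks in /proc/<pid>/status into the names getpcaps prints, and flag anything
# beyond the Docker default bounding set that amicontained reports.
import re

# Kernel numbering: bit i of a mask is capability i, in the order getpcaps prints.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# Docker's default bounding set, exactly as amicontained lists it above.
DOCKER_DEFAULT = {
    "cap_chown", "cap_dac_override", "cap_fowner", "cap_fsetid", "cap_kill",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_net_bind_service",
    "cap_net_raw", "cap_sys_chroot", "cap_mknod", "cap_audit_write", "cap_setfcap",
}

def decode_mask(hex_mask):
    """Capability names whose bit is set in a Cap* hex mask, lowest bit first."""
    mask = int(hex_mask, 16)
    names = [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]
    # Bits above the table (newer kernels add more caps) are kept as numbers.
    names += ["cap_%d" % i for i in range(len(CAP_NAMES), mask.bit_length()) if mask >> i & 1]
    return names

def parse_status(text):
    """Map every Cap* line of a /proc/<pid>/status dump to decoded names."""
    return {k: decode_mask(v) for k, v in re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)", text, re.M)}

def excess_caps(status_text, baseline=DOCKER_DEFAULT):
    """Effective capabilities a process holds beyond a baseline set."""
    return sorted(set(parse_status(status_text).get("CapEff", [])) - baseline)

# Constructed sample: the Cap* lines a root sshd such as PID 779 above would show.
SAMPLE_STATUS = """Name:\tsshd
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""
```

`excess_caps(open("/proc/%d/status" % pid).read())` runs the same comparison against a live process; an empty list means it holds nothing beyond the Docker default set.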