minikube kubeconfig

Posted by Manish Panchmatia on Thursday, December 16, 2021 Labels: , , / Comments: (0)

  • from .kube/config file, extract  cluster.certificate-authority-data| base64 -d > ca.crt

openssl x509 -in ca.crt -text -noout > ca.crt.decode

From ca.crt.decode:

Issuer: CN = minikubeCA

Subject: CN = minikubeCA

  • from .kube/config file, extract  user.user. client-certificate-data | base64 -d > client.crt

openssl x509 -in client.crt -text -noout > client.crt.decode

From client.crt.decode

Issuer: CN = minikubeCA

Subject: O = system:masters, CN = kubernetes-admin

CKS Tips

Posted by Manish Panchmatia on Thursday, December 9, 2021 Labels: , , / Comments: (0)

1. Shortcut 

export do="--dry-run=client -o yaml"    # k get pod x $do
export now="--force --grace-period 0"   # k delete pod x $now
alias kn="k -n "namespace name""

2. VIM related

2.1 edit ~/.vimrc

set ts=2
set et
set sw=2
set nu

2.2 To search in vi "/var/lib"

We should issue comman
/\/var\/lib

Here \ is used as special character 

2.3 To change last word of line

use "$" to go end of line
then move one word back using "b"
then "cw" to change word.
If needed use "c$" to remove and replace till end of line. 

3. How to create pod, without YAML

kubectl run nginx --image=nginx  --dry-run=client -o yaml > pod.yaml

4.If we have file with name a.txt and its sha512. then steps:

1. first create and open file a.txt.sha512
2. enter value of sha512
3. add two times space
4. add file name. here it is a.txt
5. close a.txt.sha512 file
6. run command: sha512sum -c a.txt.sha512

5. OPA and gatekeeper. We can list constraint with 

k get constraint
NAME                                                           AGE
blacklistimages.constraints.gatekeeper.sh/pod-trusted-images   10m
requiredlabels.constraints.gatekeeper.sh/namespace-mandatory-labels   10m

Now, Here first part is constraint template and second part is constraint. So we can edit / view constraint 

k get blacklistimages pod-trusted-images -o yaml
k get requiredlabels namespace-mandatory-labels  -o yaml

To get template

k get constrainttemplate

Instead of typing such long spelling, easy way

1. k get crd
Then copy paste
2. k get constrainttemplates.templates.gatekeeper.sh

6. To find image

k get po -o=custom-columns=Image:"spec.containers[*].image"

k get po -o=custom-columns=Name:"metadata.name",Image:"spec.containers[0].image"

7. Useful command to set namespace

kubectl config set-context --current --namespace="namespace"

8. To install appArmor profile, we shall use
sudo apparmor_parser -q

sudo apparmot_status
will provide list of all profiles: loaded, complain mode, enforce mode
9. Mount secret as volume

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret

10. securityContext.capabilities is only for container, not for pod

11. securityContext.readOnlyRootFilesystem is only for container, not for pod. Here we should use word "Root" and s is small in system.

12. Instead of applying (1) label to node and (2) then use nodeSelector, we can use nodeName in pod spec. 

spec:

  nodeName: cluster1-worker2 # add

13. To run command inside pod and take its output to outside pod. here the final command to be run inside the pod should be at the end. 

k -n team-purple exec gvisor-test > /opt/course/10/gvisor-test-dmesg -- dmesg

14. To run etcdctl

14.1. start with
ETCDCTL_API=3

14.2. Check input parameter of api server at master node
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd

14.3. Now do mapping. parameter value in kube-apiserver.yaml to input argument for etcd
--etcd-cafile  mapped to --cacert
--etcd-certfile mapped to --cert
--etcd-keyfile mapped to --key

14.4. then add below to command
get /registry/"k8s resource type"/"namespace name"/"k8s resource name"

So the complete command will be:

ETCDCTL_API=3 etcdctl --cacert "Path as per --etcd-certfile" --cert "path as per --etcd-certfile" --key "path as per --etcd-keyfile" get /registry/"K8s resource typ"/"name of the namespace"/"name of k8s resource"

There is no "=" for option/argument and value.

For details on Minikube please refer: http://layers7.blogspot.com/2020/06/minikube-etcd.html

15. For any pod, if automountServiceAccountToken is true OR not false OR absent, then we can log in to that pod. Whatever that pod has access, as per its SA, same we can get as follows. 

15.1. Its SA token is located/mounted inside pod
/run/secrets/kubernetes.io/serviceaccount/token
15.2. We can use this token as Bearer HTTP header. 
15.3. We can form URI = https://kubernetes.default/api/v1/namespaces/"name of namespace/"k8s resource type"/"k8s resource name"
Here namespaces is plural.
15.4. we should add -k option to curl command

So complete command will be
curl https://kubernetes.default/api/v1/namespaces/"name of namespace/"k8s resource type"/"k8s resource name" -H "Authorization
: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k

See the difference

etcdctl: /registry/"k8s resource type"/"namespace name"/"k8s resource name"

curl URL: /api/v1/namespaces/"name of namespace/"k8s resource type"/"k8s resource name"

In short: 
etcdctl : first K8s resource then NS
curl URL: first NS then K8s resource. we need additional "namespaces"

16. If secret is mounted as volume or as ENV variable, then also we can access it using exec inside pod. 

17. TLS type secret

kubectl create secret tls my-tls-secret \
  --cert=path/to/cert/file \
  --key=path/to/key/file

* This TLS type secret we can use in ingress resource

  tls:
  - hosts:
      - sslexample.foo.com
    secretName: testsecret-tls

Please note: Here both k8s resources (1) ingress and (2) TLS type secret, should belong to same namespace


18. Few useful podman command. Same as docker command

podman build -t "tag or registryFQDN/user/image:version" .
Do not forget last "dot" It indicates PWD. Dockerfile from PWD
One can also mention other path of directory. not path of Dockerfile

podman push "registryFQDN/user/image:version"

19. This command will tell uid, gid and groups (fsgroup)

19.1 id
19.2 cat /etc/passwd

20. Note : all "resources" are always in plural in all k8s api server audit policy file.  e.g. cronjobs, podss etc.

21. We can specify readOnlyRootFileSystem as true inside container securityContext. Then to allow specific path as writeable, mount it as emptyDir

        volumeMounts:                     # add
        - mountPath: /tmp                 # add
          name: temp-vol                  # add
      volumes:                            # add
      - name: temp-vol                    # add
        emptyDir: {}                      # add

22. To upgrade k8s version
* k get node
It give kubelet version

22.1 k corden master --ignore-daemonsets
Note DaemonSet is plural

22.2 now log in to master

22.2.1 first update kubeadm
apt-get install kubeadm=1.x.y-00
Note: there is no V here

Before installing anything, we shall perform
apt-get update

22.2.2 kubeadm upgrade plan
It will suggest next command
22.2.3 kubeadm upgrade apply v1.x.y
Note: Here V is preesent

Now, optionally one can verify the upgrade is successful or not by running same command again
kubeadm upgrade plan

22.2.4 Now upgrade kubelet version
apt-get install kubelet=1.22.1-00
Note: No V here
22.2.5 Now optionally restart kubelet
systemctl daemon-reload && systemctl restart kubelet
22.2.6 exit from master node

22.3 k uncorden master
22.4 Now log in to worker

Here instead of 
22.2.2 kubeadm upgrade plan
22.2.3 kubeadm upgrade apply v1.x.y

We have to use
22.4.1 kubeadm upgrade node

now run same as 22.2.4 to 22.2.6 and update kubelet

22.5 same as 22.3 now uncordon worker
k uncordon worker


Basically
Master
cordon
Install new kuebadm, kubelet
kubeadm upgrade plan
kubeadm upgrade apply "newVersion"
uncordon

Worker
Same steps, except 2 commands for kubeadm, here only one command
kubeadm upgrade node

23. We should never echo ENV, which is loaded from secret

24. Never put password in plain text in YAML file

25. in DockerFile, if you copy a secret token one command using COPY or ADD. and in second line if you use RUN command and remove using "rm" command, then also it remains in previous layer. Avoid it. 

26. See various command start with 
kubectl config -h

27. To get pod from container ID

27.1 crictl ps --id "container ID"
It will give pod id

27.2 crictl pods --id "pod id"
Note: It is pods , not pod

28. Annotation for apparmor profile.
- for pod it is : metadata.annotations
- for deployment it is: spec.template.metadata.annotations

We can annotate pod using kubectl imperative command. Not possible for deployment 

k annotate pod "pod name" k1=v1 k2=v2 k3=v3

29. In network policy. podSelector applies to target pod and also in rule. namespaceSelector is only for rule. Both selector needs matchLabels. We cannot provide list of pods, by mentioning name of the pods. We can use matchExressions. However matchEpression also works on label k.v pair only. No other attributes like name, image name, container name etc. 

30. Use command c$ to replace from cursor till end of file. VI editor short cut. useful while editing YAML file copied from k8s docs and you wish to change some values. cw is used to change single word. If existing value has - or / then c$ is more useful. 

31. For K8s audit, specify log file path, which already exist. E.g. /var/log/audit.log

32. for k8s audit policy
We need to mention group of resource. Do not include version. To find API group, run the command
k api-resources

33 Specify image

33.1 k run for creating pod

kubectl run nginx --image=nginx -n mynamespace  

33.2 k create to create deployment, job, cronjob

kubectl create deployment nginx --image=nginx 

33.3 k set image, to upgrade. Only here we use container name. "www" in below example

kubectl set image deployment/frontend www=image:v2

34. CIS 

34.1 report's sections

You can get by runnning command

grep "INFO" "report file name"

====================================
1. Control plane

1.1 All config files  /* all file/folder permission and ownership */
1.2 API server
1.3 Controller-Manager
1.4 Scheduler

2. etcd

3. Control plane config

4. Worker node

4.1 worker node config files /* all file/folder permission and ownership */
4.2 kubelet

5. Policies

5.1 RBAC and SA
5.2 PSP
5.3 netpol and CNI
5.4 Secret mgmt
5.5 extensible admission control
5.7 General
====================================

34.2 section wise failure

You can get by runnning command

grep "check FAIL" "report file name"


35. To remove duplicate

cat "file name" | uniq

Note: It is uniq, not unique 

36. All the Kind always start with capital letter. Useful while searching audit log

37. RBAC

37.1 Note:
  • system:serviceaccount: (singular) is the prefix for service account usernames.
  • system:serviceaccounts: (plural) is the prefix for service account groups.
37.2 Grant a role to all service accounts in a namespace

kubectl create rolebinding serviceaccounts-view \
  --clusterrole=view \
  --group=system:serviceaccounts:my-namespace \
  --namespace=my-namespace

37.3 Grant a limited role to all service accounts cluster-wide (discouraged)

kubectl create clusterrolebinding serviceaccounts-view \
  --clusterrole=view \
 --group=system:serviceaccounts

39 Important paths

39.1. SA token inside pod
/var/run/secrets/kubernetes.io/serviceaccount/token

39.2. Kube-api manifest file at master node.
/etc/kubernetes/manifest/kube-apiserver.yaml

39.3. seccomp path at worker | master node
/var/lib/kubelet/seccomp/profiles/name.json
In YAML file of pod/deployment we mention 
localhostProfile: profiles/name.json

39.4 All apparmor profile file (not profile) are located at worker node
/etc/apparmod.d/

39.5 For runtime class configuration 

39.5.1 with containerd
/etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${HANDLER_NAME}]

39.5.2 with crio
/etc/crio/crio.conf
=============
38. module_request in SELinux

K8s. Flow

Posted by Manish Panchmatia on Friday, December 3, 2021 Labels: , / Comments: (0)


 Ref: https://github.com/cncf/financial-user-group/tree/master/projects/k8s-threat-model

Security Context and PSP

Posted by Manish Panchmatia Labels: , , , / Comments: (0)

Security Context

Only for container

allowPrivilegeEscalation: false . It is for setuid and setgid

allowPrivilegeEscalation:

if (CAP_SYS_ADMIN || Privileged mode) then AllowPrivilegeEscalation = SSeue

=============

securityContext:
      capabilities:
        drop:
          - all
        add: ["MKNOD"]

in PSP we have 

  allowedCapabilities:

  - '*'

  requiredDropCapabilities:

    - ALL

=============

privileged: true avoid it.

=============

procMount: true is for nested container useful for in-cluster build process

=============

readOnlyRootFilesystem: true for immutable container

=============

For container and pod both

container settings will get precedence. 

=============

runAsUser and runAsGroup are runtime configuration. If not defined then UID as per data in image

=============

If runAsNonRoot = True then image should have UID. Same UID should be in host. 

=============

securityContext:

  seLinuxOptions:
    level: "s0:c123,c456"

we can specify level, role, type, user. They are labels for file, process and ports. They are collectively called called "context" in SELinux terms. 

=============

type = Localhost | Unconfined  | RuntimeDefault 

seccompProfile:
      type: Localhost
      localhostProfile: profiles/name.json

The actual path of profile: <kubelet-root-dir>/seccomp/profiles/name.json

where kuelet-root-dir = /var/lib/kubelet . 

It is configured with seccomp-profile-root flag for kubelet. This flag is deprecited since 1.19 . If seccomp-profile-root flag is not defined, the default path will be used, which is <root-dir>/seccomp where <root-dir> is specified by the --root-dir flag.

* type: Unconfined means no seccomp profile is applied

* type: RuntimeDefault means same seccomp profile as container runtime default is applied

* type: Localhost, then only, we need to set localhostProfile

We need to use annotation (optional) 

seccomp.security.alpha.kubernetes.io/pod: localhost/profiles/audit.json

Path for seccomp profiles: https://k8s.io/examples/pods/security/seccomp/profiles/

=============

Only for Pod

fsGroup

the permission bit will be | with rw-rw----

ownership and permission change recursively for all content in mounted volume as per fsGroup

=============

fsGroupChangePolicy = OnRootMismatch | Always

no impact on emptyDir, secret and configMap

OnRootMismatch: It will save time. The permission and ownership only change if root level folder has mismatch with expected fsGroup. 

If DelegateFSGroupToCSIDriver feature gate is enabled then this is done by CSI driver. CSI driver will not respect fsGroupChangePolicy 

=============

supplementalGroups

A list of groups applied to the first process run in each container, in addition to the container's primary GID.

=============

sysctls

====================================================

Here Discretionary Access Control (DAC) is related fields are: runAsUser, runAsGroup, runAsNonRoot, readOnlyRootFilesystem

Here volume related fields are: fsGroup and seLinuxOptions. We set only level at seLinuxOptions and as per level, labels applies to all containers and volumes. 

PodSecurityPolicy

Pod's scrutiny attributes. Defined at cluster level. It controls security sensitive aspects of the pod specification. It define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields. 

It (1) restrict pod creation (2) restrict pod update (3) provide default value

=============

- "privileged" container (Privileged Mode). It is part of PSP. But it control container level "security context" 

=============

- host-level ns (network, PID, IPC) "hostPID", "hostIPC", "hostNetwork". If hostPID allowed then container can escalate privilege using ptrace system call.

============= 

- host ports "hostPorts"

  hostPorts:
  - min: 0
    max: 65535
=============

- different types of volumes. E.g. "allowedFlexVolumes" "volumes"

=============

- host's filesystem E.g. "fsGroup"

fsGroup = MustRunAs | MayRunAs | RunAsAny

We shall specify 1+ range if fsGroup = MustRunAs | MayRunAs. In case of MustRunAs the fsGroup at Pod Security Context is set as min value. in case of MayRunAs, the default value for fsGroup at Pod Security Context, is unset

=============

- RO root filesystem for containers (DAC) "readOnlyRootFilesystem"

=============

- user IDs and group IDs (DAC) "runAsUser" "runAsGroup" "supplementalGroups"

runAsUser = MustRunAs | MustRunAsNonRoot | RunAsAny

runAsGroup = MustRunAs | MayRunAs | RunAsAny

supplementalGroups = MustRunAs | MayRunAs | RunAsAny

=============

- containers' privilege escalation "allowPrivilegeEscalation" "defaultAllowPrivilegeEscalation". Here defaultAllowPrivilegeEscalation, set values for allowPrivilegeEscalation, if not set.

=============

- containers' Linux capabilities (Linux Capabilities): "defaultAddCapabilities", "requiredDropCapabilities", "allowedCapabilities"

=============

- SELinux "seLinux"

RunAsAny means: Apparmor is used instead of SELinux. 

=============

- seccomp and AppArmor profiles : using annotations. 

seccomp.security.alpha.kubernetes.io/allowedProfileNames

apparmor.security.beta.kubernetes.io/defaultProfileName

If this annotation is not specified then default seccomp cannot be changed

=============

- sysctls that a pod can run: "forbiddenSysctls", "allowedUnsafeSysctls"

=============

- a proc mount type to be used. "allowedProcMountTypes" and "DefaultProcMount"

=============
- "AllowedHostPaths" : As name suggest

  allowedHostPaths:
    # This allows "/foo", "/foo/", "/foo/bar" etc., but
    # disallows "/fool", "/etc/foo" etc.
    # "/foo/../" is never valid.
    - pathPrefix: "/foo"
      readOnly: true # only allow read-only mounts

=============

PSP Policy Order

1. non-mutating policy in any order

2. mutating policy in alphabetical order of name

Good Reference: 

A Good article: https://www.linux.com/training-tutorials/overview-linux-kernel-security-features/

Abbreviation

ASLR Address Space Layout Randomization

DAC Discretionary Access Control 

IMA Integrity Measurement Architecture

MAC Mandatory Access Control

PAM Pluggable Authentication Modules

7. Workload Considerations : Falco

Posted by Manish Panchmatia on Thursday, December 2, 2021 Labels: , , , / Comments: (0)

Falco by Sysdigmultiple components (user space program, configuration, driver) working together in order to evaluate system calls against rules, and generate alerts when a rule is broken:

rule has lists. rule can have reference to list. List can be part of macro and other list, in addition to part of rule.

rule has 5 k-v pairs. (1) name, (2) description , (3) condition : Filtering expression for events. (4) output, (5) priority. (emergency, alert, critical, error, warning, notice, informational, debug) 

rule has 4 optional K-v pairs.(1) enabled. default is true (2) tags (filesystem, software_mgmt, process, database, host, shell, container, cis, users, network) . -T option to disable rules with given tag. -t option to enable. (3) warn_evttypes default is true. (4) skip-if-unknown-filter default is false. 5th one added (5) exceptions : a set of conditions that cause the rule to not generate an alert. 

- Falco comes with many rules in /etc/falco/falco_rules.yaml file. They can be overwritten by /etc/falco/falco_rules.local.yaml file. E.g. to disable rule : We can add rule with same name and "append: true" + "enabled: false" 

- evt.dir = < indicates end of system call and evt.dir = > indicates beginning of system call. dir = direction

- We have K8s related context: k8s.[pod | rc | svc | rs | deployment].[name | id \ label | labels] + many fields from K8s audit logs.

with macro part of rule can be re-used. There are many default macros.  



Falco runs with K8s-audit on. So we need to specify audit policy file at API server argument --audit-policy-file

We can configure webhook in API server with this arguement

--audit-webhook-config-file=/etc/kubernetes/audit-webhook-kubeconfig

This YAML file shall define Config kind. 

We can see Falco output with journalctl command.

Reference :

https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml

https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/

7. Workload Considerations : Tracee

Posted by Manish Panchmatia on Tuesday, November 30, 2021 Labels: , , , / Comments: (0)

 Tracee (uses eBPF) :monitors system call and kernel events. 

- It captures :  (1) precise time stamp, (2) uts_name, (3) UID, (4) Command COMM (5) PID, (6) TID/host (7) return code, RET (8) event, and (9) arguments.

- At least 3 volume locations needed. (1) /lib/modules , (2) /usr/src , (3) /tmp/tracee Tracee provides in-depth tracing of container or pod. 


Tracee has multiple options. Important ones are 

list: list of system calls and other events. 

trace: events. specific pid, uid, uts, mntns, pidns, command (comm), system call etc. We can use comparison operator to filer. 

Examples:

  --trace pid=new                                              | only trace events from new processes

  --trace pid=510,1709                                         | only trace events from pid 510 or pid 1709

  --trace p=510 --trace p=1709                                 | only trace events from pid 510 or pid 1709 (same as above)

  --trace container=new                                        | only trace events from newly created containers

  --trace container                                            | only trace events from containers

  --trace c                                                    | only trace events from containers (same as above)

  --trace '!container'                                         | only trace events from the host

  --trace uid=0                                                | only trace events from uid 0

  --trace mntns=4026531840                                     | only trace events from mntns id 4026531840

  --trace pidns!=4026531836                                    | only trace events from pidns id not equal to 4026531840

  --trace 'uid>0'                                              | only trace events from uids greater than 0

  --trace 'pid>0' --trace 'pid<1000'                           | only trace events from pids between 0 and 1000

  --trace 'u>0' --trace u!=1000                                | only trace events from uids greater than 0 but not 1000

  --trace event=execve,open                                    | only trace execve and open events

  --trace set=fs                                               | trace all file-system related events

  --trace s=fs --trace e!=open,openat                          | trace all file-system related events, but not open(at)

  --trace uts!=ab356bc4dd554                                   | don't trace events from uts name ab356bc4dd554

  --trace comm=ls                                              | only trace events from ls command

  --trace close.fd=5                                           | only trace 'close' events that have 'fd' equals 5

  --trace openat.pathname=/tmp*                                | only trace 'openat' events that have 'pathname' prefixed by "/tmp"

  --trace openat.pathname!=/tmp/1,/bin/ls                      | don't trace 'openat' events that have 'pathname' equals /tmp/1 or /bin/ls

  --trace comm=bash --trace follow                             | trace all events that originated from bash or from one of the processes spawned by bash

  --trace container=new  | all the events from container created after issuing this command

capture: suspicious artifacts. One can specify (1) files written at specific path (2) file executed from specific path (3) W and X access to specific memory region. 

Examples:
  --capture exec                                           | capture executed files into the default output directory
  --capture all --capture dir:/my/dir --capture clear-dir  | delete /my/dir/out and then capture all supported artifacts into it
  --capture write=/usr/bin/* --capture write=/etc/*        | capture files that were written into anywhere under /usr/bin/ or /etc/

output: format, op file path, include: (1) exec env (2) stack trace or not?

Examples:
  --output json --output option:eot                        | output as json and add an EOT event
  --output gotemplate=/path/to/my.tmpl                     | output as the provided go template
  --output out-file:/my/out err-file:/my/err               | output to /my/out and errors to /my/err

5. Securing Kube-APIServer: RBAC

Posted by Manish Panchmatia on Sunday, November 28, 2021 Labels: , , , / Comments: (0)

 We can use

 kubectl auth reconcile -f  "filename.yaml"

to create missing objects and ns. It does not create sa

We can also run with 

 kubectl auth reconcile -f  "filename.yaml" --dry-run=client

--remove-extra-permissions will remove extra permission in role

--remove-extra-subjects will remove extra subjects in binding

The kubectl auth reconcile command will ignore any resources that are not Role, RoleBinding, ClusterRole, and ClusterRoleBinding objects, so you can safely run reconcile on the full set of manifests. Next we can run kubectl apply command. 

With kubectl apply command for rolebinding, we cannot update roleRef. it is immutable. However with this command kubectl auth reconcile, we can do it. 

All the above points are applicable to ClusterRole and ClusterRoleBinding also. 

Reference: https://www.mankier.com/1/kubectl-auth-reconcile

====================================

Regardless of namespace, by default, SA with name "default" is added to pod, in all namespace. 

====================================

In rolebinding if kind = User then only name is sufficinet. 

subjects:
- kind: User
  name: dan
If kind = ServiceAccount then we need to specify name and namespace

subjects:
- kind: ServiceAccount
  name: simple-sa
  namespace: prod-b

6. Networking : Network Policy

Posted by Manish Panchmatia on Thursday, November 25, 2021 Labels: , , , / Comments: (0)

- We cannot use namespaceSelector, for target pod. The namespaceSelector is for (1) to and (2) from

- if we do not mention about podSelector at all, then it means none of the pod. 

- if we mention empty list , then also it means none of the pod. ingress: []

==================================

- For (1) to and (2) from, if you omit specifying a namespaceSelector it does not select any namespaces, which means it will allow traffic only from the namespace the NetworkPolicy is deployed to.

To allow all traffic from current namespace

ingress:

- from:

  - podSelector: {}

==================================

- if we mention 

ingress: {} 

OR

ingress:

- {}

then it means network all pods from all namespace + outside K8s cluster

- if we mention

  ingress:

  - from:

    - namespaceSelector: {}

Then it means, all pods from all namespace. outside cluster is excluded. 

==================================

- All policies are add / union. So there is no chance of conflict. Whitelist can be keep growing. Traffic is allowed, if we have at least one rule, that allow the traffic. 

By default, if no policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace

- Network Policy is connection level filter. It does not apply to packets

- Network Policy does not terminate established connection. 

- cluster level network policy is not part of core API. It is implemented by Calico 

==================================

Best practices

1. First block all ingress/egress in a namespace

2. start whitelisting for each app

3. While applying egress rule, we have to allow DNS, as it is needed in most cases, to resolve service FQDN

==================================

- If no policyTypes are specified on a NetworkPolicy then by default Ingress will always be set 

- policyTypes= Egress will be set if the NetworkPolicy has any egress rules.

==================================

This is OR condition

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
  ingress:

  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          KEY: VALUE
    - podSelector:
        matchLabels:
          KEY: VALUE

Here : any pod whose namespace has label key=value OR any pod with namespace of Networkpolicy  (default) who has label key=value OR pod has specific IP addresss

==================================

This is AND condition

  ingress:

  - from:
    - namespaceSelector:
        matchLabels:
          user: alice
      podSelector:
        matchLabels:
          role: client

Here : any pod whose namespace has label user=alice AND any pod who has label role=client 

If podSelector:{} then namespaceSelector can be AND or OR, does not matter. 

==================================

This is also AND condition

  ingress:
  - from:
...........
    ports:
    - protocol: TCP
      port: 6379

We have to use containerPort only. 

We can have multiple rules by multiple "-from" and/or multiple "-to"

==================================

To allow all traffic from all namespace

(1) 

ingress:

- from:

  - podSelector: {}

    namespaceSelector: {}    

(2) 

ingress:

- from:

  - namespaceSelector: {}    

==================================

Port is always destination port, for both ingress and egress. 

==================================

We can block egress traffic go outside cluster, by (1) specifying allow to all namespace

egress:

- to:

  - namespaceSelector: {}

(2) empty list

egress: []

==================================

First let's isolate Ingress and Egress both traffic to target pod as per podSelector. These pods belongs to same namespace, as the NetworkPolicy belong to. Here all pods with label role=db in default namespace are isolated. 

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

  name: test-network-policy

  namespace: default

spec:

  podSelector:

    matchLabels:

      role: db

  policyTypes:

  - Ingress

  - Egress

Reference:

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://github.com/ahmetb/kubernetes-network-policy-recipes

https://www.youtube.com/watch?v=3gGpMmYeEO8

8. Issue Detection

Posted by Manish Panchmatia on Wednesday, November 24, 2021 Labels: , , , / Comments: (0)

Cyber Kill Chain

  • Reconnaissance 
  • Weaponization: Client application data file: PDF, DOC
  • Delivery: E-mail attachment, wesbite, USB removable media
  • Exploitation: 
  • Installation: 
  • Command and Control 
  • Actions on Objectives
HIDS
An agent or corn job
- scan anomalies on local node
- check system resources against database of attributes (MD5 sum, time-stamps, permissions etc.) for each resource. 

HIDS Tools

1. AIDE is shipped with enterprise Linux. It is highly configurable HIDS
2. Tripwire It is similar to AIDE. Extra features: (1) commercial management console (2) real-time auditing agent
3. OSSEC open source host-based intrusion detection system. It performs (1) log analysis (2) file integrity check (3) policy monitoring (4) root-kit detection (5) real time alerting (6) active response

Important files. So many files, list can be obtained by command
sudo ls -R /var/ossec

Main config file is: /var/ossec/etc/ossec.conf
Rule files: /var/ossec/rules
The active response to issues are in script files /var/ossec/active-response/bin
CIS benchmarks for different OS: /var/ossec/etc/shared
all logs file by ossec : /var/ossec/logs

NIDS
Tools, collect traffic from networking devices. Then analyze the traffic for attack signature and other anomalies 

NIDS Tools

1. SNORT: CISCO maintains it. CISCO add new rules and share with subscriber. After 30 days these new rules are available to community. 

2. Suricata: (1) real time IDS (2) IPS (3) NSM (4) offline pcap processing. Lua-script support for complex threat detection. 

Important files
(1) /etc/suricata/suricata.yaml If we edit this file then run command
sudo suricata-update
then new rules will be added to
(2) /var/lib/suricata/rules/classification.config and
(3) /var/lib/suricata/rules/suricata.rules
Next see /va/log/suricata folder
(4) suricata.log
(5) stats.log
(6) fast.log
(7) eve.json we can use | jq 'select{}'
(8) (9) /etc/suricata/enable.conf and disable.conf to enable/disable rules. then run sudo suricata-update


ML Based Tools Vendors

1. NeuVector
2. StackRox
3. Threat Stack
4. Trend Micro

Acronyms

AIDE: Advanced Intrusion Detection Environment

C2: Command and Control

COOP: COntinuity of OPeration

CVEs: Common Vulnerabilities and Exposures

DR: Disaster Recovery

HIDS: Host Intrusion Detection System

IDS: Intrusion Detection System

IPS: Inline Intrusion Prevention System

LM-CIRT: Lockheed Martin Computer Incident Response Team

NIDS: Network Intrusion Detection System

NSM: Network Security Monitoring 

NVD: National Vulnerability Database

PIDS: Physical Intrusion Detection System

US-CERT: United States Computer Emergency Readiness Team

Website

https://seclists.org/

https://cve.mitre.org/cve/