Lab 6.6 security-review1.yaml intended solution

Here's what I'm trying:

• set spec.containers[0].securityContext.runAsUser to be 101, the same as the nginx user in the container image (although I don't like this solution, I'd prefer a solution where root in the container maps to a unique UID on the host)
• using an emptyDir volume for /var/lib/nginx (it wants to create proxy_temp, client_temp, and more)
• set spec.containers[0].securityContext.capabilities.add[0]."NET_BIND_SERVICE"... but that doesn't appear to be effective as the container still gets a permission denied when binding to 0.0.0.0:80

So I went to diagnose what was happening. A altered my Deployment to create the pod with command as ["/usr/bin/sleep", "inf"]... this means it won't start nginx but will just cause the a container to start, which I can then exec into to inspect the environment:

nginx@securityreview:/$ grep ^Cap /proc/1/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

Well that's kinda interesting, because the CapPrm ('Permitted', or maximum) capabilities is empty, so something must be removing capabilities.

Compare this with another what we did earlier:

cameron_kerr_nz@a-cp:~/review6$ k exec secondapp -c busy -- grep ^Cap /proc/1/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000aa0435fb
CapAmb: 0000000000000000

cameron_kerr_nz@a-cp:~/review6$ k exec secondapp -c webserver -- grep ^Cap /proc/1/status
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

And here's the configuration from that:

  containers:
  - name: webserver
    image: nginx
  - name: busy
    image: busybox
    command:
    - sleep
    - "3600"
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

Comparing with the review exercise, it would appear that when securityContext.capabilities.add has been set, we're seeing that CapEff (the 'Effective' set) is not as expected.

It is very useful to realise that this is because of the behaviour of Linux Capabilities when transitioning from UID 0 to UID !0. There's a long-standing bug about this:

• https://github.com/kubernetes/kubernetes/issues/56374
• workaround using sysctls instead to set the range of priviledged ports: https://github.com/kubernetes/kubernetes/issues/56374#issuecomment-928917495
• the other fix for this (lacking ambient capabilities) is to set NET_BIND_SERVICE capability on the executable instead (ie. on nginx). --- I tried this, it wasn't enough
• https://github.com/kubernetes/enhancements/issues/2763 <-- the enhancement that made it as an Alpha in 1.24 (but ended up being a CVE?).

I would say that it should be required to read about this issue, because you're very likely to bump into it; and your experience is likely to be quite unpleasant.

What I ended up doing that did work:

• Use runAsUser: 101 in the container securityContext
• Don't use any capabilities
• Instead, use the sysctls in the Pod's securityContext (not the container's, but the pod's)
• Provide a custom nginx.conf that doesn't specify user and sets the various paths (as per the documentation in the section 'Running Nginx as a non-root user' at https://hub.docker.com/_/nginx)

While you're reading about these issues, I found it useful to compare with what OpenShift does; all pods will run as a non-privileged dynamic UID, but with GID 0. So anything that should be writable by the container should have group-write permission. An interesting way of doing it, although one that many container images aren't written to expect. I suspect there will be container runtimes that can use 'rootless' containers, where the UID running 'within' the container may be 0; but that is mapped to a non-root UID outside of the container. (podman does this already; presumably CRI-O could as well; I haven't looked).