Challenge, Easy,  on  Kubernetes

Secure a Deployment with Security Context and Capabilities

Scenario

The security team has identified that the joker-deployment in namespace joker needs hardening. The deployment is currently running with default security settings, which pose potential security risks.

The manifest file for the existing Deployment can be found at /home/laborant/joker-deployment.yaml.

Task

Modify the existing Deployment named joker-deployment running in namespace joker so that its containers:

  1. Run with user ID 3000
  2. Privilege escalation is forbidden
  3. Add the following Linux capabilities:
    • NET_BIND_SERVICE
    • NET_RAW
    • NET_ADMIN
  4. Check the logs of the deployment to verify it shows user ID 3000.

Modify the YAML file at /home/laborant/joker-deployment.yaml and apply the changes.

Hint
  • All security settings must be configured at the container level under spec.template.spec.containers[0].securityContext
  • Use runAsUser to set the user ID
  • Use allowPrivilegeEscalation to control privilege escalation
  • Use capabilities.add to add Linux capabilities as a list
  • After editing the YAML file, apply it with kubectl apply -f
  • Check Kubernetes documentation for securityContext examples if needed

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge secure-a-deployment-with-security-context-and-capabilities-8b398024

This will create a local copy of the challenge content in a directory named secure-a-deployment-with-security-context-and-capabilities-8b398024. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge secure-a-deployment-with-security-context-and-capabilities-8b398024

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge