k8s PodSecurityPolicy. Drop all capabilities except one

1/14/2019

I want to build a pod security policy where I drop all the capabilities and then enable only CHOWN.

The problem is that it seems that "requiredDropCapabilities: ALL" is the main rule, and if I configure it to ALL then I cannot add individual capabilities with AllowedCapabilities or DefaultAddCapabilities.

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

RequiredDropCapabilities - The capabilities which must be dropped from containers. These capabilities are removed from the default set, and must not be added. Capabilities listed in RequiredDropCapabilities must not be included in AllowedCapabilities or DefaultAddCapabilities

How could I deny all capabilities except one?

--EDIT

This is my example:

PodSecurityPolicy:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-pot-root
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
  - '*'
  allowedCapabilities:
  - CHOWN
  requiredDropCapabilities:
  - ALL
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim

Then inside the container there is no CHOWN capability:

root@hellonode-6d654c57b8-b8hz8:/app# capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=1(daemon)

Thx.

-- Jxadro
kubernetes

1 Answer

2/17/2019

What I did was comment out the "- ALL", add all the "capability options" that are allowed by default as documented here, and comment out the capabilities I didn't require.

Caveat: I thought I would need only CHOWN, but ended up needing some more.

  requiredDropCapabilities:
    # - ALL               # Drop all the usual capabilities
    - SETPCAP             # Modify process capabilities.
    - MKNOD               # Create special files using mknod(2).
    - AUDIT_WRITE         # Write records to kernel auditing log.
    # - CHOWN             # Make arbitrary changes to file UIDs and GIDs (see chown(2)).
    - NET_RAW             # Use RAW and PACKET sockets.
    # - DAC_OVERRIDE      # Bypass file read, write, and execute permission checks.
    # - FOWNER            # Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
    - FSETID              # Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
    - KILL                # Bypass permission checks for sending signals.
    # - SETGID            # Make arbitrary manipulations of process GIDs and supplementary GID list.
    # - SETUID            # Make arbitrary manipulations of process UIDs.
    - NET_BIND_SERVICE    # Bind a socket to internet domain privileged ports (port numbers less than 1024).
    - SYS_CHROOT          # Use chroot(2), change root directory.
    - SETFCAP             # Set file capabilities.

Hope it helps. I was looking for answers but found your question first :)

-- Sergio Oliver
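Added here as a worked example for both the question and the answer above; it is not code from the thread, from Kubernetes or from Docker. The script models the documented PSP capability rules (requiredDropCapabilities are merged into the container's drop list, defaultAddCapabilities into its add list, and allowedCapabilities only permit capabilities the pod itself requests under securityContext.capabilities.add) together with the runtime's drop-then-add ordering, and runs the question's PSP and the answer's enumerated drop list through them. The Docker default capability list, the kernel capability bit numbers and the sample pod capability requests are constructed input embedded in the script; the helper names (psp_mutate, psp_validate, effective_caps, admit, cap_mask, decode_cap_mask) are my own and assume the Docker default set is the runtime default.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Default capability set of the Docker runtime (the 14 capabilities the
# answer enumerates).  Constructed here for the example.
DOCKER_DEFAULT_CAPS: Set[str] = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}

# Kernel bit numbers (include/uapi/linux/capability.h) for those 14
# capabilities, used to encode/decode the CapEff line of /proc/<pid>/status.
CAP_BITS: Dict[str, int] = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "FOWNER": 3, "FSETID": 4, "KILL": 5,
    "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "NET_BIND_SERVICE": 10,
    "NET_RAW": 13, "SYS_CHROOT": 18, "MKNOD": 27, "AUDIT_WRITE": 29,
    "SETFCAP": 31,
}


def psp_mutate(psp: dict, container_caps: dict) -> dict:
    """PSP admission, mutation step: merge requiredDropCapabilities into the
    container's drop list and defaultAddCapabilities into its add list.
    allowedCapabilities are deliberately NOT touched here: they only permit
    what the pod requests itself."""
    own_add = set(container_caps.get("add", []))
    own_drop = set(container_caps.get("drop", []))
    # a default add that the container explicitly drops stays dropped
    default_add = set(psp.get("defaultAddCapabilities", [])) - own_drop
    return {
        "add": sorted(own_add | default_add),
        "drop": sorted(own_drop | set(psp.get("requiredDropCapabilities", []))),
    }


def psp_validate(psp: dict, caps: dict) -> List[str]:
    """PSP admission, validation step on the mutated capability lists."""
    errors: List[str] = []
    allowed = set(psp.get("allowedCapabilities", [])) | set(psp.get("defaultAddCapabilities", []))
    if "*" not in allowed:  # '*' in allowedCapabilities means anything may be added
        for cap in sorted(set(caps["add"]) - allowed):
            errors.append(f"capability may not be added: {cap}")
    for cap in sorted(set(psp.get("requiredDropCapabilities", [])) - set(caps["drop"])):
        errors.append(f"capability must be dropped: {cap}")
    return errors


def effective_caps(caps: dict, runtime_default: Iterable[str] = DOCKER_DEFAULT_CAPS) -> Set[str]:
    """Runtime semantics: start from the runtime default set, apply the drop
    list (ALL empties it), then apply the add list."""
    result = set(runtime_default)
    drops = set(caps.get("drop", []))
    result = set() if "ALL" in drops else result - drops
    return result | set(caps.get("add", []))


def admit(psp: dict, container_caps: dict) -> Tuple[List[str], Optional[Set[str]]]:
    """Run a container's securityContext.capabilities through the policy;
    returns (admission errors, capabilities the container would end up with)."""
    caps = psp_mutate(psp, container_caps)
    errors = psp_validate(psp, caps)
    return errors, (None if errors else effective_caps(caps))


def cap_mask(caps: Iterable[str]) -> int:
    """Bitmask as printed in the CapEff/CapBnd lines of /proc/<pid>/status."""
    return sum(1 << CAP_BITS[c] for c in caps)


def decode_cap_mask(mask: int) -> Set[str]:
    """Inverse of cap_mask, for checking a container that has no capsh."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


# The question's PSP and the answer's PSP, reduced to their capability fields.
QUESTION_PSP = {"allowedCapabilities": ["CHOWN"], "requiredDropCapabilities": ["ALL"]}
ANSWER_PSP = {"requiredDropCapabilities": [
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "FSETID", "KILL",
    "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
]}

if __name__ == "__main__":
    # Constructed pod requests: nothing, CHOWN, and a capability the policy forbids.
    for label, psp, req in [
        ("question PSP, pod requests nothing", QUESTION_PSP, {}),
        ("question PSP, pod adds CHOWN", QUESTION_PSP, {"add": ["CHOWN"]}),
        ("question PSP, pod adds NET_ADMIN", QUESTION_PSP, {"add": ["NET_ADMIN"]}),
        ("answer PSP, pod requests nothing", ANSWER_PSP, {}),
    ]:
        errors, caps = admit(psp, req)
        shown = sorted(caps) if caps is not None else None
        print(f"{label}: errors={errors} caps={shown}"
              + (f" CapEff=0x{cap_mask(caps):x}" if caps else ""))
```

The first scenario reproduces the empty `Current: =` seen in the question: with `requiredDropCapabilities: [ALL]` the pod's drop list becomes ALL, and `allowedCapabilities: [CHOWN]` only permits a pod that puts `CHOWN` in its own `securityContext.capabilities.add`, which the second scenario does. The fourth scenario shows what the answer's enumerated drop list leaves from the Docker default set (CHOWN, DAC_OVERRIDE, FOWNER, SETGID, SETUID), which a reader can cross-check inside a container with `grep CapEff /proc/self/status` and `decode_cap_mask`.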
Source: StackOverflow