How to disable weavescope shell/bash prompt for running containers

3/14/2019

How to disable the exec shell (shell/bash prompt) so that no user can get into the running container as the root user?

-- VIJETA ANGEER
kubernetes
weave

2 Answers

3/14/2019

You should use RBAC Authorization.

Create a role without granting access to the "pod/exec" sub-resource, i.e.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]

Thus, all users/service accounts bound to this role won't be able to get into the pods within the specific namespace.

-- A_Suh
Source: StackOverflow

6/28/2019

If you are running Weave Scope in your production environment, you may need to restrict 2 major things:

1. K8s worker node shell access and pod shell access

For disabling the controls, Weave Scope provides an out-of-the-box solution: the probe flag "--probe.no-controls=true", which you need to pass as a startup argument to your weave-scope-agent.

Final file will look like this:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: weave-scope-agent
  labels:
    name: weave-scope-agent
    app: weave-scope
    weave-cloud-component: scope
    weave-scope-component: agent
  namespace: weave
spec:
  minReadySeconds: 5
  selector:
    matchLabels:
      app: weave-scope
  template:
    metadata:
      labels:
        name: weave-scope-agent
        app: weave-scope
        weave-cloud-component: scope
        weave-scope-component: agent
    spec:
      containers:
        - name: scope-agent
          args:
            - '--probe.no-controls=true'
            - '--weave=false'
            - '--mode=probe'
            - '--probe-only'
            - '--probe.kubernetes.role=host'
            - '--probe.docker.bridge=docker0'
            - '--probe.docker=true'
            - 'weave-scope-app.weave.svc.cluster.local.:80'
          image: weaveworks/scope:1.11.2
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-socket
              mountPath: /var/run/docker.sock
            - name: scope-plugins
              mountPath: /var/run/scope/plugins
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: true
      tolerations:
        - effect: NoSchedule
          operator: Exists
      volumes:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
        - name: scope-plugins
          hostPath:
            path: /var/run/scope/plugins
        - name: sys-kernel-debug
          hostPath:
            path: /sys/kernel/debug
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1

Kindly note I am using the --weave=false flag because I am not using Weave as the CNI in my K8s cluster; if you are using the Weave CNI, do not pass this flag, otherwise unexpected behaviour may be observed.

2. Pod delete access

For disabling Weave users from deleting pods you need to play with some RBAC rules. Allow pods and pods/log in the RBAC and disable the delete verb. Doing this, users will be able to see the pods and pod logs, but they will be able to delete pods.

Final RBAC file will look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    name: weave-scope
  name: weave-scope
  namespace: weave
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  - replicationcontrollers
  - services
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
#- apiGroups:
#  - ""
#  resources:
#  - pods
#  verbs:
#  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/scale
  verbs:
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - list
  - watch
- apiGroups:
  - extensions
  resourceNames:
  - weave-scope
  resources:
  - podsecuritypolicies
  verbs:
  - use
- apiGroups:
  - volumesnapshot.external-storage.k8s.io
  resources:
  - volumesnapshots
  - volumesnapshotdatas
  verbs:
  - list
  - watch
-- Vaibhav Jain
Source: StackOverflow
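Both answers rely on the same RBAC property: a rule for "pods" does not cover the "pods/exec" subresource, and `kubectl exec` needs the "create" verb on "pods/exec". The following added example (not code from either answer, nor from Weave Scope) is an offline checker that evaluates a rule list the way RBAC matches apiGroups, resources and verbs, including "*" wildcards, and confirms that the pod-reader Role above denies exec while the commented-out delete rule stays denied. The rule lists are constructed dicts mirroring the YAML in the answers; resourceNames and nonResourceURLs are deliberately not modelled.

```python
# Added example: minimal RBAC rule evaluation for the Role/ClusterRole shown above.
# Constructed rule dicts mirror the YAML in the answers; no cluster or PyYAML needed.

def _match(pattern, value):
    """RBAC treats "*" as a wildcard for apiGroups and verbs."""
    return pattern == "*" or pattern == value

def _resource_match(pattern, resource):
    """"pods" does NOT cover the "pods/exec" subresource; only "pods/exec",
    "pods/*" or "*" do. This is why the Role above blocks exec."""
    if pattern in ("*", resource):
        return True
    if pattern.endswith("/*") and "/" in resource:
        return resource.split("/", 1)[0] == pattern[:-2]
    return False

def grants(rules, api_group, resource, verb):
    """True if any rule allows `verb` on `resource` in `api_group`."""
    for rule in rules:
        if not any(_match(g, api_group) for g in rule.get("apiGroups", [])):
            continue
        if not any(_resource_match(r, resource) for r in rule.get("resources", [])):
            continue
        if any(_match(v, verb) for v in rule.get("verbs", [])):
            return True
    return False

def can_exec(rules):
    """`kubectl exec` POSTs to the pods/exec subresource, i.e. verb "create"."""
    return grants(rules, "", "pods/exec", "create")

def can_delete_pods(rules):
    return grants(rules, "", "pods", "delete")

# Constructed from the pod-reader Role in the first answer (core API group "").
POD_READER_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
]

# Constructed "before" variant: the single extra rule that would re-enable exec.
EXEC_ALLOWED_RULES = POD_READER_RULES + [
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

if __name__ == "__main__":
    print("pod-reader can exec:", can_exec(POD_READER_RULES))          # False
    print("pod-reader can delete pods:", can_delete_pods(POD_READER_RULES))  # False
    print("exec-allowed can exec:", can_exec(EXEC_ALLOWED_RULES))      # True
```

The same check can be run against a live cluster with `kubectl auth can-i create pods --subresource=exec --as=<user>`, which answers for the full set of bindings rather than one role.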