Sunday, June 26, 2022

[How To] Prevent Container with Privileged Mode to Run on Kubernetes Cluster

My Kubernetes exploration brought me to the topic of privileged pods. Privileged pod, or container running in privileged mode is a configuration option of K8s deployment which can be useful, but can also be dangerous. 

This is an excerpt of deployment specification where privileged mode defined.

kind: Deployment
...
spec:
  template:
    spec:
      containers:
      - name: ...
        image: nginx:1.14.2
        securityContext:
          privileged: true

Found this article:

https://www.cncf.io/blog/2020/10/16/hack-my-mis-configured-kubernetes-privileged-pods/

which explains about what's the true intent of running privileged pod and the security risk it caused, including how to exploit privileged pod to do malicious intent.

Now the question is, how can we prevent container with privileged mode to run on our Kubernetes cluster?

Sunday, June 5, 2022

[lunar.lab] Cannot Resolve ".local" Domain from TKGm Workload Cluster

Problem Statement

  • Kubernetes Pod Status ImagePullBackOff 
  • Describe pod show error message:

dial tcp: lookup harbor-01a.corp.local: Temporary failure in name resolution

  • Container image pulled from local container registry with ".local" domain suffix

Thursday, June 2, 2022

[lunar.lab] Allow TKGm Workload Cluster to Pull Image from Harbor Configured with Self-signed Certificate

Disclaimer

  • This method is kind of a hack and hence ** Unsupported **.
  • I do this only within my lab or PoC with controlled environment.

Problem Statement

TKGm Workload Cluster do not allow pulling image from Container Registry configured with Self-signed Certificate.

Doing such thing will throw error message as follows:

x509: certificate signed by unknown authority