Pod Security¶

Keisson uses numerous overlapping systems to ensure your workloads run in a safe and efficient way.

Pod Security Standards¶

Pod Security Standards are a Kubernetes-native policy used to enforce sensible and commonly defined security standards for your workloads.

Baseline (Default)¶

Keisson enforces baseline Pod Security Standards by default.

Baseline standards ensure it is not possible to run workloads that can artificially gain more privileges than intended, or which could break out of their container or otherwise interfere with other workloads.

Restricted¶

While baseline is the best trade-off between security and compatibility, it is possible to enforce even stricter security standards, to help prevent privilege escalations within your containers.

The restricted level requires containers:

To run as a non root user
To disable privilege escalation via the setuid bit on executables
Without any advanced capabilities not normally required by applications

To enforce restricted pod security standards for all pods in a namespace, add the pod-security.kubernetes.io/enforce label set to restricted.

Note

In a vanilla Kubernetes cluster, it would be possible to disable Pod Security Standards enforcement by setting the pod-security.kubernetes.io/enforce label to privileged. To protect your workload’s security, Keisson will not allow this.

Seccomp (BPF)¶

Seccomp (Secure Computing) is a Linux Kernel feature that allows a system to limit the system calls available to applications.

Keisson enforces a reasonable Seccomp profile onto all containers, which allows for all modern and expected functionality, while blocking some legacy Linux system calls, or system calls that are known to have had multiple security issues.

This massively helps reduce any potential attack surface via the Kernel for any of your workloads.

Error

By blocking legacy Linux syscalls, this may cause compatibility issues with very old software. Such software is very unusual, especially in modern containerised environments, so this is highly unlikely to occur.

YAMA (ptrace hardening)¶

ptrace is a linux feature which allows one process to attach to another, taking partial control over it and gaining access to its internal memory. This feature is normally used by debugging, code coverage or benchmarking tools.

In vanilla Linux, the only condition to one process calling ptrace on another is that it can see it and send signals to it. Two processes run by the same user within a container fulfil that criteria. This creates a container-scoped security exposure, whereby one compromised process within a container can gain undue control over another within that same container.

Keisson addresses this by using the YAMA Linux Security Module, which hardens the rules over when processes can ptrace another. Keisson runs YAMA in restricted ptrace (1) mode, which only allows processes to trace processes which have specifically requested / allowed tracing.