Event Information

Meaning

  • This event indicates a potential security issue where an attacker may exploit environment variables to escalate their privileges within the Kubernetes cluster.
  • It is crucial to investigate the source of the environment variables and ensure that sensitive information or privileged access is not being misused.
  • To further investigate, list the pods in every namespace to identify the pod associated with the event: kubectl get pods -A.

Remediation

  • Create a Kubernetes Pod Security Policy to restrict the usage of environment variables in Pods (PodSecurityPolicy was removed in Kubernetes v1.25; on current clusters enforce the same controls with Pod Security Admission or an admission controller):
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-env-vars
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - '*'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: false
  defaultAllowPrivilegeEscalation: false
  allowedHostPaths:
    - pathPrefix: "/etc"
      readOnly: false
  allowedFlexVolumes: []
  allowedUnsafeSysctls: []
  forbiddenSysctls:
    - '*'
  allowedProcMountTypes:
    - "Default"
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  allowedCapabilities: []
  • Update the Pod definition to adhere to the Pod Security Policy created:
apiVersion: v1
kind: Pod
metadata:
  name: restricted-pod
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - name: container
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        drop:
          - ALL
    env:
      - name: ALLOWED_ENV_VAR
        value: "allowed"
  restartPolicy: Never
  • Apply the Pod Security Policy and update the Pod:
kubectl apply -f pod-security-policy.yaml
kubectl apply -f restricted-pod.yaml
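As an added example (not code from the original page), the following Python audit checks a Pod manifest for the controls the hardened Pod above applies and flags environment variables outside an allow-list; the allow-list and both sample manifests are constructed for illustration.

```python
# Added example (not from the original page): audit a Pod manifest for the
# controls the remediation above applies, plus an env-var allow-list that
# mirrors the page's ALLOWED_ENV_VAR. Manifests below are constructed samples.

# Hypothetical site-specific allow-list of permitted environment variable names.
ALLOWED_ENV = {"ALLOWED_ENV_VAR"}

def audit_pod(pod, allowed_env=ALLOWED_ENV):
    """Return a list of findings for the Pod; an empty list means compliant."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings take precedence over Pod-level ones.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{name}: runAsUser 0 (root) is not allowed")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        for env in c.get("env", []):
            ename = env.get("name", "<unnamed>")
            if ename not in allowed_env:
                findings.append(f"{name}: env var {ename} is not in the allow-list")
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"{name}: env var {ename} injects a Secret into the environment")
    return findings

# Constructed sample: the hardened Pod from the remediation above.
RESTRICTED_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "restricted-pod"},
    "spec": {"containers": [{"name": "container", "image": "nginx",
        "securityContext": {"allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True, "runAsNonRoot": True,
            "runAsUser": 1000, "capabilities": {"drop": ["ALL"]}},
        "env": [{"name": "ALLOWED_ENV_VAR", "value": "allowed"}]}]}}

# Constructed sample: runs as root, keeps all capabilities, and pulls a
# Secret into an environment variable.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak-pod"},
    "spec": {"containers": [{"name": "app", "image": "nginx",
        "securityContext": {"runAsUser": 0},
        "env": [{"name": "DB_PASSWORD", "valueFrom":
            {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}
```

Run audit_pod() over manifests loaded from your cluster (for example via kubectl get pods -A -o json) before and after applying the remediation to confirm the findings disappear.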