Run shell untrusted

​

Event Information

​

Meaning

• The “Run shell untrusted” event in a Kubernetes cluster indicates that a shell command was executed within a container running in the cluster, and it was flagged as untrusted.
• This event typically occurs when a user or process attempts to run a shell command that is not allowed or violates the security policies defined for the cluster.
• It is important to investigate this event further to determine the source of the command and assess whether it poses a security risk or violates any compliance standards.

To investigate further, you can:

• Use the kubectl get pods command to identify the pod in which the event occurred.
• Use the kubectl logs <pod-name> command to view the logs of the container and look for any suspicious or unauthorized shell commands.
• Review the security policies and access controls in place to ensure that only trusted and authorized commands are allowed to be executed within the cluster.

​

Remediation

1. Update Security Policies:

   • Use Security Context Constraints (SCC) or Pod Security Policies (PSP) Alternatives.

   • Since PodSecurityPolicy is deprecated, consider using alternative solutions like Kubernetes PodSecurityAdmission or OPA/Gatekeeper to enforce security policies.

   • Kubernetes PodSecurityAdmission (PSA) provides a built-in way to enforce security policies. Here’s an example of how to enforce security controls using PSA:

   apiVersion: policy/v1
   kind: PodSecurityPolicy
   metadata:
     name: restricted
   spec:
     privileged: false
     allowPrivilegeEscalation: false
     allowedCapabilities: []
     volumes:
       - 'emptyDir'
       - 'configMap'
       - 'projected'
       - 'secret'
     hostNetwork: false
     hostIPC: false
     hostPID: false
     runAsUser:
       rule: 'MustRunAsNonRoot'
     seLinux:
       rule: 'Must'
     supplementalGroups:
       rule: 'MustNot'
     fsGroup:
       rule: 'MustNot'
     readOnlyRootFilesystem: true
   

   • Implement OPA/Gatekeeper Policies Open Policy Agent (OPA) and Gatekeeper can be used to enforce custom policies. For example, you can create a policy that restricts the execution of untrusted shell commands:

   apiVersion: constraints.gatekeeper.sh/v1beta1
   kind: K8sSecurityContextConstraints
   metadata:
     name: restrict-shell-commands
   spec:
     enforcementAction: deny
     match:
       kinds:
         - apiGroups: [""]
           kinds: [Pod]
     parameters:
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
         capabilities:
           drop:
             - ALL
   

2. Update Deployment or Pod Specifications:

   • Ensure that new pods adhere to the updated security policies by modifying their configurations:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: your-deployment
    spec:
      template:
        spec:
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
          containers:
          - name: your-container
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                  - ALL
   

3. Apply the updated security policies and configurations to your cluster:

     kubectl apply -f <policy-file.yaml>
     kubectl apply -f <deployment-file.yaml>

Note: Make sure to test all changes in a staging environment before applying them to production to avoid any unintended disruptions.