kubernetes-security – Tarik Billa

kubernetes PodSecurityPolicy set to runAsNonRoot, container has runAsNonRoot and image has non-numeric user (appuser), cannot verify user is non-root

November 27, 2023 by Tarik

Here is the implementation of the verification: case uid == nil && len(username) > 0: return fmt.Errorf(“container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root”, username) And here is the validation call with the comment: // Verify RunAsNonRoot. Non-root verification only supports numeric user. if err := verifyRunAsNonRoot(pod, container, uid, … Read more

Where can I get a list of Kubernetes API resources and subresources?

April 22, 2023 by Tarik

Using kubectl api-resources -o wide shows all the ressources, verbs and associated API-group. $ kubectl api-resources -o wide NAME SHORTNAMES APIGROUP NAMESPACED KIND VERBS bindings true Binding [create] componentstatuses cs false ComponentStatus [get list] configmaps cm true ConfigMap [create delete deletecollection get list patch update watch] endpoints ep true Endpoints [create delete deletecollection get list … Read more

Kubernetes Secrets – What is the purpose of type “Opaque” in secret definitions

March 29, 2023 by Tarik

type: Opaque means that from kubernetes’s point of view the contents of this Secret is unstructured, it can contain arbitrary key-value pairs. In contrast, there is the Secret storing ServiceAccount credentials, or the ones used as ImagePullSecret. These have a constrained contents.