Detecting use of a privileged container

A container with privileged: true runs with every Linux capability and with direct access to the host's devices, so it is not meaningfully isolated from the node. The Pod below is the minimal trigger for this detection.

apiVersion: v1
kind: Pod
metadata:
  name: privileged-container
  labels:
    role: privileged-container
  namespace: default
spec:
  containers:
    - image: busybox
      command:
        - sleep
        - "3600"
      imagePullPolicy: IfNotPresent
      name: privileged-container
      securityContext:
        privileged: true
  restartPolicy: Always
Save the manifest as privileged-container.yaml and apply it:

kubectl apply -f privileged-container.yaml

Detecting a mounted volume that holds sensitive data as a threat

The Deployment below mounts the node's /etc into the container through a hostPath volume. The mount is read-write (readOnly is not set), so the container can read host credentials such as /etc/shadow and rewrite host configuration. The container is also privileged: true, so it should trip both this detection and the privileged-container one.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sensitive-mount-container
spec:
  selector:
    matchLabels:
      app: sensitive-mount-container
  replicas: 1
  template:
    metadata:
      labels:
        app: sensitive-mount-container
    spec:
      containers:
        - name: sensitive-mount-container
          image: nginx
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /test-pd
              name: test-volume
      volumes:
        - name: test-volume
          hostPath:
            path: /etc
            type: Directory
Save the manifest as sensitive-mount-container.yaml and apply it:

kubectl apply -f sensitive-mount-container.yaml

Detecting a threat that allows anonymous access

The ClusterRoleBinding below grants the view ClusterRole cluster-wide to the system:anonymous user, that is, to any request the API server accepts without authentication (anonymous-auth is enabled by default). The binding is named anonymous-admin but binds only view; a detection should key on the subject, not on the name. Requests from the anonymous user also carry the system:unauthenticated group, so a binding to that group is equivalent and should be flagged the same way.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-admin
subjects:
  - kind: User
    name: system:anonymous
    # a User subject has no namespace; that field applies to ServiceAccount subjects only
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
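A static check that covers all three detections on this page (privileged container, sensitive hostPath mount, RBAC binding for anonymous callers), as an added example rather than any tool the page itself uses. It scans the objects that kubectl get -o json returns and needs only the Python standard library; the sensitive-path list, the detector names and the JSON samples are constructed for this example.

```python
"""Static detector for the three threats shown on this page (added example,
not the page's own tooling). It takes objects in the JSON shape that
`kubectl get ... -o json` returns and reports privileged containers,
sensitive hostPath mounts and RBAC bindings for anonymous callers."""
import json
import posixpath
import sys

# Host paths whose exposure leaks credentials or hands over the node: an
# assumed policy list for this example, extend it to your own environment.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd", "/var/run/crio")
# Subjects that mean "any unauthenticated caller".
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
WORKLOAD_KINDS = {"Pod", "Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job", "CronJob"}


def pod_spec(obj):
    """PodSpec of a Pod, or of the pod template nested inside a workload."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def path_is_sensitive(path):
    """Prefix match after normalisation: '/etc/', '/etc/../' and '/etc/kubernetes' all count."""
    norm = posixpath.normpath(path)
    if norm == "/":
        return True  # the entire host filesystem
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def check_workload(obj):
    """(object, container, reason) findings for one Pod-like object."""
    md = obj.get("metadata", {})
    where = f"{obj.get('kind')}/{md.get('namespace', 'default')}/{md.get('name')}"
    spec = pod_spec(obj)
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append((where, c["name"], "privileged container"))
        for m in c.get("volumeMounts", []):
            hp = volumes.get(m["name"], {}).get("hostPath")
            if hp and path_is_sensitive(hp.get("path", "")):
                findings.append((where, c["name"],
                                 f"sensitive hostPath {hp['path']} mounted at {m['mountPath']}"))
    return findings


def check_binding(obj):
    """Findings for a (Cluster)RoleBinding whose subjects include anonymous callers."""
    md = obj.get("metadata", {})
    where = "/".join(x for x in (obj.get("kind"), md.get("namespace"), md.get("name")) if x)
    role = obj.get("roleRef", {})
    return [(where, s.get("name"), f"anonymous access bound to {role.get('kind')}/{role.get('name')}")
            for s in obj.get("subjects") or []
            if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS]


def scan(objects):
    """Run every check over a list of API objects and return all findings."""
    findings = []
    for obj in objects:
        if obj.get("kind") in WORKLOAD_KINDS:
            findings.extend(check_workload(obj))
        elif obj.get("kind") in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(check_binding(obj))
    return findings


# Constructed samples: the three manifests above in API-object form, plus a
# benign pod (unprivileged, hostPath outside the sensitive list) for contrast.
SAMPLES = [
    {"kind": "Pod", "metadata": {"name": "privileged-container", "namespace": "default"},
     "spec": {"containers": [{"name": "privileged-container", "image": "busybox",
                              "securityContext": {"privileged": True}}]}},
    {"kind": "Deployment", "metadata": {"name": "sensitive-mount-container"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "sensitive-mount-container", "image": "nginx",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
         "volumes": [{"name": "test-volume", "hostPath": {"path": "/etc", "type": "Directory"}}]}}}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anonymous-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}],
     "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "Pod", "metadata": {"name": "benign", "namespace": "default"},
     "spec": {"containers": [{"name": "app", "image": "nginx",
                              "volumeMounts": [{"mountPath": "/data", "name": "d"}]}],
              "volumes": [{"name": "d", "hostPath": {"path": "/srv/data"}}]}},
]

if __name__ == "__main__":
    # Usage: kubectl get pods,deploy,clusterrolebindings -A -o json > all.json && python3 detect.py all.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else {"kind": "List", "items": SAMPLES}
    for where, what, why in scan(doc.get("items", []) if doc.get("kind") == "List" else [doc]):
        print(f"{where}: {what}: {why}")
```

Run without arguments it scans the embedded samples and reports four findings: the privileged Pod, the Deployment twice (privileged, and /etc mounted at /test-pd), and the anonymous binding; the benign pod produces nothing. This is a check of desired state in the API, not of what is running on the node, so pair it with a runtime sensor. The RBAC finding can be confirmed from the API server's own view with kubectl auth can-i --list --as=system:anonymous, which prints every verb an unauthenticated caller is allowed.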