Using Smack to secure Kubernetes containers and nodes — a proof of concept



Needs analysis

What is Smack?

Smack basics

Activating Smack on the system

# cat /proc/config.gz | gunzip | grep -i smack

# cat /sys/kernel/security/lsm

# cat /etc/default/grub | grep lsm=
GRUB_CMDLINE_LINUX_DEFAULT=”quiet udev.log_priority=3 lsm=lockdown,yama,smack”

# cat /etc/fstab | grep smack
smackfs /sys/fs/smackfs smackfs defaults 0 0

# smackctl status
SmackFS is mounted to /sys/fs/smackfs/

# chsmack /path/to/folder/*
/path/to/folder/test.txt access=”_”

# chsmack -a {access-label} -e {execute-label} -m {mmap-label} /path/to/folder/test.txt

# chsmack -A -E -M /path/to/folder/test.txt


secret_exec secret_file rwa

# smackctl apply

secret_exec _ rwaxtl

# smackctl apply

Securing containers

# cat /etc/smack/accesses.d/host
host _ rwxatl
_ host rwxatl
host container rwxatl

# cat /etc/smack/accesses.d/containers
container _ rwxatl
_ container rwxatl

How do Kubernetes containers work?

Incorporating Smack into containerd

# chsmack -a container0123456789deadbeef -e container0123456789deadbeef -r /path/to/extracted/container/files

The proof of concept

$ kubectl exec -ti hello — /bin/sh
/ # id
uid=0(root) gid=0(root) groups=1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

/ # ls /host
ls: /host/etc: Permission denied
bin lost+found run
boot mnt sbin
desktopfs-pkgs.txt opt srv
dev path sys
home proc tmp
lib root usr
lib64 rootfs-pkgs.txt var

/ # cat /host/etc/shadow
cat: can’t open ‘/host/etc/shadow’: Permission denied

/ #

# find / -type f -exec chsmack -a host {} +

# find / -type d -exec chsmack -a host -t {} +

Final thoughts

Follow-up blog post



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store