1. Auditing Kubernetes Cluster for Privileged Container Usage

    TypeScript

    Auditing a Kubernetes cluster for privileged container usage involves inspecting the configurations of pod specifications to check for containers that are set to run with elevated privileges. This typically means checking for containers that have privileged: true in their security context settings.

    Using Pulumi to perform this audit would involve defining a query that inspects resources in a Kubernetes cluster. Unfortunately, Pulumi's core functionality is centered around provisioning and managing infrastructure rather than querying the existing state in detail. To perform the audit, you would use Kubernetes native commands like kubectl or tools specifically designed for cluster inspection and auditing, such as Kubernetes auditing logs or policy enforcement tools like OPA/Gatekeeper.

    However, I can show you how to set up Pulumi to manage a Kubernetes resource, such as a Pod, while explicitly avoiding the creation of any privileged containers by setting securityContext.privileged to false. This doesn't perform an audit but ensures that any Kubernetes resources defined using this Pulumi program will not run privileged containers.

    import * as kubernetes from "@pulumi/kubernetes";

    // Create a Kubernetes pod with a single non-privileged container.
    const pod = new kubernetes.core.v1.Pod("demo-pod", {
        metadata: {
            labels: {
                app: "demo",
            },
        },
        spec: {
            containers: [{
                name: "non-privileged-container",
                image: "nginx", // Using nginx as an example image.
                securityContext: {
                    // Ensure that the container is not running in privileged mode.
                    privileged: false,
                },
            }],
        },
    });

    // Export the name of the pod
    export const podName = pod.metadata.name;

    In the above TypeScript program, I've used the Pulumi Kubernetes library to define a Pod named demo-pod. The pod contains a single container based on the nginx image.

    The critical part of this Pod definition in terms of security is the securityContext.privileged: false line, which explicitly states that the container should not be run with privileged access to the host machine. This is a preventative measure rather than an audit.

    The program concludes by exporting the pod name, which allows you to easily reference the pod in future Pulumi operations or in additional code that would perform auditing actions outside Pulumi's scope.

    For actual auditing purposes, as mentioned before, you would typically use kubectl commands like the following to list pods that have privileged containers:

    kubectl get pods -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged == true)'

    This command uses kubectl to fetch all pods in the JSON output format, and then pipes the JSON data into jq, which is a command-line JSON processor. jq filters the output to only show details of containers that have the securityContext.privileged field set to true. This is just an example command, and the actual implementation may vary based on your specific needs and cluster setup.
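    The same audit carried out over the JSON that kubectl emits, as an added TypeScript example that is not part of the original answer or of Pulumi: it walks each pod's containers and initContainers (the jq filter above only looks at containers) and reports every container with an explicit privileged: true. The pod list below is constructed sample data shaped like `kubectl get pods -A -o json`, not output from a real cluster.

```typescript
// Minimal subset of the PodList shape returned by `kubectl get pods -o json`.
interface SecurityContext { privileged?: boolean; }
interface Container { name: string; image?: string; securityContext?: SecurityContext; }
interface Pod {
    metadata: { name: string; namespace?: string };
    spec: { containers: Container[]; initContainers?: Container[] };
}
interface PodList { items: Pod[]; }

type ContainerKind = "container" | "initContainer";
interface Finding { namespace: string; pod: string; container: string; kind: ContainerKind; }

// Return one finding per container that is explicitly privileged.
// Absent securityContext or `privileged: false` is the safe default and is not reported.
function findPrivilegedContainers(list: PodList): Finding[] {
    const findings: Finding[] = [];
    for (const pod of list.items) {
        const namespace = pod.metadata.namespace ?? "default";
        const check = (containers: Container[] | undefined, kind: ContainerKind) => {
            for (const c of containers ?? []) {
                if (c.securityContext?.privileged === true) {
                    findings.push({ namespace, pod: pod.metadata.name, container: c.name, kind });
                }
            }
        };
        check(pod.spec.containers, "container");
        check(pod.spec.initContainers, "initContainer"); // init containers can be privileged too
    }
    return findings;
}

// One line per finding, suitable for a report or a CI failure message.
function formatReport(findings: Finding[]): string[] {
    return findings.map(f => `${f.namespace}/${f.pod} ${f.kind} ${f.container}`);
}

// Constructed sample data (hypothetical pods), not taken from a real cluster.
const samplePods: PodList = {
    items: [
        { metadata: { name: "demo-pod", namespace: "default" },
          spec: { containers: [{ name: "non-privileged-container", image: "nginx", securityContext: { privileged: false } }] } },
        { metadata: { name: "node-agent", namespace: "kube-system" },
          spec: { initContainers: [{ name: "sysctl-setup", securityContext: { privileged: true } }],
                  containers: [{ name: "agent", image: "agent:1.0" }] } },
        { metadata: { name: "debug", namespace: "ops" },
          spec: { containers: [{ name: "shell", securityContext: { privileged: true } }, { name: "sidecar" }] } },
    ],
};

formatReport(findPrivilegedContainers(samplePods)).forEach(line => console.log(line));
```

    Feeding real output through `JSON.parse` in place of samplePods turns this into a cluster-wide check; a non-empty report is the signal that a workload needs review.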