https://drive.google.com/file/d/15JhuuRPCbnmudauXmZQHLxtUBCE5RE2w/view?usp=sharing
# 1. Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: unsecure
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: lovelearnlinux/unsecureapache:v1 # ← Custom Apache image
        ports:
        - containerPort: 8080 # ← App listens on 8080
---
# 2. ClusterIP Service
apiVersion: v1
kind: Service
metadata:
  name: unsecure-svc
spec:
  selector:
    app: nginx
  ports:
  - port: 80 # ← Service port
    targetPort: 8080 # ← Pod port
---
# 3. NodePort Service
apiVersion: v1
kind: Service
metadata:
  name: unsecure-svc-np
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 30007 # ← Fixed NodePort (optional)
Key Observations:
- Two Services:
  - secure-svc → internal (ClusterIP)
  - secure-svc-np → external (NodePort: 30007)
- Port mapping: App runs on 8080 → exposed as 80 internally, 30007 externally

Missing Security Features:
- No securityContext (run as non-root)
- No resource limits
- No probes
- No read-only root filesystem
Here's how to harden this Deployment:
# secure-apache-enhanced.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # SECURITY: Run as non-root user
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000 # ← Must match image user
        fsGroup: 2000
      containers:
      - name: nginx
        image: lovelearnlinux/secureapache:v1 # ← Official NGINX image
        ports:
        - containerPort: 8080
        # SECURITY: Container-level hardening
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "200m"
        livenessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 10
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 5
---
# ClusterIP Service (internal)
apiVersion: v1
kind: Service
metadata:
  name: secure-svc
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 8080
---
# NodePort Service (external)
apiVersion: v1
kind: Service
metadata:
  name: secure-svc-np
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 30007 # Optional: fixed port
Key Security Enhancements:
- runAsNonRoot: true → prevents root access
- readOnlyRootFilesystem: true → blocks runtime writes
- drop ALL capabilities → minimal Linux capabilities
- Resource limits → prevents DoS
- Probes → ensures health
# Save as secure-apache-enhanced.yaml
kubectl apply -f secure-apache-enhanced.yaml
# Verify Pods
kubectl get pods -l app=nginx
# Start debug Pod
kubectl run debug --image=curlimages/curl -it --rm -- sh
# Inside shell:
curl http://secure-svc
# Should return the Apache welcome page
exit
In k3s, NodePort is accessible on any node's IP.
# Get k3s node IPs
kubectl get nodes -o wide
# From your laptop (or any machine with network access to k3s nodes):
curl http://<NODE-IP>:30007
# Example: curl http://192.168.1.10:30007
# Should return the Apache welcome page
Note:
- If you omit nodePort, k3s assigns a random port in 30000-32767
- A fixed nodePort is useful for firewall rules