initial commit

2018-04-21 10:04:11 +05:30 · 2018-04-21 10:04:11 +05:30 · a72c45da16
commit a72c45da16
7 changed files with 113 additions and 0 deletions
--- a/01-AUTH.md
+++ b/01-AUTH.md
@ -0,0 +1,26 @@
+# Kube Auth
+
+## Requirements
+
+- Have `kubectl` working against minikube
+
+## Theory
+
+- https://kubernetes.io/docs/admin/authentication/
+- https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/
+
+## Practice
+
+- Figure out how kubernetes authentication works
+
+Try by running the following commands:
+
+`kubectl config view`
+`kubectl cluster-info`
+`kubectl proxy`
+`minikube dashboard --url`
+`kube auth can-i [verb] [resource]`
+
+Try figuring out what command line flags the minikube
+server was started with and use that to figure out what
+authentication methods does it support.
--- a/02-NETPOL.md
+++ b/02-NETPOL.md
@ -0,0 +1,30 @@
+# Network Policies
+
+## Requirements
+
+- Have `kubectl` working against minikube
+
+# Setup
+
+1. Bring up a new redis server in the `default` namespace  
+`kubectl create deployment --image=redis:alpine redis`
+2. Create a new namespace:  
+`kubectl create namespace attacker`
+3. Bring up a new Alpine server  
+`kubectl create -f alpine.yml`
+4. SSH to the attacker pod  
+`kubectl exec -it attacker-pod -n attacker`
+
+# Break it
+
+## Get the IP Address of the Redis Pod
+
+`kubectl describe pod [pod-name]`
+
+## Install redis on the alpine server
+
+`apk update && apk add redis`
+
+## Try accessing redis server
+
+# Fix it
--- a/03-CIS.md
+++ b/03-CIS.md
@ -0,0 +1,10 @@
+# CIS Benchmark
+
+1. Get the PDF from https://goo.gl/437pqY
+2. Understand how it works
+
+# Run it
+
+1. Read through https://github.com/aquasecurity/kube-bench
+2. `minikube ssh`
+3. `docker run --rm -v `pwd`:/host aquasec/kube-bench:latest`
--- a/README.md
+++ b/README.md
@ -0,0 +1,5 @@
+# kubernetes-security
+
+Workshop material for the talk.
+
+**Open https://k8s.bb8.fun for the slides.**
--- a/resources/alpine.yml
+++ b/resources/alpine.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: attacker-pod
+  namespace: attacker
+spec:
+  containers:
+  - image: redis:alpine
+    command:
+      - sleep
+      - "3600"
+    imagePullPolicy: IfNotPresent
+    name: attacker-pod
+  restartPolicy: Always
--- a/resources/busybox.yml
+++ b/resources/busybox.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: alpine
+  namespace: attacker
+spec:
+  containers:
+  - image: alpine:3.6
+    command:
+      - sleep
+      - "3600"
+    imagePullPolicy: IfNotPresent
+    name: alpine
+  restartPolicy: Always
--- a/resources/netpol.yml
+++ b/resources/netpol.yml
@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: block-redis-ingress
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      app: redis
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  egress: