initial commit
This commit is contained in:
commit
a72c45da16
|
@ -0,0 +1,26 @@
|
|||
# Kube Auth
|
||||
|
||||
## Requirements
|
||||
|
||||
- Have `kubectl` working against minikube
|
||||
|
||||
## Theory
|
||||
|
||||
- https://kubernetes.io/docs/admin/authentication/
|
||||
- https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/
|
||||
|
||||
## Practice
|
||||
|
||||
- Figure out how kubernetes authentication works
|
||||
|
||||
Try by running the following commands:
|
||||
|
||||
`kubectl config view`
|
||||
`kubectl cluster-info`
|
||||
`kubectl proxy`
|
||||
`minikube dashboard --url`
|
||||
`kube auth can-i [verb] [resource]`
|
||||
|
||||
Try figuring out what command line flags the minikube
|
||||
server was started with and use that to figure out what
|
||||
authentication methods does it support.
|
|
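Review bot: `kube auth can-i [verb] [resource]` in the Practice list is not a real command; the binary is `kubectl`, so the line should read `kubectl auth can-i [verb] [resource]` (for instance `kubectl auth can-i create pods --namespace default`). The closing paragraph is also vague for a reader who has not seen an apiserver before: say where the flags can be found (the apiserver process arguments, visible after `minikube ssh`) and which ones answer the question, e.g. `--client-ca-file` (client certificates), `--token-auth-file` (static tokens) and `--authorization-mode`. Grammar: "figure out what authentication methods does it support" should be "figure out which authentication methods it supports".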
@ -0,0 +1,30 @@
|
|||
# Network Policies
|
||||
|
||||
## Requirements
|
||||
|
||||
- Have `kubectl` working against minikube
|
||||
|
||||
# Setup
|
||||
|
||||
1. Bring up a new redis server in the `default` namespace
|
||||
`kubectl create deployment --image=redis:alpine redis`
|
||||
2. Create a new namespace:
|
||||
`kubectl create namespace attacker`
|
||||
3. Bring up a new Alpine server
|
||||
`kubectl create -f alpine.yml`
|
||||
4. SSH to the attacker pod
|
||||
`kubectl exec -it attacker-pod -n attacker`
|
||||
|
||||
# Break it
|
||||
|
||||
## Get the IP Address of the Redis Pod
|
||||
|
||||
`kubectl describe pod [pod-name]`
|
||||
|
||||
## Install redis on the alpine server
|
||||
|
||||
`apk update && apk add redis`
|
||||
|
||||
## Try accessing redis server
|
||||
|
||||
# Fix it
|
|
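Review bot: Setup steps 3 and 4 contradict each other: `kubectl create -f alpine.yml` creates a pod named `alpine`, but step 4 execs into `attacker-pod`, which only exists if the other manifest in this commit was applied; use one manifest and its pod name in both steps. `kubectl exec -it attacker-pod -n attacker` also needs a command, e.g. `kubectl exec -it attacker-pod -n attacker -- sh`, and it is an exec, not SSH. Under "Break it", `kubectl describe pod [pod-name]` works but the deployment's pod name is generated; `kubectl get pod -l app=redis -o wide` (the deployment labels its pods `app=redis`) prints the IP directly. "Try accessing redis server" gives no command; add `redis-cli -h <redis-pod-ip> ping`. "Fix it" is empty: it should point at the NetworkPolicy manifest, repeat the `redis-cli` check so the reader sees the connection now fail, and state that NetworkPolicy is only enforced by a CNI plugin that implements it, so on a minikube cluster without such a plugin the object is accepted by the API but changes nothing. Heading levels also jump from `## Requirements` to `# Setup`, `# Break it` and `# Fix it`; keep them consistent.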
@ -0,0 +1,10 @@
|
|||
# CIS Benchmark
|
||||
|
||||
1. Get the PDF from https://goo.gl/437pqY
|
||||
2. Understand how it works
|
||||
|
||||
# Run it
|
||||
|
||||
1. Read through https://github.com/aquasecurity/kube-bench
|
||||
2. `minikube ssh`
|
||||
3. `docker run --rm -v `pwd`:/host aquasec/kube-bench:latest`
|
|
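Review bot: step 3 under "Run it" appears to be missing the `install` argument and the run that follows it: used with a `-v $(pwd):/host` mount, the kube-bench container copies its binary and config into the mounted directory, and the benchmark is then executed on the host with `./kube-bench master` or `./kube-bench node`; as written, nothing from the real node is inspected. Also, the nested backticks in `` `pwd` `` break the markdown inline-code rendering; write `$(pwd)` instead. Step 1 links a `goo.gl` shortener: link the CIS Kubernetes Benchmark page directly and name the benchmark version, since kube-bench results only make sense against a specific version, and "Understand how it works" needs at least one sentence on what to look at (the scored vs. unscored checks and how each check is verified).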
@ -0,0 +1,5 @@
|
|||
# kubernetes-security
|
||||
|
||||
Workshop material for the talk.
|
||||
|
||||
**Open https://k8s.bb8.fun for the slides.**
|
|
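Review bot: the README gives only the slides link; it should list the exercises in this repository (Kube Auth, Network Policies, CIS Benchmark) with links to their files, and the shared prerequisite (`kubectl` working against minikube, plus a CNI that enforces NetworkPolicy for the network-policy exercise), otherwise a reader landing on the repository has no entry point.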
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: attacker-pod
|
||||
namespace: attacker
|
||||
spec:
|
||||
containers:
|
||||
- image: redis:alpine
|
||||
command:
|
||||
- sleep
|
||||
- "3600"
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: attacker-pod
|
||||
restartPolicy: Always
|
|
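Review bot: the pod carries no labels under `metadata`, so no NetworkPolicy can select it as a source (`podSelector`/`namespaceSelector` rules need something to match); add e.g. `labels: { app: attacker }`. Note also that the image is `redis:alpine`, which already ships `redis-cli`, so if this is the pod used in the Network Policies exercise the "Install redis on the alpine server" step is redundant; the README should say which of the two pod manifests it uses. Minor: the pod runs as root with no `securityContext` or resource limits, acceptable for a throwaway workshop pod but worth a comment so it is not copied elsewhere.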
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: alpine
|
||||
namespace: attacker
|
||||
spec:
|
||||
containers:
|
||||
- image: alpine:3.6
|
||||
command:
|
||||
- sleep
|
||||
- "3600"
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: alpine
|
||||
restartPolicy: Always
|
|
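Review bot: the pod name `alpine` does not match `attacker-pod`, the name the Network Policies README execs into in step 4, so `kubectl exec -it attacker-pod -n attacker` fails after `kubectl create -f alpine.yml`; rename the pod or fix the README. This manifest is otherwise identical to the `redis:alpine` one apart from the image, so keeping a single attacker manifest would remove the confusion. As with the other pod, add a label under `metadata` so a policy can select it; pinning `alpine:3.6` is fine.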
@ -0,0 +1,14 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: block-redis-ingress
|
||||
namespace: default
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: redis
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
ingress:
|
||||
egress:
|