From a72c45da16fe926ec1c4e467e92b892686e2cf5d Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 21 Apr 2018 10:04:11 +0530
Subject: [PATCH] initial commit
---
 01-AUTH.md | 26 ++++++++++++++++++++++++++
 02-NETPOL.md | 30 ++++++++++++++++++++++++++++++
 03-CIS.md | 10 ++++++++++
 README.md | 5 +++++
 resources/alpine.yml | 14 ++++++++++++++
 resources/busybox.yml | 14 ++++++++++++++
 resources/netpol.yml | 14 ++++++++++++++
 7 files changed, 113 insertions(+)
 create mode 100644 01-AUTH.md
 create mode 100644 02-NETPOL.md
 create mode 100644 03-CIS.md
 create mode 100644 README.md
 create mode 100644 resources/alpine.yml
 create mode 100644 resources/busybox.yml
 create mode 100644 resources/netpol.yml
diff --git a/01-AUTH.md b/01-AUTH.md
new file mode 100644
index 0000000..2408e87
--- /dev/null
+++ b/01-AUTH.md
@@ -0,0 +1,26 @@
+# Kube Auth
+
+## Requirements
+
+- Have `kubectl` working against minikube
+
+## Theory
+
+- https://kubernetes.io/docs/admin/authentication/
+- https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/
+
+## Practice
+
+- Figure out how kubernetes authentication works
+
+Try by running the following commands:
+
+`kubectl config view`
+`kubectl cluster-info`
+`kubectl proxy`
+`minikube dashboard --url`
+`kube auth can-i [verb] [resource]`
+
+Try figuring out what command line flags the minikube
+server was started with and use that to figure out what
+authentication methods does it support.
\ No newline at end of file
diff --git a/02-NETPOL.md b/02-NETPOL.md
new file mode 100644
index 0000000..0001814
--- /dev/null
+++ b/02-NETPOL.md
@@ -0,0 +1,30 @@
+# Network Policies
+
+## Requirements
+
+- Have `kubectl` working against minikube
+
+# Setup
+
+1. Bring up a new redis server in the `default` namespace
+`kubectl create deployment --image=redis:alpine redis`
+2. Create a new namespace:
+`kubectl create namespace attacker`
+3. Bring up a new Alpine server
+`kubectl create -f alpine.yml`
+4. SSH to the attacker pod
+`kubectl exec -it attacker-pod -n attacker`
+
+# Break it
+
+## Get the IP Address of the Redis Pod
+
+`kubectl describe pod [pod-name]`
+
+## Install redis on the alpine server
+
+`apk update && apk add redis`
+
+## Try accessing redis server
+
+# Fix it
\ No newline at end of file
diff --git a/03-CIS.md b/03-CIS.md
new file mode 100644
index 0000000..9874b3e
--- /dev/null
+++ b/03-CIS.md
@@ -0,0 +1,10 @@
+# CIS Benchmark
+
+1. Get the PDF from https://goo.gl/437pqY
+2. Understand how it works
+
+# Run it
+
+1. Read through https://github.com/aquasecurity/kube-bench
+2. `minikube ssh`
+3. `docker run --rm -v `pwd`:/host aquasec/kube-bench:latest`
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..82ebb76
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# kubernetes-security
+
+Workshop material for the talk.
+
+**Open https://k8s.bb8.fun for the slides.**
\ No newline at end of file
diff --git a/resources/alpine.yml b/resources/alpine.yml
new file mode 100644
index 0000000..2f63c42
--- /dev/null
+++ b/resources/alpine.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: attacker-pod
+ namespace: attacker
+spec:
+ containers:
+ - image: redis:alpine
+ command:
+ - sleep
+ - "3600"
+ imagePullPolicy: IfNotPresent
+ name: attacker-pod
+ restartPolicy: Always
\ No newline at end of file
diff --git a/resources/busybox.yml b/resources/busybox.yml
new file mode 100644
index 0000000..4442eca
--- /dev/null
+++ b/resources/busybox.yml
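Review bot: The attacker pod in resources/alpine.yml sets no `automountServiceAccountToken`, so it receives the `attacker` namespace's default service-account token even though the 02-NETPOL.md exercise only needs pod-to-pod network reachability; adding `automountServiceAccountToken: false` under `spec:` keeps a deliberately hostile pod from also carrying an API credential it was never meant to have. The file is named alpine.yml but runs `redis:alpine`, which already ships redis-cli, while busybox.yml holds the plain `alpine:3.6` container that the `apk update && apk add redis` step appears written for, and the instructions apply `alpine.yml` although the file is committed at `resources/alpine.yml`; a header comment such as `# redis:alpine already contains redis-cli; no apk install needed` (or renaming the two files consistently) would remove the ambiguity. The `sleep "3600"` command together with `restartPolicy: Always` also means the container is restarted every hour, which can cut off a `kubectl exec` session mid-exercise, so a much longer sleep value is safer for a workshop.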
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: alpine
+ namespace: attacker
+spec:
+ containers:
+ - image: alpine:3.6
+ command:
+ - sleep
+ - "3600"
+ imagePullPolicy: IfNotPresent
+ name: alpine
+ restartPolicy: Always
\ No newline at end of file
diff --git a/resources/netpol.yml b/resources/netpol.yml
new file mode 100644
index 0000000..7cb309c
--- /dev/null
+++ b/resources/netpol.yml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: block-redis-ingress
+ namespace: default
+spec:
+ podSelector:
+ matchLabels:
+ app: redis
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ egress:
\ No newline at end of file
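Review bot: Nothing in the committed markdown references resources/busybox.yml, and its content (an `alpine:3.6` container named `alpine` in the `attacker` namespace) matches what 02-NETPOL.md calls the "Alpine server" on which redis is installed with `apk`, so the file name and the instructions' `alpine.yml` reference appear to be swapped; either rename this file or point the exercise at it. A short header comment such as `# Attacker shell pod; redis-cli is installed at runtime with apk (see 02-NETPOL.md)` would record its role. The `apk add` step needs the container to run as root, so the absence of any `securityContext` here looks intentional; stating that in the same comment prevents a later reviewer from "hardening" the pod and silently breaking the exercise.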
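Review bot: The policy is named `block-redis-ingress`, but `policyTypes` also lists `Egress` with an empty `egress:` section, so applying it cuts all outbound traffic from the `app: redis` pods (including DNS) rather than only blocking the attacker's inbound connection. If inbound is the goal, drop `- Egress` and the `egress:` key and write the remaining rule as an explicit empty list, `ingress: []`, so the deny-all intent is visible instead of resting on a null value. NetworkPolicy objects are only enforced by a policy-capable CNI; on a minikube started without such a plugin the object is accepted by the API but has no effect, so the "Fix it" step should end by repeating the redis connection from the attacker pod to confirm it now fails. The `app: redis` selector appears to rely on the default label that `kubectl create deployment redis` applies; a comment such as `# matches the default app=redis label set by kubectl create deployment` would make that dependency explicit.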