initial commit
commit
a72c45da16
@ -0,0 +1,26 @@
# Kube Auth

## Requirements

- Have `kubectl` working against minikube

## Theory

- https://kubernetes.io/docs/admin/authentication/
- https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/

## Practice

- Figure out how kubernetes authentication works

Try by running the following commands:

`kubectl config view`
`kubectl cluster-info`
`kubectl proxy`
`minikube dashboard --url`
`kube auth can-i [verb] [resource]`

Try figuring out what command line flags the minikube
server was started with and use that to figure out what
authentication methods does it support.
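Review bot: `kube auth can-i [verb] [resource]` is not a valid command; the binary is `kubectl`, so the line should read `kubectl auth can-i [verb] [resource]`. Two smaller points in the same hunk: `kubectl proxy` blocks the terminal it is started in, so the README should tell readers to run it in a second shell (or background it) before moving on to the next commands; and the closing sentence should read "figure out what authentication methods it supports".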
@ -0,0 +1,30 @@
# Network Policies

## Requirements

- Have `kubectl` working against minikube

# Setup

1. Bring up a new redis server in the `default` namespace
`kubectl create deployment --image=redis:alpine redis`
2. Create a new namespace:
`kubectl create namespace attacker`
3. Bring up a new Alpine server
`kubectl create -f alpine.yml`
4. SSH to the attacker pod
`kubectl exec -it attacker-pod -n attacker`

# Break it

## Get the IP Address of the Redis Pod

`kubectl describe pod [pod-name]`

## Install redis on the alpine server

`apk update && apk add redis`

## Try accessing redis server

# Fix it
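Review bot: step 4's `kubectl exec -it attacker-pod -n attacker` gives `kubectl exec` no command to run, so kubectl rejects it; append `-- sh` (the step heading also says SSH while the step is an exec). Steps 3 and 4 also disagree on the pod: step 3 creates whatever `alpine.yml` holds, and this commit ships two pod manifests named `alpine` and `attacker-pod`, while step 4 execs into `attacker-pod`; pick one manifest and use its name in both steps. `# Fix it` is an empty heading; it should at least point at the `block-redis-ingress` NetworkPolicy added in this commit and say what it selects, since the Redis pods created by `kubectl create deployment` carry the `app=redis` label that the policy's `podSelector` depends on.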
@ -0,0 +1,10 @@
# CIS Benchmark

1. Get the PDF from https://goo.gl/437pqY
2. Understand how it works

# Run it

1. Read through https://github.com/aquasecurity/kube-bench
2. `minikube ssh`
3. `docker run --rm -v `pwd`:/host aquasec/kube-bench:latest`
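Review bot: step 3 nests backticks (`` `pwd` ``) inside an inline code span, which ends the Markdown span early and renders the command wrongly; write it as `$(pwd)` or put the command in a fenced block. The step also stops at the `docker run`, with no statement of what the container leaves in the mounted directory or what to run afterwards, so a reader who follows the list ends with no benchmark output; add that follow-up step. Step 1's goo.gl link hides its destination; link the CIS Kubernetes Benchmark page directly so the PDF's source can be verified.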
@ -0,0 +1,5 @@
# kubernetes-security

Workshop material for the talk.

**Open https://k8s.bb8.fun for the slides.**
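Review bot: "Workshop material for the talk." does not say which talk, event or date, and the README links only the slides; add the talk title and an index linking the exercise READMEs added in this commit (Kube Auth, Network Policies, CIS Benchmark) so the repository is navigable without the slides.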
@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: attacker-pod
namespace: attacker
spec:
containers:
- image: redis:alpine
command:
- sleep
- "3600"
imagePullPolicy: IfNotPresent
name: attacker-pod
restartPolicy: Always
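Review bot: the pod is called `attacker-pod` but runs the `redis:alpine` image, which already ships `redis-cli`, so the Network Policies README's `apk update && apk add redis` step is unnecessary for this pod; either document that this manifest skips that step or use the `alpine` image like the sibling manifest. The manifest also assumes the `attacker` namespace already exists (the README creates it in step 2), so `kubectl create -f` fails if the steps are run out of order; a comment, or a `Namespace` object in the same file, would make it self-contained.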
@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: alpine
namespace: attacker
spec:
containers:
- image: alpine:3.6
command:
- sleep
- "3600"
imagePullPolicy: IfNotPresent
name: alpine
restartPolicy: Always
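Review bot: apart from `name` and `image`, this manifest is identical to the `attacker-pod` one in the previous hunk, and the Network Policies README refers to a single `alpine.yml`; keep one manifest (this `alpine:3.6` one is the one that matches the README's `apk add redis` step) and drop the other, or document when each is used. `sleep 3600` with `restartPolicy: Always` also means the container exits and is restarted every hour, which kills any `kubectl exec` session open at that moment; worth a comment for workshop attendees.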
@ -0,0 +1,14 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: block-redis-ingress
namespace: default
spec:
podSelector:
matchLabels:
app: redis
policyTypes:
- Ingress
- Egress
ingress:
egress:
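Review bot: `policyTypes` lists `Egress` alongside `Ingress` while `egress:` carries no rules, so this policy blocks all outbound traffic from the `app=redis` pods (DNS included), not just inbound, which is more than the name `block-redis-ingress` promises; remove `- Egress` and the `egress:` key unless egress isolation is intended. The empty `ingress:` value is what makes this a deny-all for ingress, which is the intent, but a one-line comment in the manifest would stop attendees from reading it as a no-op. Also worth stating in the README: NetworkPolicy objects are enforced only by a network plugin that implements them; on a minikube cluster without such a plugin this object is accepted and has no effect, so the "Fix it" step can appear not to work.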