
cloudogu / k8s-security-demos

Licence: MIT license
Demos for several Kubernetes security features

Programming Languages: shell (77523 projects), HCL (1544 projects)

Projects that are alternatives of or similar to k8s-security-demos

gke-anthos-holistic-demo
This repository guides you through deploying a private GKE cluster and provides a base platform for hands-on exploration of several GKE related topics which leverage or integrate with that infrastructure. After completing the exercises in all topic areas, you will have a deeper understanding of several core components of GKE and GCP as configure…
Stars: ✭ 55 (-8.33%)
Mutual labels:  gke, rbac
gke-rbac-demo
This project covers two use cases for RBAC within a Kubernetes Engine cluster. First, assigning different permissions to user personas. Second, granting limited API access to an application running within your cluster. Since RBAC's flexibility can occasionally result in complex rules, you will also perform common steps for troubleshooting RBAC a…
Stars: ✭ 138 (+130%)
Mutual labels:  gke, rbac
rbac-tool
Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query
Stars: ✭ 546 (+810%)
Mutual labels:  rbac, podsecuritypolicies
laravel-php-k8s
Just a simple port of renoki-co/php-k8s for easier access in Laravel
Stars: ✭ 71 (+18.33%)
Mutual labels:  gke, google-kubernetes-engine
k8s-digester
Add digests to container and init container images in Kubernetes pod and pod template specs. Use either as a mutating admission webhook, or as a client-side KRM function with kpt or kustomize.
Stars: ✭ 65 (+8.33%)
Mutual labels:  gke, google-kubernetes-engine
gke-rbac-walkthrough
A walk through of RBAC on a Google GKE Kubernetes 1.6 cluster.
Stars: ✭ 64 (+6.67%)
Mutual labels:  gke, rbac
PSP-Inventory
Inventorise your environment through PowerShell
Stars: ✭ 28 (-53.33%)
Mutual labels:  psp
terraform-google-kubernetes-cluster
GKE Kubernetes cluster with node pool submodule
Stars: ✭ 13 (-78.33%)
Mutual labels:  gke
migrate-for-anthos-gke
Migrate to Containers samples and best practices
Stars: ✭ 33 (-45%)
Mutual labels:  gke
pandora
RBAC-based automated deployment platform
Stars: ✭ 43 (-28.33%)
Mutual labels: rbac
gke-datadog-demo
This project demonstrates how a third party solution, like Datadog, can be used to monitor a Kubernetes Engine cluster and its workloads. Using the provided manifest, you will install Datadog and a simple nginx workload into your cluster. The Datadog agents will be configured to monitor the nginx workload, and ship metrics to your own Datadog ac…
Stars: ✭ 21 (-65%)
Mutual labels:  gke
express-objection-starter
an opinionated, production-ready, isomorphic express/knex/objection starter with centralized configuration
Stars: ✭ 19 (-68.33%)
Mutual labels:  rbac
build-a-platform-with-krm
Build a platform with the Kubernetes resource model!
Stars: ✭ 55 (-8.33%)
Mutual labels:  gke
spelunky-psp
Spelunky remake for Sony PSP.
Stars: ✭ 94 (+56.67%)
Mutual labels:  psp
iam
🆔🛂🉑 Identity and Access Management System
Stars: ✭ 20 (-66.67%)
Mutual labels:  rbac
tp5-rbac
An RBAC library for tp5; use composer to install and update your project's RBAC requirements. Also supports JWT-based verification. Includes data migrations for the tables RBAC needs, so development can start quickly.
Stars: ✭ 69 (+15%)
Mutual labels: rbac
osrm-backend-k8s
Open Source Routing Machine (OSRM) osrm-backend for Kubernetes on Google Container Engine (GKE).
Stars: ✭ 34 (-43.33%)
Mutual labels:  gke
kubernetes-100days
Notes from 100 days with Kubernetes
Stars: ✭ 32 (-46.67%)
Mutual labels:  google-kubernetes-engine
Gatekeeper
Lightweight library in C# for implementing roles-based access control (RBAC). With Gatekeeper, you can define users, roles, resources, and permissions, and authorize requests.
Stars: ✭ 25 (-58.33%)
Mutual labels:  rbac
UMS
User management scaffolding, integration: User password login, mobile login, one-click login, OAuth2 login(Based on JustAuth), jwt, validate code(image, sms, sliderCode), RBAC, Support multi-tenancy, SLF4J-MDC, sign etc...
Stars: ✭ 24 (-60%)
Mutual labels:  rbac

Kubernetes Security Demos

Demos for several Kubernetes security features

Overview

Initially, these demos were developed during the preparation for some talks on Kubernetes appOps Security and our K8s application security training.

See also our series of blog posts on the topic.

Tested to run on Google Kubernetes Engine (GKE) with a local Linux machine.
Should also work on Mac.
Should run on all clusters that support NetworkPolicies and PodSecurityPolicies.

  1. Role-Based Access Control (RBAC) - RBAC has now been the default for years, so a showcase for the downsides of ABAC seems obsolete. If you're interested, check the git history.
  2. Network Policies
  3. Security Context
  4. Pod Security Policies

Running the demos

Each demo is contained in its own subfolder, each containing

  • apply.sh that deploys the applications required for the demos and
  • README.md that contains the steps of the demo

Note that the scripts also create entries in your /etc/hosts.

All demos run inside the same cluster. Before running, make sure your kubeconfig points to a non-production cluster. If you want, you can set one up in your GKE account using the script inside this repo. See Setting up the clusters.

Credentials

If not otherwise stated, the login credentials for the webapps are

  • User: admin
  • Password: 12345

It's a demo after all! 😉

Demo recordings

Security Context

asciicast

Recorded live at heiseDevSec 2020.

Blog Posts

The examples evolved further while working on an article series called "Kubernetes AppOps Security" published in the German magazine JavaSPEKTRUM. Both the English translation and the German original can be found on the Cloudogu Blog.

Setting up the clusters

These demos should run on most Kubernetes clusters that support NetworkPolicies and PodSecurityPolicies.

This repo also includes a way to set up a defined environment on Google Kubernetes Engine. You can set it up using createCluster.sh.
It uses Terraform to roll out the clusters. If you prefer a bash-only variant, check the git history.

In order to use the script:

  • set your GKE ZONE and PROJECT in config.sh
    (alternatively, you can set these properties via env vars).
    Note that you can also set CLUSTER_VERSION (like 1.11) and MACHINE_TYPE (like n1-standard-2). From time to time GKE drops support for older cluster versions, so you might need to set a newer one if the one in config.sh is no longer supported at the time of execution.
  • set up a service account on GKE that allows terraform to do the setup:

      source config.sh
      SA=terraform-cluster

      # Create SA
      gcloud iam service-accounts create ${SA} --display-name ${SA} --project ${PROJECT}

      # Authorize (maybe roles/container.admin is enough?)
      gcloud projects add-iam-policy-binding ${PROJECT} \
        --member serviceAccount:${SA}@${PROJECT}.iam.gserviceaccount.com --role=roles/editor

      # Export credentials
      gcloud iam service-accounts keys create \
        --iam-account ${SA}@${PROJECT}.iam.gserviceaccount.com terraform/account.json

  • have terraform installed (should work with 0.12 and 0.13)
  • call ./createCluster.sh
  • Terraform will ask for confirmation before executing.
    If you don't want that, call ./createCluster.sh -auto-approve
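A pre-flight check for the configuration values this procedure relies on, added here as an example; it is not part of the k8s-security-demos repository. It assumes config.sh exports PROJECT, ZONE and CLUSTER_VERSION as described above, and it uses a constructed version list in place of the list that `gcloud container get-server-config` prints for a zone. The function names (require_var, version_supported, check_config) and the sample values are the example's own.

```shell
#!/bin/sh
# Added example, not part of the k8s-security-demos repo: pre-flight checks to run
# before ./createCluster.sh. Assumptions: config.sh exports PROJECT, ZONE and
# CLUSTER_VERSION; SAMPLE_VERSIONS below is a constructed stand-in for the
# supported master versions that `gcloud container get-server-config` reports.

# Succeed only if the named variable is set and non-empty.
# Usage: require_var PROJECT
require_var() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "error: $1 is not set; set it in config.sh or export it" >&2
    return 1
  fi
  return 0
}

# Succeed if the requested CLUSTER_VERSION matches a supported version.
# $1: requested version, e.g. "1.28" or "1.28.1-gke.200"
# $2: newline-separated list of supported versions
# A prefix match is accepted only at a component boundary ("." or "-"), so a
# request for "1.2" does not match "1.28.1-gke.200".
version_supported() {
  _req_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s\n' "$2" | grep -qE "^${_req_re}([.-]|\$)"
}

# Constructed sample of supported versions (not real GKE output).
SAMPLE_VERSIONS="1.27.3-gke.100
1.28.1-gke.200
1.28.2-gke.50"

# Run all checks; non-zero return means createCluster.sh should not be started.
check_config() {
  require_var PROJECT && require_var ZONE && require_var CLUSTER_VERSION || return 1
  if version_supported "$CLUSTER_VERSION" "$SAMPLE_VERSIONS"; then
    echo "CLUSTER_VERSION=$CLUSTER_VERSION is supported"
    return 0
  fi
  echo "error: CLUSTER_VERSION=$CLUSTER_VERSION is no longer offered; pick a newer one" >&2
  return 1
}

# Stand-alone demo with constructed values; in real use, source config.sh instead.
PROJECT=${PROJECT:-demo-project}
ZONE=${ZONE:-europe-west3-a}
CLUSTER_VERSION=${CLUSTER_VERSION:-1.28}
check_config
```

In real use, replace SAMPLE_VERSIONS with the output of `gcloud container get-server-config` for your ZONE and PROJECT; the matching logic stays the same, and a short version such as 1.28 is accepted whenever a full version in that line exists.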

Deleting clusters

You can delete the cluster and the entries in /etc/hosts once you're done using the ./delete-clusters.sh script.

Costs

For just a quick create, demo, delete action the cost should be < 10$. The total infra cost for initially creating these demos was about 10$.
