Running CTFs and Security Trainings with OWASP Juice Shop is usually quite tricky, Juice Shop just isn't intended to be used by multiple users at a time. Instructing everybody how to start Juice Shop on their own machine works ok, but takes away too much valuable time.
MultiJuicer gives you the ability to run separate Juice Shop instances for every participant on a central kubernetes cluster, to run events without the need for local Juice Shop instances.
What it does:
- dynamically create new Juice Shop instances when needed
- runs on a single domain, comes with a LoadBalancer sending the traffic to the participants Juice Shop instance
- backup and auto apply challenge progress in case of Juice Shop container restarts
- cleanup old & unused instances automatically
Installation
MultiJuicer runs on kubernetes, to install it you'll need helm.
helm repo add multi-juicer https://iteratec.github.io/multi-juicer/
helm install multi-juicer multi-juicer/multi-juicerSee production notes for a checklist of values you'll likely need to configure before using MultiJuicer in proper events.
Installation Guides for specific Cloud Providers / Environments
Generally MultiJuicer runs on pretty much any kubernetes cluster, but to make it easier for anybody who is new to kubernetes we got some guides on how to setup a kubernetes cluster with MultiJuicer installed for some specific Cloud providers.
Customizing the Setup
You got some options on how to setup the stack, with some option to customize the JuiceShop instances to your own liking. You can find the default config values under: helm/multi-juicer/values.yaml
Download & Save the file and tell helm to use your config file over the default by running:
helm install -f values.yaml multi-juicer ./multi-juicer/helm/multi-juicer/Deinstallation
helm delete multi-juicerFAQ
How much compute resources will the cluster require?
To be on the safe side calculate with:
- 1GB memory & 1CPU overhead, for the balancer & co
- 200MB & 0.2CPU * number of participants, for the individual JuiceShop Instances
The numbers above reflect the default resource limits. These can be tweaked, see: Customizing the Setup
How many users can MultiJuicer handle?
There is no real fixed limit. (Even thought you can configure one
Why a custom LoadBalancer?
There are some special requirements which we didn't find to be easily solved with any pre build load balancer:
- Restricting the number of users for a deployment to only the members of a certain team.
- The load balancers cookie must be save and not easy to spoof to access another instance.
- Handling starting of new instances.
If you have awesome ideas on how to overcome these issues without a custom load balancer, please write us, we'd love to hear from you!
Why a separate kubernetes deployment for every team?
There are some pretty good reasons for this:
- The ability delete the instances of a team separately. Scaling down safely, without removing instances of active teams, is really tricky with a scaled deployment. You can only choose the desired scale not which pods to keep and which to throw away.
- To ensure that pods are still properly associated with teams after a pod gets recreated. This is a non problem with separate deployment and really hard with scaled deployments.
- The ability to embed the team name in the deployment name. This seems like a stupid reason but make debugging SOOO much easier, with just using
kubectl.
How to manage JuiceShop easily using kubectl?
You can list all JuiceShops with relevant information using the custom-columns feature of kubectl. You'll need to down load the juiceShop.txt from the repository first:
kubectl get -l app=juice-shop -o custom-columns-file=juiceShop.txt deploymentsDid somebody actually ask any of these questions?
No
Talk with Us!
You can reach us in the #project-juiceshop channel of the OWASP Slack Workspace. We'd love to hear any feedback or usage reports you got. If you are not already in the OWASP Slack Workspace, you can join via this link