Project author: cyberhades

Project description:
Hardening Kubernetes deployments
Primary language: HTML
Project URL: git://github.com/cyberhades/hardening-k8s-containers.git
Created: 2020-02-08T22:30:57Z
Project community: https://github.com/cyberhades/hardening-k8s-containers

License:



Intentionally Vulnerable Note Taking Application

This repository contains a very simple and vulnerable application used to demonstrate the differences between deploying this application with the default settings to a Kubernetes cluster, versus adding some extra security settings that WILL NOT fix the application’s vulnerabilities, but will restrain an attacker from doing bad things.

To try this yourself, you need access to a Kubernetes cluster. Because this application is highly vulnerable, do not deploy it to a real cluster unless that cluster is properly isolated.

Minikube

If you want to use minikube, you can just run the provided init.sh script, or go step by step:

Start minikube with at least the CNI network plugin enabled

  minikube start --extra-config=apiserver.authorization-mode=RBAC --network-plugin=cni --memory=4096 --vm-driver=virtualbox --kubernetes-version v1.15.0

Install the Cilium CNI plugin

  minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf
  kubectl create -f https://raw.githubusercontent.com/cilium/cilium/1.6.5/install/kubernetes/quick-install.yaml

Point your Docker client at the Docker daemon inside minikube; otherwise you’ll need to push the Docker images to a registry

  eval $(minikube docker-env)

Build your “default” Docker image

  docker build -t notes:v1 .

Build the second Docker image with some hardening configuration settings

  docker build -t notes:v2 -f Dockerfile.v2 .

Deploy to minikube

  kubectl apply -f kube/v1-deploy.yaml -f kube/v1-service.yaml -f kube/v2-deploy.yaml -f kube/v2-service.yaml
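
Once both versions are deployed, it helps to see which restraining settings each Deployment actually carries. The following is an added example, not code from this repository: the two manifests are constructed samples (they are not the contents of kube/v1-deploy.yaml or kube/v2-deploy.yaml), the names notes-v1 and notes-v2 are hypothetical, and the checks are a common baseline chosen for illustration.

```python
import json

# Constructed sample objects, NOT the repository's manifests: a Deployment
# left at the defaults and one with common hardening settings applied.
DEFAULT = {"metadata": {"name": "notes-v1"}, "spec": {"template": {"spec": {
    "containers": [{"name": "notes", "image": "notes:v1"}]}}}}
HARDENED = {"metadata": {"name": "notes-v2"}, "spec": {"template": {"spec": {
    "automountServiceAccountToken": False,
    "containers": [{"name": "notes", "image": "notes:v2",
        "securityContext": {"runAsNonRoot": True,
                            "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}}]}}}}

def audit(deployment):
    """Return a sorted list of hardening gaps for one Deployment object."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    # The token is mounted unless the pod (or its ServiceAccount) opts out.
    if pod.get("automountServiceAccountToken", True):
        findings.append("pod: service account token is auto-mounted")
    for c in pod["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        # runAsNonRoot can be set at pod level; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        # Unset allowPrivilegeEscalation behaves as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: privilege escalation allowed")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: default capabilities not dropped")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return sorted(findings)

if __name__ == "__main__":
    for d in (DEFAULT, HARDENED):
        print(d["metadata"]["name"], json.dumps(audit(d), indent=2))
```

The same function accepts a live object loaded from the output of kubectl get deployment <name> -o json.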

Have fun!