zscaler-bd-sa / zpc-kustomize-iac-scanning

Vulnerable Kustomize Kubernetes templates.

Home Page: https://www.zscaler.com


KustomizeZPC - Vulnerable by design Kustomize deployment

Maintained by the Zscaler-BD-SA Team

Kustomize

Demonstrating secure and insecure Kubernetes IaC manifests using Kustomize (kustomize.io, `kubectl -k`) overlays.

What's in the repo

The manifests in this repository demonstrate how to take a basic NGINX Kubernetes deployment with many security issues and use Zscaler Posture Control (ZPC) to produce a fully compliant manifest that achieves the same NGINX deployment.

⚠️ DO NOT deploy these template examples in a production environment or alongside any sensitive resources.

⚠️ All passwords in this repo are examples only and must not be used in production.

Using Kustomize overlays (one per environment), both forms of the configuration live side by side; each overlay is rendered with `kustomize build` (or `kubectl kustomize`) against the same base:

  • kustomize/base - The starting manifests, which are insecure.

  • kustomize/overlays/test - A few security fixes applied, but still a lot of non-compliance.

  • kustomize/overlays/dev - An example of an empty overlay; it produces the same result as base when rendered with `kustomize build`.

  • kustomize/overlays/prod - Fully compliant additions to base; this overlay renders a clean bill of health when scanned.
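To make the base/overlay split concrete, here is an illustrative pair of manifests in the same shape as the repo's layout. This is an added example, not the repository's own files: the insecure base settings (privileged container, root user, `hostNetwork`, floating `latest` tag, no resource limits) and the hardened `prod` strategic merge patch are assumptions chosen to show the kind of findings an IaC scanner such as ZPC raises and how an overlay removes them without touching the base. The `nginxinc/nginx-unprivileged` image and its port 8080 / user 101 defaults are also assumptions about that image, not something the page states.

```yaml
# kustomize/base/kustomization.yaml  (illustrative, not the repo's own file)
resources:
  - deployment.yaml
---
# kustomize/base/deployment.yaml  (insecure by design: what a scanner should flag)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      hostNetwork: true                 # shares the node's network namespace
      containers:
        - name: nginx
          image: nginx:latest           # floating tag, not reproducible
          securityContext:
            privileged: true            # full host access from the container
            runAsUser: 0                # runs as root
          # no resources, no probes, writable root filesystem
---
# kustomize/overlays/prod/kustomization.yaml  (illustrative)
resources:
  - ../../base
patches:
  - path: hardening.yaml
---
# kustomize/overlays/prod/hardening.yaml  (strategic merge patch; matched to the
# base Deployment by apiVersion/kind/metadata.name, containers merged by name)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    spec:
      hostNetwork: false
      automountServiceAccountToken: false
      containers:
        - name: nginx
          # assumed: unprivileged NGINX image that listens on 8080 as uid 101
          image: nginxinc/nginx-unprivileged:1.25
          ports:
            - containerPort: 8080
          securityContext:
            privileged: false
            runAsNonRoot: true
            runAsUser: 101
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 128Mi
          livenessProbe:
            httpGet:
              path: /
              port: 8080
          volumeMounts:
            - name: tmp
              mountPath: /tmp           # NGINX needs a writable cache/pid dir
      volumes:
        - name: tmp
          emptyDir: {}
```

Render either environment with `kustomize build kustomize/overlays/prod` (or `kubectl kustomize ...`) and scan the rendered output rather than the source tree: the scanner must see the merged result, because the base alone will always fail and the overlay file alone is an incomplete object. Two practical caveats when writing the hardened patch: list fields such as `containers` and `volumes` are merged by their `name` key, so the patch must reuse the base container name exactly, and `readOnlyRootFilesystem: true` only works once every path the process writes to is backed by a volume, which is why the patch mounts an `emptyDir` at `/tmp`.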

Contributing

Contribution is welcomed!

We would love to hear more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Zscaler-BD-SA Team builds and maintains this repository to encourage the adoption of policy-as-code.

If you need direct support you can contact us at zscaler-partner-labs@z-bd.com.

Zscaler IaC Scanning Projects



Languages: HTML 76.1%, Dockerfile 23.9%