Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CKS - Problems
PROBLEM 1
===============================================================
https://www.katacoda.com/courses/ubuntu/playground
curl -sfL https://get.k3s.io | sh -
kubectl run demo1 --image=nginx
kubectl create ns dev
kubectl run demo2 --image=nginx -n dev
kubectl get pods -owide
kubectl exec demo2 -n dev -- curl 10.42.0.6
NP:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
spec:
podSelector: {}
policyTypes:
- Egress
kubectl exec demo2 -n dev -- curl 10.42.0.6
===============================================================
PROBLEM 2
===============================================================
$ kubectl run demo1 --image=nginx
pod/demo1 created
$ kubectl create ns red
namespace/red created
$ kubectl run demo2 --image=nginx -n red
pod/demo2 created
policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: red
spec:
podSelector:
matchLabels:
run: demo2
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
ns: default
- podSelector:
matchLabels:
demo: test
kubectl exec -it demo1 -- curl 10.42.0.9 (ip of demo2 in red namespace)
kubectl label ns default ns=default
namespace/default labeled
kubectl exec -it demo1 -- curl 10.42.0.9 (ip of demo2 in red namespace)
kubectl run demo3 --image=nginx -n red
kubectl exec -it demo3 -n red -- curl 10.42.0.9
kubectl label pod demo3 demo=test -n red
kubectl exec -it demo3 -n red -- curl 10.42.0.9
===============================================================
PROBLEM 3
===============================================================
pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: deny
annotations:
container.apparmor.security.beta.kubernetes.io/deny: localhost/deny_write
spec:
containers:
- name: deny
image: busybox
command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
Apparmor profile
#include <tunables/global>
profile deny_write flags=(attach_disconnected) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
commands:
clear
cat /sys/module/apparmor/parameters/enabled
aa-status | grep deny
apparmor_parser -q aa
aa-status | grep deny
kubectl create -f pod.yaml
kubectl get pods
kubectl exec deny -- touch /tmp/saiyam
kubectl exec deny -- cat /proc/1/attr/current
===============================================================
PROBLEM 4
===============================================================
curl -sfL https://get.k3s.io | sh -
kubectl create ns demo
kubectl create sa sam -n demo
kubectl create clusterrole cr --verb=get,list,watch,delete --resource=secrets,pods,deployments
kubectl create rolebinding super --serviceaccount=demo:sam -n demo --clusterrole=cr
kubectl run demo --image=nginx --serviceaccount=sam -n demo
kubectl edit clusterrole cr
kubectl create role rr --verb=create --resource=deployments -n demo
kubectl create rolebinding limited --serviceaccount=demo:sam --role=rr -n demo
TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount sam -n demo| grep -i Tokens | awk '{print $2}')" -n demo | grep token: | awk '{print $2}')
kubectl config set-credentials test-user --token=$TOKEN
kubectl config set-context demo --cluster=default --user=test-user
kubectl config use-context demo
===============================================================
PROBLEM 5
===============================================================
curl -sfL https://get.k3s.io | sh -
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh |sh -s -- -b /usr/local/bin
kubectl run p1 --image=nginx
kubectl run p2 --image=httpd
kubectl run p3 --image=alpine -- sleep 1000
kubectl get pods -o=jsonpath='{range.items[*]}{"\n"}{.metadata.name}{":\t"}{range.spec.containers[*]}{.image}{", "}{end}{end}' | sort
trivy image --severity HIGH,CRITICAL nginx
trivy image --severity HIGH,CRITICAL httpd
trivy image --severity HIGH,CRITICAL alpine
echo p1 $'\n'p2 > /opt/badimages.txt
===============================================================
PROBLEM 6
===============================================================
spec:
containers:
- --audit-policy-file=/etc/kubernetes/audit/policy.yaml
- --audit-log-path=/etc/kubernetes/audit/logs/audit.log
- --audit-log-maxsize=3
- --audit-log-maxbackup=2
volumes:
- name: audit-log
hostPath:
path: /etc/kubernetes/audit/logs/audit.log
type: FileOrCreate
- name: audit
hostPath:
path: /etc/kubernetes/audit/policy.yaml
type: File
volumeMounts:
- mountPath: /etc/kubernetes/audit/policy.yaml
name: audit
readOnly: true
- mountPath: /etc/kubernetes/audit/logs/audit.log
name: audit-log
readOnly: false
Copy Policy from the documentation - https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
---------
- level: RequestResponse
resources:
- group: ""
resources: ["deployments"]
===============================================================
PROBLEM 7
===============================================================
kubectl drain controlplane --ignore-daemonsets
apt-get install kubeadm=1.19.0-00
kubeadm version
kubeadm upgrade apply v1.19.0
apt-get install kubelet=1.19.0-00 kubectl=1.19.0-00
sudo systemctl daemon-reload
sudo systemctl restart kubelet
kubectl uncordon controlplane
kubectl drain node01 --ignore-daemonsets
apt-get update && apt-get install -y kubeadm=1.19.0-00
kubeadm upgrade node
apt-get install -y kubelet=1.19.0-00 kubectl=1.19.0-00
sudo systemctl daemon-reload
sudo systemctl restart kubelet
kubectl uncordon node01
===============================================================
PROBLEM 8
===============================================================
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest master
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest node
===============================================================
PROBLEM 9
===============================================================
vi /etc/containerd/config.toml
[plugins.cri.containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
#RuntimeClass
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: demo
handler: runc
#Pod
apiVersion: v1
kind: Pod
metadata:
name: test
spec:
runtimeClassName: demo
containers:
- name: test
image: nginx
===============================================================
PROBLEM 10
===============================================================
https://falco.org/docs/rules/supported-fields/
helm repo add falcosecurity
helm repo update
helm install falco falcosecurity/falco
kubectl get pods
kubectl get cm
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y
apt-get -y install linux-headers-$(uname -r)
apt-get install -y falco
docker run --name ubuntu_bash --rm -i -t ubuntu bash
cat /var/log/syslog | grep falco | grep ubuntu
output: "[%evt.time][%container.id] [%container.name]"
docker run --name ubuntu_bash --rm -i -t ubuntu bash
echo "[04:07:39.036002997][46c66499e2ec] [ubuntu_bash]" >> /tmp/falcologs
===============================================================
PROBLEM 11
===============================================================
kubectl create secret generic database --from-literal=username=sammy --from-literal=password=demo123
apiVersion: v1
kind: Pod
metadata:
name: demo
spec:
containers:
- name: mypod
image: redis
volumeMounts:
- name: sec-vol
mountPath: "/etc/sec"
readOnly: true
volumes:
- name: sec-vol
secret:
secretName: database
kubectl exec demo -- ls /etc/sec/
kubectl exec demo -- cat /etc/sec/username
kubectl exec demo -- cat /etc/sec/password
kubectl get secret database -oyaml
echo "ZGVtbzEyMw==" | base64 -d
echo demo123 >> /tmp/sec
echo "c2FtbXk=" | base64 -d
echo sammy >> /tmp/sec
cat /tmp/sec
kubectl exec demo -- cat /etc/sec/username >> /tmp/sec
kubectl exec demo -- cat /etc/sec/password >> /tmp/sec
echo "$(kubectl exec -it demo -- cat /run/secrets/kubernetes.io/serviceaccount/token)" > /tmp/token
===============================================================
PROBLEM 12
===============================================================
kubectl create ns test
kubectl create sa sam -n test
kubectl create role psp --verb=use --resource=podsecuritypolicy --resource-name=demo -n test
kubectl create -n test rolebinding psp-binding --role=psp --serviceaccount=test:sam
===============================================================
PROBLEM 13
===============================================================
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: nginx
image: nginx
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: run
mountPath: /var/run.
- name: log
mountPath: /var/log/nginx
- name: cache
mountPath: /var/cache/nginx
volumes:
- name: run
emptyDir: {}
- name: log
emptyDir: {}
- name: cache
emptyDir: {}
kubectl exec security-context-demo -- touch /etc/test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment