Hardening a sketchy containerized application one step at a time


Road to Secure Kubernetes

Hardening a containerized application one step at a time

This repository hosts a tutorial on security hardening a containerized workload in Kubernetes. It's a self-guided, hands-on guide that takes you from the "default" settings we see in Kubernetes to a relatively well-configured workload. The mitigations described are by no means exhaustive, but they show a lot of low-hanging fruit anyone can take advantage of to harden a workload.

Prerequisites

To run through the tutorial you'll need:

  • Docker
  • kind to run a Kubernetes cluster on your laptop with Docker
  • kubectl the Kubernetes CLI to interact with the cluster
  • helm to install Cilium in our cluster

Before you begin, install the kind cluster as follows:

$ cd cluster

# Install kind cluster
$ kind create cluster --config config.yaml

# Install Cilium into kind cluster
$ helm repo add cilium https://helm.cilium.io/
$ helm install cilium cilium/cilium --version 1.9.10 \
   --namespace kube-system \
   --set nodeinit.enabled=true \
   --set kubeProxyReplacement=partial \
   --set hostServices.enabled=false \
   --set externalIPs.enabled=true \
   --set nodePort.enabled=true \
   --set hostPort.enabled=true \
   --set bpf.masquerade=false \
   --set image.pullPolicy=IfNotPresent \
   --set ipam.mode=kubernetes

# Wait for the Cilium operator to become available
$ kubectl wait --for=condition=available deployment.apps/cilium-operator -n kube-system

# Install Nginx Ingress controller
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
$ kubectl wait --for=condition=available deployment.apps/ingress-nginx-controller -n ingress-nginx

Once you can run curl http://localhost and get back a 404 like this one from Nginx, you're ready to start:

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

How-to

The tutorial shows the step-by-step progression of an application configuration. Each configuration or step has a corresponding git tag from 1 to 10. Start at 1 and move from tag to tag. For every change there is a detailed explanation of what's been changed and what the change mitigates.

  • Step 1 is our starting point. If I were to hazard a guess, about 95% of Kubernetes applications are deployed in this state. It's a functioning application with some vulnerabilities, as you'll see.
  • Step 2 uses a non-root user in the container
  • Step 3 leverages read-only filesystems
  • Step 4 adds network policies
  • Step 5 uses a scratch container
  • Step 6 adds resource requests and limits
  • Step 7 drops Linux capabilities
  • Step 8 disables privilege escalation
  • Step 9 adds a seccomp profile
  • Step 10 removes service account credentials

Navigate to each tag to learn more!
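To make the end state of steps 2 through 10 concrete, here is an added example (not code from the tutorial repository) that audits a Pod spec for the mitigations in the list above and checks that a NetworkPolicy actually selects the workload. The two Pod specs, the policy, the image name example/app:1.0 and the label app=example are constructed to mirror the tutorial's step 1 and step 10 states; the field names are the real Kubernetes API fields.

```python
"""Audit a Kubernetes Pod spec against hardening steps 2-10 (added example)."""

# Constructed "step 1" starting point: Kubernetes defaults only.
BASELINE_POD_SPEC = {
    "automountServiceAccountToken": True,
    "containers": [{
        "name": "app",
        "image": "example/app:1.0",  # placeholder image name
        "ports": [{"containerPort": 8080}],
    }],
}

# Constructed "step 10" end state with every mitigation applied. Step 5 (a
# scratch image) is a Dockerfile property and is not visible in the Pod spec.
HARDENED_POD_SPEC = {
    "automountServiceAccountToken": False,          # step 10
    "securityContext": {
        "runAsNonRoot": True,                       # step 2
        "runAsUser": 10001,
        "seccompProfile": {"type": "RuntimeDefault"},  # step 9
    },
    "containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "ports": [{"containerPort": 8080}],
        "resources": {                              # step 6
            "requests": {"cpu": "100m", "memory": "64Mi"},
            "limits": {"cpu": "500m", "memory": "128Mi"},
        },
        "securityContext": {
            "readOnlyRootFilesystem": True,         # step 3
            "allowPrivilegeEscalation": False,      # step 8
            "capabilities": {"drop": ["ALL"]},      # step 7
        },
    }],
}

# Constructed step 4 policy: select the app's pods, allow ingress on 8080 only
# from the ingress-nginx namespace, and deny all egress. An empty egress list
# also blocks DNS, so add a kube-dns rule if the app resolves names.
APP_NETWORK_POLICY = {
    "metadata": {"name": "app-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "example"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": "ingress-nginx"}}}],
            "ports": [{"port": 8080, "protocol": "TCP"}],
        }],
        "egress": [],
    },
}


def _effective(pod_spec, container, key):
    """Container securityContext wins; runAsNonRoot and seccompProfile may
    also be inherited from the pod-level securityContext."""
    ctx = container.get("securityContext", {})
    if key in ctx:
        return ctx[key]
    return pod_spec.get("securityContext", {}).get(key)


def audit_pod_spec(pod_spec):
    """Return (step, message) findings; an empty list means every check passed."""
    findings = []
    if pod_spec.get("automountServiceAccountToken", True):
        findings.append((10, "service account token is auto-mounted"))
    for c in pod_spec.get("containers", []):
        name = c.get("name", "?")
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            findings.append((2, f"{name}: runAsNonRoot is not set"))
        if _effective(pod_spec, c, "readOnlyRootFilesystem") is not True:
            findings.append((3, f"{name}: root filesystem is writable"))
        res = c.get("resources", {})
        if not (res.get("requests") and res.get("limits")):
            findings.append((6, f"{name}: missing resource requests/limits"))
        drop = (_effective(pod_spec, c, "capabilities") or {}).get("drop", [])
        if "ALL" not in drop:
            findings.append((7, f"{name}: capabilities are not dropped"))
        if _effective(pod_spec, c, "allowPrivilegeEscalation") is not False:
            findings.append((8, f"{name}: privilege escalation is allowed"))
        seccomp = _effective(pod_spec, c, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((9, f"{name}: no seccomp profile"))
    return findings


def policy_restricts_pod(policy, pod_labels):
    """True if the NetworkPolicy selects the pod and covers both directions."""
    spec = policy["spec"]
    selector = spec.get("podSelector", {}).get("matchLabels", {})
    selected = all(pod_labels.get(k) == v for k, v in selector.items())
    return selected and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))


if __name__ == "__main__":
    for step, msg in audit_pod_spec(BASELINE_POD_SPEC):
        print(f"step {step}: {msg}")
    print("hardened findings:", audit_pod_spec(HARDENED_POD_SPEC))
```

Running the script lists one finding per missing mitigation for the baseline spec and none for the hardened one; the same checks can be pointed at the JSON output of kubectl get pod -o json to confirm that each tag's change actually landed in the cluster.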

Owner
Nathan Smith
Self-hosting and infrastructure enthusiast. Background in statistical physics and high performance computing