Introduction
Welcome to our Kubernetes Security Workshop! This guide is designed to help you understand and practice security aspects in Kubernetes clusters effectively.
The main topics of this workshop are:
- Admission Controllers
- Security for the API Server, microservices and supply chains
- System hardening
- Network policies
- Compliance and OPA (open policy agent)
Setup Tips
0. AKS
Run $ kubectl get nodes to test the connection.
1. Kubectl
Kubectl is the Kubernetes command-line tool that allows us to interact directly with the Kubernetes API.
For help about kubectl commands navigate to the Kubectl Reference Docs Page.
To install kubectl follow the instructions on the Official Kubernetes Docs Page.
2. Alias
Furthermore, you should make use of aliases to speed up typing kubectl commands.
For now, add the following alias in your terminal:
alias k=kubectl
You may add more aliases that you find useful along the way.
3. Autocompletion
It is recommended to install autocompletion for kubectl commands. It will facilitate the navigation in Kubernetes clusters.
To install autocompletion for kubectl follow the instructions on the Kubernetes Docs.
If you want to use bash
echo 'source /etc/bash_completion' >> ~/.bashrc
echo 'source <(kubectl completion bash)' >> ~/.bashrc
echo 'alias k=kubectl' >> ~/.bashrc
echo 'alias kx=kubectx' >> ~/.bashrc
echo 'complete -o default -F __start_kubectl k' >> ~/.bashrc
Tip
You need to start a new bash session to activate the new settings in your .bashrc.
You can do this by just starting bash again or by clicking on the + icon at the terminal view in VS-Code.
Or run source ~/.bashrc in the current terminal
or zsh with a more expressive prompt, using tools such as spaceship-prompt and fzf, installed as follows:
sudo apt install -y zsh
sudo chsh -s $(which zsh)
mkdir -p "$HOME/.zsh"
git clone --depth=1 --branch v4.22.1 https://github.com/spaceship-prompt/spaceship-prompt.git "$HOME/.zsh/spaceship"
echo 'source "$HOME/.zsh/spaceship/spaceship.zsh"' >> "$HOME/.zshrc"
echo 'source <(kubectl completion zsh)' >> "$HOME/.zshrc"
echo 'alias k=kubectl' >> "$HOME/.zshrc"
echo 'alias kx=kubectx' >> "$HOME/.zshrc"
echo 'alias kn=kubens' >> "$HOME/.zshrc"
echo 'source <(fzf --zsh)' >> "$HOME/.zshrc"
git clone --depth=1 --branch v0.70.0 https://github.com/junegunn/fzf.git "$HOME/.fzf"
$HOME/.fzf/install
cat << EOF > "$HOME/.spaceshiprc.zsh"
SPACESHIP_PROMPT_ORDER=(
dir
git
kubectl
exec_time
line_sep
jobs
exit_code
char
)
SPACESHIP_USER_SHOW=needed
SPACESHIP_HOST_SHOW=needed
# Show kubectl context and namespace
SPACESHIP_KUBECTL_SHOW=true
SPACESHIP_KUBECTL_CONTEXT_SHOW=true
SPACESHIP_KUBECTL_CONTEXT_COLOR_GROUPS=(
# red if the namespace ends with "system"
red '\(*-system\)$'
# else, green if "kind" is anywhere in the context or namespace
green kind
# else, yellow if the entire content is "test-" followed by digits, and no namespace is displayed
yellow '^test-[0-9]+$'
)
EOF
4. Text Editor
vi, vim, emacs, notepad, …
Info
You can skip this section if you are using our VS-Code environment.
You probably have already got the text editor of your choice installed and ready to go. But how often have you really used it? Are you comfortable navigating and editing your files?
As we will be writing several deployment files as well as applying changes to Kubernetes objects with the text editor, you should take some time to refresh the most common commands.
If you haven’t been using the editor frequently, it might be handy to keep a cheatsheet open on the side while working on the lab!
5. Add-ons
When starting to work with Kubernetes, it may be a good time to familiarize yourself with helpful tools. That way you can adapt tool-specific syntax from the start.
Mandatory:
k9s: A terminal-based UI with many features for navigating Kubernetes clusters and displaying resources in a readable way.
curl -sL https://github.com/derailed/k9s/releases/download/v0.50.18/k9s_Linux_amd64.tar.gz | tar -zxvf - k9s
sudo mv k9s /usr/local/bin
jq: A tool for parsing JSON data, like sed for text files
sudo apt install jq
kind: Running a Kubernetes cluster in Docker
curl -sLo ./kind https://kind.sigs.k8s.io/dl/v0.31.0/kind-linux-amd64
chmod +x kind
sudo mv kind /usr/local/bin
dive: Tool for visualising container layers
curl -LO https://github.com/wagoodman/dive/releases/download/v0.13.1/dive_0.13.1_linux_amd64.tar.gz
tar xvzf dive_0.13.1_linux_amd64.tar.gz
sudo mv dive /usr/local/bin/dive
rm -f LICENSE README.md # files extracted from the tarball alongside the binary
Optional:
If you want to try out the demos presented by the trainer for yourself:
sops: Encryption provider
curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
sudo mv sops-v3.11.0.linux.amd64 /usr/local/bin/sops
sudo chmod +x /usr/local/bin/sops
flux: GitOps provider
curl -LO https://github.com/fluxcd/flux2/releases/download/v2.7.5/flux_2.7.5_linux_amd64.tar.gz
tar xvzf flux_2.7.5_linux_amd64.tar.gz
sudo mv flux /usr/local/bin/flux
sudo chmod +x /usr/local/bin/flux
age: Key tool
curl -LO https://github.com/FiloSottile/age/releases/download/v1.3.1/age-v1.3.1-linux-amd64.tar.gz
tar xvzf age-v1.3.1-linux-amd64.tar.gz
sudo mv age/age /usr/local/bin/age
sudo chmod +x /usr/local/bin/age
sudo mv age/age-keygen /usr/local/bin/age-keygen
sudo chmod +x /usr/local/bin/age-keygen
rm -rf age # folder
kn: A small command line tool for changing namespaces and contexts in your kubeconfig.
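The install commands above move release binaries from GitHub straight into /usr/local/bin without checking them. As an added example that is not part of the workshop material, here is a small POSIX sh helper that verifies a downloaded artifact against the SHA256 digest published with the release before installing it; the function names and the placeholder digest are assumptions, and the demo uses a constructed file with a locally computed digest so it runs offline.

```shell
#!/usr/bin/env sh
# install_verified: check a downloaded release artifact against an expected
# SHA256 before it is placed on the PATH. The expected digest comes from the
# project's release page or checksum file, never from the same download.
#
# usage: install_verified <downloaded-file> <expected-sha256> <install-dir> [name]
# Real use after the k9s download above (digest is a placeholder to fill in):
#   install_verified ./k9s <SHA256-FROM-RELEASE-PAGE> /usr/local/bin k9s
install_verified() {
  file="$1"; expected="$2"; dest_dir="$3"; name="${4:-$(basename "$file")}"

  if [ ! -f "$file" ]; then
    echo "install_verified: $file not found" >&2
    return 2
  fi

  # Normalise the expected digest to lowercase so copy/paste case does not matter.
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$file" | cut -d' ' -f1)

  if [ "$actual" != "$expected" ]; then
    echo "install_verified: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"   # do not leave an unverified binary around to be installed later
    return 1
  fi

  mkdir -p "$dest_dir"
  cp "$file" "$dest_dir/$name"
  chmod 0755 "$dest_dir/$name"
  echo "installed $name into $dest_dir (sha256 verified)"
}

# Demo with a constructed artifact (no network needed): write a tiny script,
# compute its digest locally, then install it into a temporary bin directory.
# For a real release you paste the digest the project publishes instead.
demo_install() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho demo-tool\n' > "$tmp/demo-tool"
  good=$(sha256sum "$tmp/demo-tool" | cut -d' ' -f1)
  install_verified "$tmp/demo-tool" "$good" "$tmp/bin" demo-tool
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```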
Info
If at some point we need to update the exercises, run these commands. The trainer will let you know.
git config --global --add safe.directory /home/training/exercise
sudo git -C /home/training/exercise pull origin main
sudo mkdocs build -c -f /home/training/exercise/mkdocs.yml -d /var/www/html/mkdocs
