diff --git a/2025-01-28-advanced-cluster-security/README.org b/2025-01-28-advanced-cluster-security/README.org index d5e8855..66b2b56 100644 --- a/2025-01-28-advanced-cluster-security/README.org +++ b/2025-01-28-advanced-cluster-security/README.org @@ -127,10 +127,54 @@ source .env roxctl central login && roxctl central whoami #+end_src + * Demo - Identifying vulnerabilities in a workload -#+NAME: Identifying vulnerabilities in a workload +#+NAME: Deploy a workload with interesting cve's #+begin_src tmux - - +oc apply --filename medical-application --recursive +#+end_src + +#+NAME: Scan a workload image with roxctl +#+begin_src tmux +roxctl image scan --image quay.io/rhacs-demo/netflow:latest +#+end_src + +#+NAME: Check a workload image with roxctl +#+begin_src tmux +roxctl image check --image quay.io/rhacs-demo/netflow:latest +#+end_src + + +* Demo - Runtime enforcement to scale down a vulnerable workload + +#+NAME: Delete payments processor +#+begin_src tmux +oc delete --filename medical-application/payments/everything.yml +#+end_src + +#+NAME: Create payments processor +#+begin_src tmux +oc apply --filename medical-application/payments/everything.yml +#+end_src + +#+NAME: Delete vulnerable log4j deployment +#+begin_src tmux +oc delete --filename spring4shell-app/deployment.yaml +#+end_src + +#+NAME: Create vulnerable log4j deployment +#+begin_src tmux +oc apply --filename spring4shell-app/deployment.yaml +#+end_src + + +* Demo - Roxctl netpol generate + +#+begin_src tmux +roxctl netpol generate medical-application/payments/everything.yml --output-dir payments-policies --remove +#+end_src + +#+begin_src tmux +roxctl netpol connectivity map payments-policies --output-format dot #+end_src diff --git a/2025-01-28-advanced-cluster-security/medical-application/backend/everything.yml b/2025-01-28-advanced-cluster-security/medical-application/backend/everything.yml new file mode 100644 index 0000000..1b841b8 --- /dev/null 
+++ b/2025-01-28-advanced-cluster-security/medical-application/backend/everything.yml 
@@ -0,0 +1,342 @@ + +# Secret named "ssh-keys" +apiVersion: v1 +kind: Secret +metadata: + name: ssh-keys + namespace: backend +data: + id_rsa: 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 + id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg== + +--- +# Deployment named "api-server" +# Listens on :9001 +# Connects to "gateway-service" in "payments" namespace +apiVersion: apps/v1 +kind: Deployment +metadata: + name: api-server + namespace: backend + labels: + app: api-server + demo: roadshow +spec: + replicas: 1 + selector: + matchLabels: + app: api-server + template: + metadata: + labels: + app: api-server + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/entrypoint"] + args: ["-listen", "9001", "-connect", "backend-atlas-service.backend.svc.cluster.local:8080,postgres-service.backend.svc.cluster.local:5432,gateway-service.payments.svc.cluster.local:7777"] + imagePullPolicy: Always + name: api-server + ports: + - containerPort: 9001 + protocol: TCP + +--- +# Service named "api-server-service" +# Listens on :9001 +apiVersion: v1 +kind: Service +metadata: + labels: + app: api-server + name: api-server-service + namespace: backend +spec: + ports: + - port: 9001 + protocol: TCP + targetPort: 9001 + name: http + selector: + app: api-server + type: ClusterIP + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: backend-atlas + namespace: backend + labels: + app: backend-atlas + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: backend-atlas + namespace: backend + labels: + app: backend-atlas +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["*"] + +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: backend-atlas + namespace: backend + labels: + app: backend-atlas +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: backend-atlas +subjects: + - kind: ServiceAccount + name: backend-atlas + namespace: backend + +--- +# Deployment named "backend-atlas" +# Listens on :8080 +# Vulnerable to struts +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend-atlas + namespace: backend + labels: + app: backend-atlas +spec: + replicas: 1 + selector: + matchLabels: + app: backend-atlas + template: + metadata: + labels: + app: backend-atlas + spec: + serviceAccountName: backend-atlas + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/backend-atlas:latest + imagePullPolicy: Always + name: backend-atlas + ports: + - containerPort: 8080 + - image: quay.io/rhacs-demo/backend-atlas:sidecar-latest + command: ["/bin/entrypoint"] + name: log-collector + +--- + +# Service named "backend-atlas-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: backend-atlas + name: backend-atlas-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: backend-atlas + type: ClusterIP + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: postgres + namespace: backend + labels: + app: postgres + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: postgres-cm + namespace: backend + labels: + app: postgres +rules: +- apiGroups: [""] # core + resources: ["configmaps"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: postgres + namespace: backend + labels: + app: postgres +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: postgres-cm +subjects: + - kind: ServiceAccount + name: postgres + namespace: backend + +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRole +metadata: + name: postgres-secrets + namespace: backend + labels: + app: postgres +rules: +- apiGroups: [""] # core + resources: ["secrets"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: postgres-secrets + namespace: backend + labels: + app: postgres +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: postgres-secrets +subjects: + - kind: ServiceAccount + name: postgres + namespace: backend + +--- +# Deployment named "postgres" +# Listens on :5432 +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: postgres + namespace: backend + labels: + app: postgres +spec: + replicas: 1 + selector: + matchLabels: + app: postgres + template: + metadata: + labels: + app: postgres + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + volumes: + - name: ssh-keys + secret: + secretName: ssh-keys + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/entrypoint"] + args: ["-listen", "5432"] + imagePullPolicy: Always + name: postgres + ports: + - containerPort: 5432 + protocol: TCP + volumeMounts: + - name: ssh-keys + mountPath: "/root/.ssh" + +--- +# Service named "postgres-service" +# Listens on :5432 +apiVersion: v1 +kind: Service +metadata: + labels: + app: postgres + name: postgres-service + namespace: backend +spec: + ports: + - port: 5432 + protocol: TCP + targetPort: 5432 + name: tcp + selector: + app: postgres + type: ClusterIP + +--- + +# Deployment named "varnish" +# Listens on :8080 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: varnish + namespace: backend + labels: + app: varnish +spec: + replicas: 1 + selector: + matchLabels: + app: varnish + template: + metadata: + labels: + app: varnish + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/entrypoint"] + args: ["-listen", "8080", "-connect", 
"api-server-service.backend.svc.cluster.local:9001"] + imagePullPolicy: Always + name: varnish + ports: + - containerPort: 8080 + protocol: TCP + +--- + +# Service named "varnish-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: varnish + name: varnish-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: varnish + type: ClusterIP + diff --git a/2025-01-28-advanced-cluster-security/medical-application/frontend/everything.yml b/2025-01-28-advanced-cluster-security/medical-application/frontend/everything.yml new file mode 100644 index 0000000..79ad1e2 --- /dev/null +++ b/2025-01-28-advanced-cluster-security/medical-application/frontend/everything.yml 
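Review bot: The `postgres-secrets` ClusterRole and ClusterRoleBinding both carry `namespace: backend` in their metadata, but these kinds are cluster-scoped, so the field is ignored by the API server and the `get` on `secrets` it grants to the `postgres` ServiceAccount reaches every namespace, not just `backend`; if a namespace-scoped read was meant, a Role/RoleBinding pair like the neighbouring `postgres-cm` is the right shape, otherwise drop the `namespace:` lines and say in the header that the reach is cluster-wide. The `ssh-keys` Secret commits an `id_rsa` entry to the repository, and the same key material is repeated in the frontend, operations and payments copies of this Secret; even for a throwaway demo key a header such as `# Demo-only throwaway key pair, shared by every namespace; never reuse outside this demo` keeps a scanner finding from being mistaken for an accident. Nothing in the file marks the struts-vulnerable image, `verbs: ["*"]` on configmaps, the `:latest` tags or the `/root/.ssh` mounts as deliberate demo signals, so one top-of-file comment stating that these manifests are intentionally insecure fixtures for the roadshow would make that explicit for the next maintainer.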
@@ -0,0 +1,214 @@ + +# Secret named "ssh-keys" +apiVersion: v1 +kind: Secret +metadata: + name: ssh-keys + namespace: frontend +data: + id_rsa: 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 + id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg== + +--- + +# Deployment named "asset-cache" +# Listens on :8080 +# Vulnerable to struts +apiVersion: apps/v1 +kind: Deployment +metadata: + name: asset-cache + namespace: frontend + labels: + app: asset-cache + demo: roadshow +spec: + replicas: 1 + selector: + matchLabels: + app: asset-cache + template: + metadata: + labels: + app: asset-cache + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/asset-cache:latest + imagePullPolicy: Always + name: asset-cache + ports: + - containerPort: 8080 + protocol: TCP + securityContext: + capabilities: + drop: ["NET_ADMIN"] + - image: quay.io/rhacs-demo/asset-cache:sidecar-latest + imagePullPolicy: Always + name: asset-cache-sidecar + command: ["/bin/entrypoint"] + securityContext: + privileged: false + +--- + +# Service named "asset-cache-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: asset-cache + name: asset-cache-service + namespace: frontend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: asset-cache + type: ClusterIP + +--- + +# Deployment named "tls-proxy" +# Listens on :80 and :443 +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tls-proxy + namespace: frontend + labels: + app: tls-proxy +spec: + replicas: 1 + selector: + matchLabels: + app: tls-proxy + template: + metadata: + labels: + app: tls-proxy + spec: + imagePullSecrets: + - name: 
rhacs-demo-pull-pull-secret + volumes: + - name: ssh-keys + secret: + secretName: ssh-keys + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/entrypoint"] + args: ["-listen", "80,443", "-connect", "asset-cache-service.frontend.svc.cluster.local:8080,wordpress-service.frontend.svc.cluster.local:80"] + imagePullPolicy: Always + name: tls-proxy + ports: + - containerPort: 80 + protocol: TCP + - containerPort: 443 + protocol: TCP + volumeMounts: + - name: ssh-keys + mountPath: "/root/.ssh" + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: tls-proxy + name: tls-proxy-service + namespace: frontend +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + name: http + - port: 443 + protocol: TCP + targetPort: 443 + name: tls + selector: + app: tls-proxy + type: ClusterIP + +--- + +# Deployment named "wordpress" +# Listens on :80 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: wordpress + namespace: frontend + labels: + app: wordpress +spec: + replicas: 1 + selector: + matchLabels: + app: wordpress + template: + metadata: + labels: + app: wordpress + spec: + containers: + - image: wordpress:latest + imagePullPolicy: Always + name: wordpress + ports: + - containerPort: 80 + protocol: TCP + +--- + +# Service named "wordpress-service" +# Listens on :80 +apiVersion: v1 +kind: Service +metadata: + labels: + app: wordpress + name: wordpress-service + namespace: frontend +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + name: http + selector: + app: wordpress + type: ClusterIP + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: monitor + namespace: frontend + labels: + app: monitor +spec: + replicas: 1 + selector: + matchLabels: + app: monitor + template: + metadata: + labels: + app: monitor + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/monitor:latest + imagePullPolicy: Always + name: monitor 
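Review bot: `drop: ["NET_ADMIN"]` on the `asset-cache` container removes a capability that common container runtimes do not grant by default, so unless the runtime's default set includes it this drop changes nothing at runtime; if the intent is a hardened example, `drop: ["ALL"]` is the form that actually reduces privilege, and if it is only meant to exercise a policy, a comment saying so would avoid the question. `tls-proxy-service` is the only Service in this file without the `# Service named ...` / `# Listens on ...` header the others carry; adding `# Service named "tls-proxy-service"` and `# Listens on :80 and :443` keeps the file self-describing. The `ssh-keys` Secret here carries the same key material as the backend, operations and payments copies, so a compromise of any one workload that mounts it exposes the key used everywhere, which is worth stating in the Secret's comment if it is deliberate.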
diff --git a/2025-01-28-advanced-cluster-security/medical-application/medical/everything.yml b/2025-01-28-advanced-cluster-security/medical-application/medical/everything.yml new file mode 100644 index 0000000..232e4ec --- /dev/null +++ b/2025-01-28-advanced-cluster-security/medical-application/medical/everything.yml 
@@ -0,0 +1,182 @@ +# Deployment named "reporting" +# Listens on :8080 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reporting + namespace: medical + labels: + app: reporting + demo: roadshow +spec: + replicas: 1 + selector: + matchLabels: + app: reporting + template: + metadata: + labels: + app: reporting + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/reporting:latest + command: ["/bin/entrypoint"] + args: ["-listen", "8080", "-connect", "patient-db-service.medical.svc.cluster.local:8080"] + imagePullPolicy: Always + name: reporting + ports: + - containerPort: 8080 + protocol: TCP + +--- + +# Service named "reporting-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: reporting + name: reporting-service + namespace: medical +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: reporting + type: ClusterIP + +--- + +# Deployment named "patient-db" +# Listens on :8080 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: patient-db + namespace: medical + labels: + app: patient-db +spec: + replicas: 1 + selector: + matchLabels: + app: patient-db + template: + metadata: + labels: + app: patient-db + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/entrypoint"] + args: ["-listen", "8080", "-connect", "reporting-service.medical.svc.cluster.local:8080"] + imagePullPolicy: Always + name: patient-db + ports: + - containerPort: 8080 + protocol: TCP + +--- + +# Service named "patient-db-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: patient-db + name: patient-db-service + namespace: medical +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: tcp + selector: + app: patient-db + type: ClusterIP + +--- + +# Network policy named "deny-all" +# Denies all ingress and egress 
traffic +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: deny-all + namespace: medical +spec: + policyTypes: + - Ingress + - Egress + podSelector: {} + egress: + - ports: + # Istio-pilot port -- required for istio-proxy registration + - port: 15010 + to: + - namespaceSelector: + matchLabels: + istio-system: "true" + - ports: + - protocol: UDP + # kube-dns -- required for istio-proxy to find istio-pilot service + port: 53 + to: + - namespaceSelector: + matchLabels: + kube-system: "true" + ingress: + - ports: + # Istio-proxy status port -- required for Istio to update routing + - port: 15020 + from: + - namespaceSelector: + matchLabels: + istio-system: "true" + - ports: + # Istio-proxy port -- required for Istio to update routing + - port: 15090 + from: + - namespaceSelector: + matchLabels: + istio-system: "true" + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: proxy + namespace: medical + labels: + app: proxy +spec: + replicas: 1 + selector: + matchLabels: + app: proxy + template: + metadata: + labels: + app: proxy + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/proxy:latest + securityContext: + privileged: true + command: ["/bin/entrypoint"] + imagePullPolicy: Always + name: proxy + + diff --git a/2025-01-28-advanced-cluster-security/medical-application/namespaces.yaml b/2025-01-28-advanced-cluster-security/medical-application/namespaces.yaml new file mode 100644 index 0000000..f1c7725 --- /dev/null +++ b/2025-01-28-advanced-cluster-security/medical-application/namespaces.yaml 
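Review bot: The `deny-all` NetworkPolicy's comment says it denies all ingress and egress, but the spec allows egress to namespaces labelled `istio-system: "true"` and `kube-system: "true"` and ingress on 15020/15090, so the comment should read something like `# Denies all traffic except Istio control-plane ports and UDP/53 to namespaces labelled kube-system: "true"`. Nothing in this change puts that label on `kube-system` (or on `openshift-dns`, where DNS runs on OpenShift) and `namespaces.yaml` only sets `name: <ns>` on the five demo namespaces, so as written the DNS exception probably matches no namespace and `reporting` / `patient-db`, which connect by service DNS name, would lose resolution; confirm the label exists on the target cluster or select by `kubernetes.io/metadata.name` instead. The `proxy` Deployment runs with `privileged: true` but has no header comment, while every other Deployment in the file documents its intended findings, so a `# Runs as privileged` header there would be consistent.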
@@ -0,0 +1,44 @@
+---
+# Namespace for backend
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: backend
+ labels:
+ name: backend
+
+---
+# Namespace for frontend
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: frontend
+ labels:
+ name: frontend
+
+---
+ # Namespace for medical
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: medical
+ labels:
+ name: medical
+
+---
+# Namespace for operations
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: operations
+ labels:
+ name: operations
+
+---
+# Namespace for payments
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: payments
+ labels:
+ name: payments
diff --git a/2025-01-28-advanced-cluster-security/medical-application/operations/everything.yml b/2025-01-28-advanced-cluster-security/medical-application/operations/everything.yml
new file mode 100644
index 0000000..a067e1b
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/medical-application/operations/everything.yml
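Review bot: The comment above the `medical` Namespace is indented by a space (` # Namespace for medical`) while the other four sit at column 0; the parser does not care, but it breaks the file's otherwise uniform layout and may trip yamllint's comments-indentation rule, so it should be `# Namespace for medical`. The `name: <namespace>` label on each Namespace duplicates the `kubernetes.io/metadata.name` label the API server sets itself; keeping it is fine if the demo's `namespaceSelector`s rely on it, but a one-line comment saying that is why it exists would explain the redundancy.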
@@ -0,0 +1,176 @@ +# Secret named "ssh-keys" +apiVersion: v1 +kind: Secret +metadata: + namespace: operations + name: ssh-keys +data: + id_rsa: 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 + id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg== + +--- +# Deployment named "jump-host" +# Listens on :22 +# Has SSH keys mounted +# Connects to "visa-processor-service" in the "payments" namespace +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jump-host + namespace: operations + labels: + app: jump-host + demo: roadshow +spec: + replicas: 1 + selector: + matchLabels: + app: jump-host + template: + metadata: + labels: + app: jump-host + spec: + volumes: + - name: ssh-keys + secret: + secretName: ssh-keys + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + containers: + - image: quay.io/rhacs-demo/jump-host:latest + command: ["/bin/entrypoint"] + args: ["-listen", "22", "-connect", "pupper-master-service.operations.svc.cluster.local:8140,visa-processor-service.payments.svc.cluster.local:8080,patient-db-service.medical.svc.cluster.local:8080"] + imagePullPolicy: Always + name: jump-host + ports: + - containerPort: 22 + name: tcp + protocol: TCP + volumeMounts: + - name: ssh-keys + mountPath: "/root/.ssh" + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: jump-host + name: jump-host-service + namespace: operations +spec: + ports: + - port: 8001 + protocol: TCP + targetPort: 22 + name: tcp + selector: + app: jump-host + type: ClusterIP + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: puppet-master + namespace: operations + labels: + app: puppet-master + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: puppet-master + namespace: 
operations + labels: + app: puppet-master +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["get", "watch", "list"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: puppet-master + namespace: operations + labels: + app: puppet-master +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: puppet-master +subjects: + - kind: ServiceAccount + name: puppet-master + namespace: operations + +--- +# Deployment named "puppet-master" +# Listens on :8140 +# Runs apt-get +# Runs nmap +# Mounts the host Docker socket +# Runs as privileged +apiVersion: apps/v1 +kind: Deployment +metadata: + name: puppet-master + namespace: operations + labels: + app: puppet-master +spec: + replicas: 1 + selector: + matchLabels: + app: puppet-master + template: + metadata: + labels: + app: puppet-master + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + serviceAccountName: puppet-master + volumes: + - hostPath: + path: /var/run/docker.sock + name: var-run-docker-sock + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/sh"] + args: ["-c", "/usr/bin/apt-get install nmap; /bin/nmap -Pn 10.0.0.0/24; /bin/entrypoint -listen 8140"] + imagePullPolicy: Always + name: puppet-master + securityContext: + privileged: true + ports: + - containerPort: 8140 + protocol: TCP + volumeMounts: + - mountPath: /host/var/run/docker.sock + name: var-run-docker-sock + +--- + +# Service named "pupper-master-service" +# Listens on :8140 +apiVersion: v1 +kind: Service +metadata: + labels: + app: puppet-master + name: pupper-master-service + namespace: operations +spec: + ports: + - port: 8140 + protocol: TCP + targetPort: 8140 + name: http + selector: + app: puppet-master + type: ClusterIP diff --git a/2025-01-28-advanced-cluster-security/medical-application/payments/everything.yml b/2025-01-28-advanced-cluster-security/medical-application/payments/everything.yml new file mode 100644 index 0000000..3d516c7 --- /dev/null 
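Review bot: The `puppet-master` Role grants `get`/`watch`/`list` on `apiGroups: ["*"]`, `resources: ["*"]`, which inside a namespaced Role still covers `secrets`, so the `puppet-master` ServiceAccount can read the `ssh-keys` Secret in `operations`; the Deployment's header lists apt-get, nmap, the Docker socket and privileged mode as its intended findings but not this, so either add `# Can read every namespaced resource, including secrets` to that header or narrow the rule to what the demo needs. The Service is named `pupper-master-service` and the `jump-host` `-connect` argument spells it the same way, so the typo is consistent today, but a fix in one place without the other would silently break the connection; a comment on the Service such as `# name intentionally matches jump-host's -connect target` guards against a half-fix. The `hostPath` mount of `/var/run/docker.sock` presumably does not exist on a CRI-O based OpenShift node, and with no `type:` set the kubelet performs no check, so the container may end up with an empty directory created by the runtime rather than a socket; that is likely fine for a policy-trigger demo but worth stating in the header.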
+++ b/2025-01-28-advanced-cluster-security/medical-application/payments/everything.yml 
@@ -0,0 +1,446 @@ +# Secret named "ssh-keys" +apiVersion: v1 +kind: Secret +metadata: + namespace: payments + name: ssh-keys +data: + id_rsa: 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 + id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg== +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: visa-processor + namespace: payments + labels: + app: visa-processor +secrets: +- name: rhacs-demo-pull-pull-secret + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: visa-processor + labels: + app: visa-processor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: visa-processor + namespace: payments + +--- +# Deployment named "visa-processor" +# Listens on :8080 +# Vulnerable to struts +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: visa-processor + namespace: payments + labels: + app: visa-processor + demo: roadshow + annotations: + "admission.stackrox.io/break-glass": "jira-3423" +spec: + replicas: 1 + selector: + matchLabels: + app: visa-processor + template: + metadata: + labels: + app: visa-processor + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + serviceAccountName: visa-processor + volumes: + - name: ssh-keys + secret: + secretName: ssh-keys + containers: + - image: quay.io/rhacs-demo/visa-processor:latest-v2 + imagePullPolicy: Always + name: visa-processor + ports: + - containerPort: 22 + protocol: TCP + - containerPort: 8080 + protocol: TCP + volumeMounts: + - name: ssh-keys + mountPath: "/root/.ssh" + readOnly: false + securityContext: + capabilities: + add: ["SYS_ADMIN"] + env: + - name: I_HAVE_A_SECRET + value: 
"true" + - image: quay.io/rhacs-demo/visa-processor:sidecar-latest-v2 + imagePullPolicy: Always + name: visa-processor-sidecar + command: ["/bin/entrypoint"] + securityContext: + privileged: true + +--- +# Service named "visa-processor-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: visa-processor + name: visa-processor-service + namespace: payments +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: visa-processor + type: ClusterIP + +--- +# Deployment named "gateway" +# Listens on :7777 +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway + namespace: payments + labels: + app: gateway +spec: + replicas: 1 + selector: + matchLabels: + app: gateway + template: + metadata: + labels: + app: gateway + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + volumes: + - name: ssh-keys + secret: + secretName: ssh-keys + containers: + - image: quay.io/rhacs-demo/netflow:latest + command: ["/bin/entrypoint"] + args: ["-listen", "7777", "-connect", "visa-processor-service.payments.svc.cluster.local:8080,mastercard-processor-service.payments.svc.cluster.local:8080"] + imagePullPolicy: Always + name: gateway + ports: + - containerPort: 7777 + protocol: TCP + volumeMounts: + - name: ssh-keys + mountPath: "/root/.ssh" + +--- +# Service named "gateway-service" +# Listens on :7777 +apiVersion: v1 +kind: Service +metadata: + labels: + app: gateway + name: gateway-service + namespace: payments +spec: + ports: + - port: 7777 + protocol: TCP + targetPort: 7777 + name: http + selector: + app: gateway + type: ClusterIP + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mastercard-processor + namespace: payments + labels: + app: mastercard-processor + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mastercard-processor + namespace: payments + labels: + app: mastercard-processor +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: Role + name: cluster-admin +subjects: + - kind: ServiceAccount + name: mastercard-processor + namespace: payments + +--- +# Deployment named "mastercard-processor" +# Listens on :8080 +# Vulnerable to struts +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mastercard-processor + namespace: payments + labels: + app: mastercard-processor +spec: + replicas: 1 + selector: + matchLabels: + app: mastercard-processor + template: + metadata: + labels: + app: mastercard-processor + spec: + imagePullSecrets: + - name: rhacs-demo-pull-pull-secret + serviceAccountName: mastercard-processor + containers: + - image: quay.io/rhacs-demo/mastercard-processor:latest + imagePullPolicy: Always + name: mastercard-processor + ports: + - containerPort: 8080 + protocol: TCP + +--- +# Service named "mastercard-processor-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: mastercard-processor + name: mastercard-processor-service + namespace: payments +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: mastercard-processor + type: ClusterIP + +#--- +#kind: NetworkPolicy +#apiVersion: networking.k8s.io/v1 +#metadata: +# name: backend-api-server-ingress-payments-gateway +# namespace: payments +#spec: +# podSelector: +# matchLabels: +# app: gateway +# ingress: +# - from: +# - namespaceSelector: +# matchLabels: +# name: backend +# podSelector: +# matchLabels: +# app: api-server +# - podSelector: +# matchLabels: +# app: visa-processor +# - podSelector: +# matchLabels: +# app: mastercard-processor +# - ports: +# # Istio-proxy status port -- required for Istio to update routing +# - port: 15020 +# from: +# - namespaceSelector: +# matchLabels: +# istio-system: "true" +# - ports: +# # Istio-proxy port -- required for Istio to update routing +# - port: 15090 +# from: +# - namespaceSelector: +# matchLabels: +# istio-system: "true" +# egress: +# - to: +# - namespaceSelector: +# 
matchLabels: +# name: backend +# podSelector: +# matchLabels: +# app: api-server +# - podSelector: +# matchLabels: +# app: visa-processor +# - podSelector: +# matchLabels: +# app: mastercard-processor +# - ports: +# # Istio-pilot port -- required for istio-proxy registration +# - port: 15010 +# to: +# - namespaceSelector: +# matchLabels: +# istio-system: "true" +# - ports: +# - protocol: UDP +# # kube-dns -- required for istio-proxy to find istio-pilot service +# port: 53 +# to: +# - namespaceSelector: +# matchLabels: +# kube-system: "true" +# +#--- +#kind: NetworkPolicy +#apiVersion: networking.k8s.io/v1 +#metadata: +# name: payments-gateway-ingress-payments-visa-processor +# namespace: payments +#spec: +# podSelector: +# matchLabels: +# app: visa-processor +# ingress: +# - from: +# - podSelector: +# matchLabels: +# app: gateway +# - ports: +# # Istio-proxy status port -- required for Istio to update routing +# - port: 15020 +# from: +# - namespaceSelector: +# matchLabels: +# istio-system: "true" +# - ports: +# # Istio-proxy port -- required for Istio to update routing +# - port: 15090 +# from: +# - namespaceSelector: +# matchLabels: +# istio-system: "true" +# egress: +# - to: +# - podSelector: +# matchLabels: +# app: gateway +# - ports: +# # Istio-pilot port -- required for istio-proxy registration +# - port: 15010 +# to: +# - namespaceSelector: +# matchLabels: +# istio-system: "true" +# - ports: +# - protocol: UDP +# # kube-dns -- required for istio-proxy to find istio-pilot service +# port: 53 +# to: +# - namespaceSelector: +# matchLabels: +# kube-system: "true" +# +#--- +#kind: NetworkPolicy +#apiVersion: networking.k8s.io/v1 +#metadata: +# name: payments-gateway-ingress-payments-mastercard-processor +# namespace: payments +#spec: +# podSelector: +# matchLabels: +# app: mastercard-processor +# ingress: +# - from: +# - podSelector: +# matchLabels: +# app: gateway +# - ports: +# # Istio-proxy status port -- required for Istio to update routing +# - port: 15020 
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: payments-secrets
+ namespace: payments
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: payments-secrets
+ namespace: payments
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: payments-secrets
+subjects:
+- kind: User
+ name: "joe@example.com"
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/2025-01-28-advanced-cluster-security/payments-policies-edit/default-deny-in-namespace-payments.yaml b/2025-01-28-advanced-cluster-security/payments-policies-edit/default-deny-in-namespace-payments.yaml
new file mode 100644
index 0000000..cf9baaa
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies-edit/default-deny-in-namespace-payments.yaml
@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ labels:
+ network-policy-buildtime-generator.stackrox.io/generated: "true"
+ name: default-deny-in-namespace-payments
+ namespace: payments
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
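Review bot: In `payments/everything.yml` the `mastercard-processor` RoleBinding references `kind: Role`, `name: cluster-admin`, but no Role of that name is defined in `payments` by this change (`cluster-admin` is a ClusterRole, which is how the `visa-processor` ClusterRoleBinding uses it), so the binding is dangling and grants nothing; if namespace-wide admin was intended the roleRef should be `kind: ClusterRole` (that form scopes `cluster-admin` to the `payments` namespace), otherwise drop the binding or comment it as a deliberate dangling-reference example. `readOnly: false` on the `visa-processor` ssh-keys volumeMount has no effect because the kubelet mounts Secret volumes read-only regardless, so either remove it or add `# no-op: Secret volumes are always read-only; kept as a policy trigger`. The roughly 150 lines of commented-out NetworkPolicy documents are dead content that is also added verbatim in `payments-policies-edit/everything.yml` (same blob `3d516c7`); moving them into `payments-policies-edit` as live manifests or deleting them would keep this file to what `oc apply` actually creates, and any fix made here must be mirrored in that copy.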
diff --git a/2025-01-28-advanced-cluster-security/payments-policies-edit/everything.yml b/2025-01-28-advanced-cluster-security/payments-policies-edit/everything.yml new file mode 100644 index 0000000..3d516c7 --- /dev/null +++ b/2025-01-28-advanced-cluster-security/payments-policies-edit/everything.yml 
@@ -0,0 +1,446 @@
+# Secret named "ssh-keys"
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: payments
+ name: ssh-keys
+data:
+ id_rsa: 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
+ id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg==
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: visa-processor
+ namespace: payments
+ labels:
+ app: visa-processor
+secrets:
+- name: rhacs-demo-pull-pull-secret
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: visa-processor
+ labels:
+ app: visa-processor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: visa-processor
+ namespace: payments
+
+---
+# Deployment named "visa-processor"
+# Listens on :8080
+# Vulnerable to struts
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: visa-processor
+ namespace: payments
+ labels:
+ app: visa-processor
+ demo: roadshow
+ annotations:
+ "admission.stackrox.io/break-glass": "jira-3423"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: visa-processor
+ template:
+ metadata:
+ labels:
+ app: visa-processor
+ spec:
+ imagePullSecrets:
+ - name: rhacs-demo-pull-pull-secret
+ serviceAccountName: visa-processor
+ volumes:
+ - name: ssh-keys
+ secret:
+ secretName: ssh-keys
+ containers:
+ - image: quay.io/rhacs-demo/visa-processor:latest-v2
+ imagePullPolicy: Always
+ name: visa-processor
+ ports:
+ - containerPort: 22
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - name: ssh-keys
+ mountPath: "/root/.ssh"
+ readOnly: false
+ securityContext:
+ capabilities:
+ add: ["SYS_ADMIN"]
+ env:
+ - name: I_HAVE_A_SECRET
+ value: "true"
+ - image: quay.io/rhacs-demo/visa-processor:sidecar-latest-v2
+ imagePullPolicy: Always
+ name: visa-processor-sidecar
+ command: ["/bin/entrypoint"]
+ securityContext:
+ privileged: true
+
+---
+# Service named "visa-processor-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: visa-processor
+ name: visa-processor-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: visa-processor
+ type: ClusterIP
+
+---
+# Deployment named "gateway"
+# Listens on :7777
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gateway
+ namespace: payments
+ labels:
+ app: gateway
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gateway
+ template:
+ metadata:
+ labels:
+ app: gateway
+ spec:
+ imagePullSecrets:
+ - name: rhacs-demo-pull-pull-secret
+ volumes:
+ - name: ssh-keys
+ secret:
+ secretName: ssh-keys
+ containers:
+ - image: quay.io/rhacs-demo/netflow:latest
+ command: ["/bin/entrypoint"]
+ args: ["-listen", "7777", "-connect", "visa-processor-service.payments.svc.cluster.local:8080,mastercard-processor-service.payments.svc.cluster.local:8080"]
+ imagePullPolicy: Always
+ name: gateway
+ ports:
+ - containerPort: 7777
+ protocol: TCP
+ volumeMounts:
+ - name: ssh-keys
+ mountPath: "/root/.ssh"
+
+---
+# Service named "gateway-service"
+# Listens on :7777
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: gateway
+ name: gateway-service
+ namespace: payments
+spec:
+ ports:
+ - port: 7777
+ protocol: TCP
+ targetPort: 7777
+ name: http
+ selector:
+ app: gateway
+ type: ClusterIP
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: mastercard-processor
+ namespace: payments
+
+---
+# Deployment named "mastercard-processor"
+# Listens on :8080
+# Vulnerable to struts
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mastercard-processor
+ template:
+ metadata:
+ labels:
+ app: mastercard-processor
+ spec:
+ imagePullSecrets:
+ - name: rhacs-demo-pull-pull-secret
+ serviceAccountName: mastercard-processor
+ containers:
+ - image: quay.io/rhacs-demo/mastercard-processor:latest
+ imagePullPolicy: Always
+ name: mastercard-processor
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+
+---
+# Service named "mastercard-processor-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: mastercard-processor
+ name: mastercard-processor-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: mastercard-processor
+ type: ClusterIP
+
+#---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+# name: backend-api-server-ingress-payments-gateway
+# namespace: payments
+#spec:
+# podSelector:
+# matchLabels:
+# app: gateway
+# ingress:
+# - from:
+# - namespaceSelector:
+# matchLabels:
+# name: backend
+# podSelector:
+# matchLabels:
+# app: api-server
+# - podSelector:
+# matchLabels:
+# app: visa-processor
+# - podSelector:
+# matchLabels:
+# app: mastercard-processor
+# - ports:
+# # Istio-proxy status port -- required for Istio to update routing
+# - port: 15020
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - namespaceSelector:
+# matchLabels:
+# name: backend
+# podSelector:
+# matchLabels:
+# app: api-server
+# - podSelector:
+# matchLabels:
+# app: visa-processor
+# - podSelector:
+# matchLabels:
+# app: mastercard-processor
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+#
+#---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+# name: payments-gateway-ingress-payments-visa-processor
+# namespace: payments
+#spec:
+# podSelector:
+# matchLabels:
+# app: visa-processor
+# ingress:
+# - from:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-proxy status port -- required for Istio to update routing
+# - port: 15020
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+#
+#---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+# name: payments-gateway-ingress-payments-mastercard-processor
+# namespace: payments
+#spec:
+# podSelector:
+# matchLabels:
+# app: mastercard-processor
+# ingress:
+# - from:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-proxy status port -- required for Istio to update routing
+# - port: 15020
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: payments-secrets
+ namespace: payments
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: payments-secrets
+ namespace: payments
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: payments-secrets
+subjects:
+- kind: User
+ name: "joe@example.com"
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/2025-01-28-advanced-cluster-security/payments-policies-edit/mastercard-processor-netpol.yaml b/2025-01-28-advanced-cluster-security/payments-policies-edit/mastercard-processor-netpol.yaml
new file mode 100644
index 0000000..13b4e35
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies-edit/mastercard-processor-netpol.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ labels:
+ network-policy-buildtime-generator.stackrox.io/generated: "true"
+ name: mastercard-processor-netpol
+ namespace: payments
+spec:
+ podSelector:
+ matchLabels:
+ app: mastercard-processor
+ policyTypes:
+ - Ingress
+ - Egress
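Review bot: The `mastercard-processor` RoleBinding sets `roleRef` to `kind: Role`, `name: cluster-admin` in namespace `payments`, but the only Role this file defines is `payments-secrets`, so the reference dangles and the `mastercard-processor` ServiceAccount receives no permissions from it — unlike `visa-processor`, whose ClusterRoleBinding references `kind: ClusterRole`. If the dangling binding is the intended demo finding, record that above the binding, e.g. `# intentionally dangling: no Role named cluster-admin exists in this namespace`; if it was meant to mirror the visa-processor privilege level, the `kind` is the only field that differs, and the choice should be stated either way. The same blob (index 3d516c7) is added again as payments-policies/everything.yml in the later hunk, so this comment applies there too, and two committed copies of a manifest that embeds an SSH private key in the `ssh-keys` Secret will drift apart. The roughly two hundred `#`-commented NetworkPolicy lines after the Services are dead configuration; either delete them or move them to a separate, documented file.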
diff --git a/2025-01-28-advanced-cluster-security/payments-policies-edit/visa-processor-netpol.yaml b/2025-01-28-advanced-cluster-security/payments-policies-edit/visa-processor-netpol.yaml
new file mode 100644
index 0000000..ed63f48
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies-edit/visa-processor-netpol.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ labels:
+ network-policy-buildtime-generator.stackrox.io/generated: "true"
+ name: visa-processor-netpol
+ namespace: payments
+spec:
+ podSelector:
+ matchLabels:
+ app: visa-processor
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/2025-01-28-advanced-cluster-security/payments-policies/everything.yml b/2025-01-28-advanced-cluster-security/payments-policies/everything.yml
new file mode 100644
index 0000000..3d516c7
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies/everything.yml
@@ -0,0 +1,446 @@
+# Secret named "ssh-keys"
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: payments
+ name: ssh-keys
+data:
+ id_rsa: 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
+ id_rsa.pub: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFBZ1FEUlZOL2xWMThRWDJwZkJTS2FaMFVZQ1ZZNkwxUkQ5YTcvUERrZlZaSUV3U1ArM3MyM2pHU3NZanhxZXliT0lEZzI3dndkWkw5R1dEd2Nsb2lVbmhjWUpDSlJaalN4VUw5MmJJSGVhYitYSnJQUGRFNmVudktOamxITWdqanF1WFBYaStCamM0OC93UEZieEtWd1JyVjA5QVk5SkNtcFZlSGp1QUdRK3BuaTZ3PT0gaGFja2VybWFuCg==
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: visa-processor
+ namespace: payments
+ labels:
+ app: visa-processor
+secrets:
+- name: rhacs-demo-pull-pull-secret
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: visa-processor
+ labels:
+ app: visa-processor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: visa-processor
+ namespace: payments
+
+---
+# Deployment named "visa-processor"
+# Listens on :8080
+# Vulnerable to struts
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: visa-processor
+ namespace: payments
+ labels:
+ app: visa-processor
+ demo: roadshow
+ annotations:
+ "admission.stackrox.io/break-glass": "jira-3423"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: visa-processor
+ template:
+ metadata:
+ labels:
+ app: visa-processor
+ spec:
+ imagePullSecrets:
+ - name: rhacs-demo-pull-pull-secret
+ serviceAccountName: visa-processor
+ volumes:
+ - name: ssh-keys
+ secret:
+ secretName: ssh-keys
+ containers:
+ - image: quay.io/rhacs-demo/visa-processor:latest-v2
+ imagePullPolicy: Always
+ name: visa-processor
+ ports:
+ - containerPort: 22
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - name: ssh-keys
+ mountPath: "/root/.ssh"
+ readOnly: false
+ securityContext:
+ capabilities:
+ add: ["SYS_ADMIN"]
+ env:
+ - name: I_HAVE_A_SECRET
+ value: "true"
+ - image: quay.io/rhacs-demo/visa-processor:sidecar-latest-v2
+ imagePullPolicy: Always
+ name: visa-processor-sidecar
+ command: ["/bin/entrypoint"]
+ securityContext:
+ privileged: true
+
+---
+# Service named "visa-processor-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: visa-processor
+ name: visa-processor-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: visa-processor
+ type: ClusterIP
+
+---
+# Deployment named "gateway"
+# Listens on :7777
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gateway
+ namespace: payments
+ labels:
+ app: gateway
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gateway
+ template:
+ metadata:
+ labels:
+ app: gateway
+ spec:
+ imagePullSecrets:
+ - name: rhacs-demo-pull-pull-secret
+ volumes:
+ - name: ssh-keys
+ secret:
+ secretName: ssh-keys
+ containers:
+ - image: quay.io/rhacs-demo/netflow:latest
+ command: ["/bin/entrypoint"]
+ args: ["-listen", "7777", "-connect", "visa-processor-service.payments.svc.cluster.local:8080,mastercard-processor-service.payments.svc.cluster.local:8080"]
+ imagePullPolicy: Always
+ name: gateway
+ ports:
+ - containerPort: 7777
+ protocol: TCP
+ volumeMounts:
+ - name: ssh-keys
+ mountPath: "/root/.ssh"
+
+---
+# Service named "gateway-service"
+# Listens on :7777
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: gateway
+ name: gateway-service
+ namespace: payments
+spec:
+ ports:
+ - port: 7777
+ protocol: TCP
+ targetPort: 7777
+ name: http
+ selector:
+ app: gateway
+ type: ClusterIP
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: mastercard-processor
+ namespace: payments
+
+---
+# Deployment named "mastercard-processor"
+# Listens on :8080
+# Vulnerable to struts
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mastercard-processor
+ template:
+ metadata:
+ labels:
+ app: mastercard-processor
+ spec:
+ imagePullSecrets:
+ - name: rhacs-demo-pull-pull-secret
+ serviceAccountName: mastercard-processor
+ containers:
+ - image: quay.io/rhacs-demo/mastercard-processor:latest
+ imagePullPolicy: Always
+ name: mastercard-processor
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+
+---
+# Service named "mastercard-processor-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: mastercard-processor
+ name: mastercard-processor-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: mastercard-processor
+ type: ClusterIP
+
+#---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+# name: backend-api-server-ingress-payments-gateway
+# namespace: payments
+#spec:
+# podSelector:
+# matchLabels:
+# app: gateway
+# ingress:
+# - from:
+# - namespaceSelector:
+# matchLabels:
+# name: backend
+# podSelector:
+# matchLabels:
+# app: api-server
+# - podSelector:
+# matchLabels:
+# app: visa-processor
+# - podSelector:
+# matchLabels:
+# app: mastercard-processor
+# - ports:
+# # Istio-proxy status port -- required for Istio to update routing
+# - port: 15020
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - namespaceSelector:
+# matchLabels:
+# name: backend
+# podSelector:
+# matchLabels:
+# app: api-server
+# - podSelector:
+# matchLabels:
+# app: visa-processor
+# - podSelector:
+# matchLabels:
+# app: mastercard-processor
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+#
+#---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+# name: payments-gateway-ingress-payments-visa-processor
+# namespace: payments
+#spec:
+# podSelector:
+# matchLabels:
+# app: visa-processor
+# ingress:
+# - from:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-proxy status port -- required for Istio to update routing
+# - port: 15020
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+#
+#---
+#kind: NetworkPolicy
+#apiVersion: networking.k8s.io/v1
+#metadata:
+# name: payments-gateway-ingress-payments-mastercard-processor
+# namespace: payments
+#spec:
+# podSelector:
+# matchLabels:
+# app: mastercard-processor
+# ingress:
+# - from:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-proxy status port -- required for Istio to update routing
+# - port: 15020
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# # Istio-proxy port -- required for Istio to update routing
+# - port: 15090
+# from:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# egress:
+# - to:
+# - podSelector:
+# matchLabels:
+# app: gateway
+# - ports:
+# # Istio-pilot port -- required for istio-proxy registration
+# - port: 15010
+# to:
+# - namespaceSelector:
+# matchLabels:
+# istio-system: "true"
+# - ports:
+# - protocol: UDP
+# # kube-dns -- required for istio-proxy to find istio-pilot service
+# port: 53
+# to:
+# - namespaceSelector:
+# matchLabels:
+# kube-system: "true"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: payments-secrets
+ namespace: payments
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: payments-secrets
+ namespace: payments
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: payments-secrets
+subjects:
+- kind: User
+ name: "joe@example.com"
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/2025-01-28-advanced-cluster-security/payments-policies/gateway-netpol.yaml b/2025-01-28-advanced-cluster-security/payments-policies/gateway-netpol.yaml
new file mode 100644
index 0000000..7ff3a3a
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies/gateway-netpol.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ labels:
+ network-policy-buildtime-generator.stackrox.io/generated: "true"
+ name: gateway-netpol
+ namespace: payments
+spec:
+ podSelector:
+ matchLabels:
+ app: gateway
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/2025-01-28-advanced-cluster-security/payments-policies/mastercard-processor-netpol.yaml b/2025-01-28-advanced-cluster-security/payments-policies/mastercard-processor-netpol.yaml
new file mode 100644
index 0000000..13b4e35
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies/mastercard-processor-netpol.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ labels:
+ network-policy-buildtime-generator.stackrox.io/generated: "true"
+ name: mastercard-processor-netpol
+ namespace: payments
+spec:
+ podSelector:
+ matchLabels:
+ app: mastercard-processor
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/2025-01-28-advanced-cluster-security/payments-policies/visa-processor-netpol.yaml b/2025-01-28-advanced-cluster-security/payments-policies/visa-processor-netpol.yaml
new file mode 100644
index 0000000..ed63f48
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/payments-policies/visa-processor-netpol.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ labels:
+ network-policy-buildtime-generator.stackrox.io/generated: "true"
+ name: visa-processor-netpol
+ namespace: payments
+spec:
+ podSelector:
+ matchLabels:
+ app: visa-processor
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/2025-01-28-advanced-cluster-security/spring4shell-app/deployment.yaml b/2025-01-28-advanced-cluster-security/spring4shell-app/deployment.yaml
new file mode 100644
index 0000000..3b91dfa
--- /dev/null
+++ b/2025-01-28-advanced-cluster-security/spring4shell-app/deployment.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: spring4shell
+ app.kubernetes.io/component: spring4shell
+ app.kubernetes.io/instance: spring4shell
+ app.kubernetes.io/name: spring4shell
+ app.kubernetes.io/part-of: spring4shell
+ app.openshift.io/runtime-namespace: app-deploy
+ name: spring4shell
+ namespace: app-deploy
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: spring4shell
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ labels:
+ app: spring4shell
+ deployment: spring4shell
+ spec:
+ containers:
+ - image: quay.io/smileyfritz/spring4shell:v0.5
+ imagePullPolicy: IfNotPresent
+ name: spring4shell
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
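Review bot: `annotations:` under `template.metadata` is a bare key that parses as null; write `annotations: {}` or drop the line, since the server-rejects-nothing behaviour here hides the fact that the value is not a mapping. The manifest also carries server-populated defaults (`progressDeadlineSeconds`, `revisionHistoryLimit`, `strategy`, `terminationMessagePath`, `terminationMessagePolicy`, `dnsPolicy`, `schedulerName`), which suggests it was captured from a live object rather than authored, and trimming them leaves only what the demo actually sets. `namespace: app-deploy` is referenced but no Namespace object appears anywhere in this diff, so applying this file on its own fails unless the namespace is created out of band — presumably it is, but a comment naming where would help. `resources: {}` and `securityContext: {}` leave the deliberately vulnerable container with no CPU/memory limits and no pod-level hardening; if that is the point of the exhibit, a one-line comment such as `# deliberately unconstrained for the demo` makes the intent explicit to anyone reusing the file.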