#+TITLE: Openshift security hackathon #+DATE: <2024-09-26 Thu> #+AUTHOR: James Blair This document captures the steps required to set up an instance of the workshop. * Log in to cluster #+begin_src tmux oc login --web https://api.cluster-dlljg.dlljg.sandbox1289.opentlc.com:6443 #+end_src * Update cluster logo #+begin_src tmux oc create configmap console-custom-logo --from-file=/home/james/Downloads/logo.png -n openshift-config cat << EOF | oc apply --filename - apiVersion: operator.openshift.io/v1 kind: Console metadata: name: cluster spec: customization: customLogoFile: key: logo.png name: console-custom-logo customProductName: ACME Financial Services OpenShift Console EOF #+end_src * Deploy the vulnerable workload #+begin_src tmux cat << EOF | oc apply --filename - --- kind: Namespace apiVersion: v1 metadata: name: prd-acme-payments --- kind: Deployment apiVersion: apps/v1 metadata: name: prd-acme-payments-processor namespace: prd-acme-payments labels: app: payments-processor spec: replicas: 3 selector: matchLabels: deployment: prd-acme-payments-processor template: metadata: labels: deployment: prd-acme-payments-processor spec: containers: - name: literally-log4shell image: quay.io/smileyfritz/log4shell-app:v0.5 securityContext: capabilities: add: - SYS_ADMIN - NET_ADMIN ports: - containerPort: 8080 protocol: TCP resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File imagePullPolicy: IfNotPresent volumeMounts: - name: unix-socket mountPath: /var/run/crio/crio.sock restartPolicy: Always terminationGracePeriodSeconds: 30 dnsPolicy: ClusterFirst securityContext: {} schedulerName: default-scheduler volumes: - name: unix-socket hostPath: path: /var/run/crio/crio.sock strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 25% maxSurge: 25% revisionHistoryLimit: 10 progressDeadlineSeconds: 600 EOF oc adm policy add-scc-to-user privileged -z default -n prd-acme-payments #+end_src