Openshift security hackathon
This document captures the steps required to set up an instance of the workshop.
Log in to cluster
oc login --web https://api.cluster-dlljg.dlljg.sandbox1289.opentlc.com:6443Update cluster logo
oc create configmap console-custom-logo --from-file=/home/james/Downloads/logo.png -n openshift-config
cat << EOF | oc apply --filename -
apiVersion: operator.openshift.io/v1
kind: Console
metadata:
name: cluster
spec:
customization:
customLogoFile:
key: logo.png
name: console-custom-logo
customProductName: ACME Financial Services OpenShift Console
EOFDeploy the vulnerable workload
cat << EOF | oc apply --filename -
---
kind: Namespace
apiVersion: v1
metadata:
name: prd-acme-payments
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: prd-acme-payments-processor
namespace: prd-acme-payments
labels:
app: payments-processor
spec:
replicas: 3
selector:
matchLabels:
deployment: prd-acme-payments-processor
template:
metadata:
labels:
deployment: prd-acme-payments-processor
spec:
containers:
- name: literally-log4shell
image: quay.io/smileyfritz/log4shell-app:v0.5
securityContext:
capabilities:
add:
- SYS_ADMIN
- NET_ADMIN
ports:
- containerPort: 8080
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
volumeMounts:
- name: unix-socket
mountPath: /var/run/crio/crio.sock
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
volumes:
- name: unix-socket
hostPath:
path: /var/run/crio/crio.sock
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
EOF
oc adm policy add-scc-to-user privileged -z default -n prd-acme-payments