jmhbnz/workshops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f30a8af73f815ff2df1b9d3887660a3921e1e351
workshops/data/workshop
History
James Blair f30a8af73f Progress on exercise 5.
2024-10-23 15:57:30 +13:00
..
exercise1.mdx
Update environment links.
2024-10-23 10:29:10 +13:00
exercise2.mdx
Begin working on exercise 5.
2024-10-23 11:59:34 +13:00
exercise3.mdx
Begin working on exercise 5.
2024-10-23 11:59:34 +13:00
exercise4.mdx
Begin working on exercise 5.
2024-10-23 11:59:34 +13:00
exercise5.mdx
Progress on exercise 5.
2024-10-23 15:57:30 +13:00
README.org
Progress on exercise 5.
2024-10-23 12:37:05 +13:00

README.org

Openshift security hackathon

This document captures the steps required to set up an instance of the workshop.

Log in to cluster 

oc login --web https://api.cluster-zwm4h.zwm4h.sandbox1572.opentlc.com:6443/

Update cluster logo 

oc create configmap console-custom-logo --from-file=/home/james/Downloads/logo.png -n openshift-config

cat << EOF | oc apply --filename -
apiVersion: operator.openshift.io/v1
kind: Console
metadata:
  name: cluster
spec:
  customization:
    customLogoFile:
      key: logo.png
      name: console-custom-logo
    customProductName: ACME Financial Services OpenShift Console
EOF

Deploy the vulnerable workload 

cat << EOF | oc apply --filename -
---
kind: Namespace
apiVersion: v1
metadata:
  name: prd-acme-payments

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: prd-acme-payments-processor
  namespace: prd-acme-payments
  labels:
    app: payments-processor
spec:
  replicas: 3
  selector:
    matchLabels:
      deployment: prd-acme-payments-processor
  template:
    metadata:
      labels:
        deployment: prd-acme-payments-processor
    spec:
      containers:
        - name: literally-log4shell
          image: quay.io/smileyfritz/log4shell-app:v0.5
          securityContext:
            capabilities:
              add:
                - SYS_ADMIN
                - NET_ADMIN
          ports:
            - containerPort: 8080
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: unix-socket
              mountPath: /var/run/crio/crio.sock
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
      volumes:
        - name: unix-socket
          hostPath:
            path: /var/run/crio/crio.sock
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
EOF

oc adm policy add-scc-to-user privileged -z default -n prd-acme-payments