{"id":19299989,"url":"https://github.com/cloudogu/k8s-security-demos","last_synced_at":"2025-04-09T10:09:44.177Z","repository":{"id":43391953,"uuid":"169539912","full_name":"cloudogu/k8s-security-demos","owner":"cloudogu","description":"Demos for several kubernetes security features","archived":false,"fork":false,"pushed_at":"2025-01-09T10:25:29.000Z","size":98,"stargazers_count":63,"open_issues_count":0,"forks_count":19,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-02T03:46:00.042Z","etag":null,"topics":["gke","google-kubernetes-engine","kubernetes","netpol","network-policy","pod-security-policy","podsecuritypolicies","psp","rbac","security","security-context","terraform"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudogu.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-07T08:23:47.000Z","updated_at":"2025-01-09T10:25:32.000Z","dependencies_parsed_at":"2025-01-31T16:11:03.003Z","dependency_job_id":null,"html_url":"https://github.com/cloudogu/k8s-security-demos","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fk8s-security-demos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fk8s-security-demos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fk8s-security-demos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/cloudogu%2Fk8s-security-demos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudogu","download_url":"https://codeload.github.com/cloudogu/k8s-security-demos/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248018061,"owners_count":21034048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gke","google-kubernetes-engine","kubernetes","netpol","network-policy","pod-security-policy","podsecuritypolicies","psp","rbac","security","security-context","terraform"],"created_at":"2024-11-09T23:13:22.105Z","updated_at":"2025-04-09T10:09:44.155Z","avatar_url":"https://github.com/cloudogu.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"![](https://cloudogu.com/assets/blog/2019/Icon_K8Apps-1b648cccc5fe798e6e39e7a2471728e35e0ba6c8491fc281458da5b222a29513.png)\n\n# Kubernetes Security Demos\n\nDemos for several kubernetes security features \n\n\u003c!-- Update with `doctoc --notitle README.md`. 
See https://github.com/thlorenz/doctoc --\u003e\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n\n- [Overview](#overview)\n- [Running the demos](#running-the-demos)\n- [Credentials](#credentials)\n- [Demo recordings](#demo-recordings)\n  - [Security Context](#security-context)\n- [Blog Posts](#blog-posts)\n- [Setting up the clusters](#setting-up-the-clusters)\n  - [Deleting clusters](#deleting-clusters)\n  - [Costs](#costs)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n# Overview\n\nInitially, these demos were developed during the preparation for some talks on [Kubernetes appOps Security](https://github.com/cloudogu/k8s-appops-security-talks) and our [K8s application security training](https://cloudogu.com/en/trainings/?mtm_campaign=k8s-sec-demos\u0026mtm_kwd=trainings\u0026mtm_source=github\u0026mtm_medium=link).\n\nSee also our [series of blog posts](#blog-posts) on the topic.\n\nTested to run on Google Kubernetes Engine (GKE) with a local Linux machine.  \nShould also work on Mac.  \nShould run on all clusters that support NetworkPolicies and PodSecurityPolicies.\n\n\n1. ~~Role Based Access Control (RBAC)~~ - RBAC has been the default for years. \nA showcase for the downsides of ABAC seems obsolete. \nIf you're interested, check the [git history](https://github.com/cloudogu/k8s-security-demos/tree/b94aa0a94358cc04f3f1beed80f755ac14b994da).\n2. [Network Policies](2-network-policies/Readme.md)\n3. [Security Context](3-security-context/Readme.md)\n4. [Pod Security Policies](4-pod-security-policies/Readme.md)\n\n# Running the demos\n\nEach demo lives in its own subfolder, which contains\n\n* `apply.sh`, which deploys the applications required for the demo, and\n* `README.md`, which contains the steps of the demo\n\nNote that the scripts also create entries in your `/etc/hosts`.\n\nAll demos run inside the same cluster. 
Before running, make sure your `kubeconfig` points to a non-production cluster.\nIf you want, you can set one up on your GKE account using the script inside this repo. \nSee [Setting up the clusters](#setting-up-the-clusters).\n\n# Credentials\n\nIf not otherwise stated, the login credentials for the webapps are\n\n* User: `admin`\n* Password: `12345` \n\nIt's a demo after all! 😉\n\n# Demo recordings\n\n## Security Context \n\n[![asciicast](https://asciinema.org/a/366999.svg)](https://asciinema.org/a/366999)\n\nRecorded live at [heiseDevSec 2020](https://cloudogu.github.io/k8s-appops-security-talks/2020-10-23-heise-devsec/#/).\n\n# Blog Posts\n\nThe examples evolved further while working on an article series called \"Kubernetes AppOps Security\" published in the German magazine JavaSPEKTRUM. Both the English translation and the German original can be found on the Cloudogu Blog.\n\n* 05/2019\n  * [🇬🇧 Network Policies - Part 1 - Good Practices](https://cloudogu.com/en/blog/k8s-app-ops-part-1)\n  * [🇩🇪 Network Policies - Teil 1 - Good Practices](https://cloudogu.com/de/blog/k8s-app-ops-teil-1)\n* 06/2019\n  * [🇬🇧 Network Policies - Part 2 - Advanced Topics and Tips](https://cloudogu.com/en/blog/k8s-app-ops-part-2)\n  * [🇩🇪 Network Policies - Teil 2 - Fortgeschrittene Themen und Tipps](https://cloudogu.com/de/blog/k8s-app-ops-teil-2)\n* 01/2020\n  * [🇬🇧 Security Context – Part 1: Good Practices](https://cloudogu.com/en/blog/k8s-app-ops-part-3-security-context-1)\n  * [🇩🇪 Security Context – Teil 1: Good Practices](https://cloudogu.com/de/blog/k8s-app-ops-teil-3-security-context-1)\n* 02/2020\n  * [🇬🇧 Security Context - Background](https://cloudogu.com/en/blog/k8s-app-ops-part-4-security-context-2)\n  * [🇩🇪 Security Context - Hintergründe](https://cloudogu.com/de/blog/k8s-app-ops-teil-4-security-context-2)\n* 04/2020\n  * [🇬🇧 Pod Security Policies – Good Practices](https://cloudogu.com/en/blog/k8s-app-ops-part-5-pod-security-policies-1)\n  * [🇩🇪 Pod Security Policies – Good 
Practices](https://cloudogu.com/de/blog/k8s-app-ops-teil-5-pod-security-policies-1)\n* 05/2020\n  * [🇬🇧 Pod Security Policies – Good Practices](https://cloudogu.com/en/blog/k8s-app-ops-part-6-pod-security-policies-2)\n  * [🇩🇪 Pod Security Policies – Good Practices](https://cloudogu.com/de/blog/k8s-app-ops-teil-6-pod-security-policies-2)\n\n# Setting up the clusters\n\nThese demos should run on most Kubernetes clusters that support NetworkPolicies and PodSecurityPolicies.\n\nThis repo also provides a script for setting up a defined environment on Google Kubernetes Engine. \nYou can set it up using [createCluster.sh](createCluster.sh).  \nIt uses Terraform to roll out the clusters. If you prefer a bash-only variant, check the [git history](https://github.com/cloudogu/k8s-security-demos/tree/b94aa0a94358cc04f3f1beed80f755ac14b994da).\n\nTo use the script:\n\n* set your GKE `ZONE` and `PROJECT` in `config.sh`  \n  (alternatively, you can set these properties via env vars).  \n  Note that you can also set `CLUSTER_VERSION` (like `1.11`) and `MACHINE_TYPE` (like `n1-standard-2`).\n  From time to time GKE drops support for older cluster versions, so you might need to set a newer one if the one in \n  `config.sh` is no longer supported at the time of execution. \n* set up a service account on GKE that allows Terraform to do the setup\n```shell script\nsource config.sh\nSA=terraform-cluster\n\n# Create SA\ngcloud iam service-accounts create ${SA} --display-name ${SA} --project ${PROJECT}\n\n# Authorize (maybe roles/container.admin is enough?) 
\ngcloud projects add-iam-policy-binding ${PROJECT} \\\n  --member serviceAccount:${SA}@${PROJECT}.iam.gserviceaccount.com --role=roles/editor\n\n# Export credentials\ngcloud iam service-accounts keys create \\\n  --iam-account ${SA}@${PROJECT}.iam.gserviceaccount.com terraform/account.json\n```\n* Have Terraform installed (should work with 0.12 and 0.13)\n* Call `./createCluster.sh`\n* Terraform will ask for confirmation before executing.   \n  If you don't want that, call `./createCluster.sh -auto-approve`\n\n## Deleting clusters \n\nYou can delete the cluster and the entries in `/etc/hosts` once you're done using the `./delete-clusters.sh` script. \n\n## Costs \n\nFor a quick create, demo, delete cycle the cost should be \u003c $10.\nThe total infra cost for initially creating these demos was about $10. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudogu%2Fk8s-security-demos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudogu%2Fk8s-security-demos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudogu%2Fk8s-security-demos/lists"}