https://github.com/do-community/k8s-iac-security-workshop
- Host: GitHub
- URL: https://github.com/do-community/k8s-iac-security-workshop
- Owner: do-community
- Created: 2021-10-01T19:22:25.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-10-07T14:40:51.000Z (over 4 years ago)
- Last Synced: 2025-01-16T17:00:54.860Z (over 1 year ago)
- Language: Mustache
- Size: 41 KB
- Stars: 1
- Watchers: 6
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Kubernetes Infrastructure as Code Gamified
This workshop was first run at [SnykCon 2021](https://snyk.io/snykcon/).
## Instructions
1. By yourself or in a small group, spend at least 25 minutes looking through the files in this repository and try to identify at least 7 security vulnerabilities.
There are three directories:
- A terraform directory that sets up a Kubernetes cluster using DigitalOcean Kubernetes.
- A helm directory that has files for setting up ingress-nginx.
- An api-deployment directory that has YAML manifests to deploy an example API written in Go.
Hint:
- 2 high-severity security vulnerabilities
- 5 medium-severity security vulnerabilities
If you have no idea where to start looking, it’s okay! Pick an article from the resources section, read through it and try to find one issue to look for.
2. After looking through the repo, fork it into your GitHub account, sign up for [Snyk](https://snyk.io/product/infrastructure-as-code-security/) and run the Snyk IaC scanner on your fork. Make changes to fix the issues and then run the scan again. Celebrate when you have fixed the 7 vulnerabilities!
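As an added illustration of what the scanner step is doing under the hood, the script below encodes a handful of the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) "restricted" rules (host namespaces, privileged containers, privilege escalation, running as root, dropped capabilities) plus a common image-tag check, and runs them over a weak Deployment manifest and its hardened counterpart. This is not code from the workshop repository: the two manifests, the rule set and the severity labels are constructed here for the example and do not reproduce the repository's actual findings.

```python
"""Tiny Pod Security Standards checker for Kubernetes workload manifests.

Added example for the workshop above, not the workshop's own code. The
manifests below are constructed in-line (as Python dicts rather than YAML,
so the script runs with no extra dependencies) and are unrelated to the
files in the workshop repository.
"""

# Constructed sample: a Deployment with pod settings that a scanner would
# flag against the "restricted" Pod Security Standard.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-api"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,  # shares the node's network namespace
                "containers": [
                    {
                        "name": "api",
                        "image": "example/api:latest",  # mutable tag
                        "securityContext": {"privileged": True},
                    }
                ],
            }
        }
    },
}

# The same Deployment after hardening: every finding above is addressed.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-api"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "api",
                        "image": "example/api:1.4.2",  # constructed pinned tag
                        "securityContext": {
                            "privileged": False,
                            "allowPrivilegeEscalation": False,
                            "runAsNonRoot": True,
                            "capabilities": {"drop": ["ALL"]},
                        },
                    }
                ],
            }
        }
    },
}


def pod_spec(manifest):
    """Return the pod spec of a bare Pod or of a template-bearing workload."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(manifest):
    """Return a list of (severity, message) findings for one manifest.

    Severities are this example's own labels (an assumption), not Snyk's.
    """
    findings = []
    spec = pod_spec(manifest)

    # Host namespaces: forbidden by both the baseline and restricted profiles.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(("high", f"{field} is enabled"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(("high", f"container {name} runs privileged"))
        # The restricted profile requires these to be set explicitly, so an
        # absent field is a finding, not a pass.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("medium", f"container {name} does not set allowPrivilegeEscalation: false"))
        if sc.get("runAsNonRoot") is not True:
            findings.append(("medium", f"container {name} does not set runAsNonRoot: true"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(("medium", f"container {name} does not drop ALL capabilities"))
        # Not a PSS rule, but a typical IaC scanner check: unpinned images.
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]
        if "@" not in image and (":" not in ref or ref.endswith(":latest")):
            findings.append(("medium", f"container {name} uses an unpinned image {image!r}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 4}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        found = check_manifest(manifest)
        print(f"{label}: {summarize(found)}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

Re-running the checker after each fix, as step 2 asks you to do with the real scanner, is the useful habit here: the hardened manifest produces no findings, and removing any one of its `securityContext` fields brings the corresponding finding back.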
### Resources
- [OWASP Kubernetes Security Checklist](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html)
- [NSA Kubernetes Hardening Guidance](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)
- [Snyk Kubernetes Security | Issues and Best Practices](https://snyk.io/learn/kubernetes-security/)
- [Top 10 Kubernetes Application Security Hardening Techniques](https://blog.aquasec.com/kubernetes-hardening-techniques)
- [Overview of Cloud Native Security](https://kubernetes.io/docs/concepts/security/overview/)
- [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)