-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
176 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| ## Exercise — Network Policies | ||
|
|
||
| - Implement a system with 3 levels of security | ||
|
|
||
| (private pods, public pods, namespace pods) | ||
|
|
||
| - Apply it to the DockerCoins demo app |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # Exercise — Network Policies | ||
|
|
||
| We want to to implement a generic network security mechanism. | ||
|
|
||
| Instead of creating one policy per service, we want to | ||
| create a fixed number of policies, and use a single label | ||
| to indicate the security level of our pods. | ||
|
|
||
| Then, when adding a new service to the stack, instead | ||
| of writing a new network policy for that service, we | ||
| only need to add the right label to the pods of that service. | ||
|
|
||
| --- | ||
|
|
||
| ## Specifications | ||
|
|
||
| We will use the label `security` to classify our pods. | ||
|
|
||
| - If `security=private`: | ||
|
|
||
| *the pod shouldn't accept any traffic* | ||
|
|
||
| - If `security=public`: | ||
|
|
||
| *the pod should accept all traffic* | ||
|
|
||
| - If `security=namespace`: | ||
|
|
||
| *the pod should only accept connections coming from the same namespace* | ||
|
|
||
| If `security` isn't set, assume it's `private`. | ||
|
|
||
| --- | ||
|
|
||
| ## Test setup | ||
|
|
||
| - Deploy a copy of the DockerCoins app in a new namespace | ||
|
|
||
| - Modify the pod templates so that: | ||
|
|
||
| - `webui` has `security=public` | ||
|
|
||
| - `worker` has `security=private` | ||
|
|
||
| - `hasher`, `redis`, `rng` have `security=namespace` | ||
|
|
||
| --- | ||
|
|
||
| ## Implement and test policies | ||
|
|
||
| - Write the network policies | ||
|
|
||
| (feel free to draw inspiration from the ones we've seen so far) | ||
|
|
||
| - Check that: | ||
|
|
||
| - you can connect to the `webui` from outside the cluster | ||
|
|
||
| - the application works correctly (shows 3-4 hashes/second) | ||
|
|
||
| - you cannot connect to the `hasher`, `redis`, `rng` services | ||
|
|
||
| - you cannot connect or even ping the `worker` pods |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| ## Exercise — RBAC | ||
|
|
||
| - Create two namespaces for users `alice` and `bob` | ||
|
|
||
| - Give each user full access to their own namespace | ||
|
|
||
| - Give each user read-only access to the other's namespace | ||
|
|
||
| - Let `alice` view the nodes of the cluster as well |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| # Exercise — RBAC | ||
|
|
||
| We want to: | ||
|
|
||
| - Create two namespaces for users `alice` and `bob` | ||
|
|
||
| - Give each user full access to their own namespace | ||
|
|
||
| - Give each user read-only access to the other's namespace | ||
|
|
||
| - Let `alice` view the nodes of the cluster as well | ||
|
|
||
| --- | ||
|
|
||
| ## Initial setup | ||
|
|
||
| - Create two namespaces named `alice` and `bob` | ||
|
|
||
| - Check that if we impersonate Alice, we can't access her namespace yet: | ||
| ```bash | ||
| kubectl --as alice get pods --namespace alice | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## Access for Alice | ||
|
|
||
| - Grant Alice full access to her own namespace | ||
|
|
||
| (you can use a pre-existing Cluster Role) | ||
|
|
||
| - Check that Alice can create stuff in her namespace: | ||
| ```bash | ||
| kubectl --as alice create deployment hello --image nginx --namespace alice | ||
| ``` | ||
|
|
||
| - But that she can't create stuff in Bob's namespace: | ||
| ```bash | ||
| kubectl --as alice create deployment hello --image nginx --namespace bob | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## Access for Bob | ||
|
|
||
| - Similarly, grant Bob full access to his own namespace | ||
|
|
||
| - Check that Bob can create stuff in his namespace: | ||
| ```bash | ||
| kubectl --as bob create deployment hello --image nginx --namespace bob | ||
| ``` | ||
|
|
||
| - But that he can't create stuff in Alice's namespace: | ||
| ```bash | ||
| kubectl --as bob create deployment hello --image nginx --namespace alice | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## Read-only access | ||
|
|
||
| - Now, give Alice read-only access to Bob's namespace | ||
|
|
||
| - Check that Alice can view Bob's stuff: | ||
| ```bash | ||
| kubectl --as alice get pods --namespace bob | ||
| ``` | ||
|
|
||
| - But that she can't touch this: | ||
| ```bash | ||
| kubectl --as alice delete pods --namespace bob --all | ||
| ``` | ||
|
|
||
| - Likewise, give Bob read-only access to Alice's namespace | ||
|
|
||
| --- | ||
|
|
||
| ## Nodes | ||
|
|
||
| - Give Alice read-only access to the cluster nodes | ||
|
|
||
| (this will require creating a custom Cluster Role) | ||
|
|
||
| - Check that Alice can view the nodes: | ||
| ```bash | ||
| kubectl --as alice get nodes | ||
| ``` | ||
|
|
||
| - But that Bob cannot: | ||
| ```bash | ||
| kubectl --as bob get nodes | ||
| ``` | ||
|
|
||
| - And that Alice can't update nodes: | ||
| ```bash | ||
| kubectl --as alice label nodes --all hello=world | ||
| ``` |