Completek8s Classroom notes 22/Oct/2023

kube-bench report

  • Bring up the kubeadm cluster
  • Install krew to add plugins to kubectl. Refer Here
  # official krew install steps; the download URL is the krew GitHub release
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
  # add the krew bin directory to PATH (put this line in ~/.bashrc or ~/.zshrc to persist it)
  export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
  • Now install the tree plugin for kubectl
  kubectl krew install tree
  # create a workload for the scanner to report on
  kubectl create deployment nginx --image nginx:1.16
  • Wait for the reports to be generated
  • Install the Trivy operator; it creates custom resources (the highlighted ones, e.g. VulnerabilityReport) for each scanned workload
  # list the VulnerabilityReport generated for the nginx ReplicaSet
  kubectl get vulnerabilityreport replicaset-nginx-85bfcd86d5 -o wide
  # to get the full report
  kubectl get vulnerabilityreport replicaset-nginx-85bfcd86d5 -o json

  • Refer Here for the vulnerabilities

  • Find me resolutions to at least 2 critical vulnerabilities
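To work through the "find resolutions" task, here is an added example (not from the classroom notes or the Trivy project) that parses a VulnerabilityReport of the kind `kubectl get vulnerabilityreport ... -o json` returns, keeps only the CRITICAL findings and splits them into ones with an available package fix and ones without. The report below is constructed; its CVE IDs, packages and versions are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample shaped like a trivy-operator VulnerabilityReport
# (apiVersion aquasecurity.github.io/v1alpha1). IDs and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "apiVersion": "aquasecurity.github.io/v1alpha1",
    "kind": "VulnerabilityReport",
    "metadata": {"name": "replicaset-nginx-85bfcd86d5-nginx", "namespace": "default"},
    "report": {
        "artifact": {"repository": "library/nginx", "tag": "1.16"},
        "summary": {"criticalCount": 2, "highCount": 1, "mediumCount": 0, "lowCount": 0},
        "vulnerabilities": [
            {"vulnerabilityID": "CVE-EXAMPLE-0001", "resource": "libssl1.1",
             "installedVersion": "1.1.1d-0", "fixedVersion": "1.1.1n-0", "severity": "CRITICAL"},
            {"vulnerabilityID": "CVE-EXAMPLE-0002", "resource": "zlib1g",
             "installedVersion": "1:1.2.11", "fixedVersion": "", "severity": "CRITICAL"},
            {"vulnerabilityID": "CVE-EXAMPLE-0003", "resource": "curl",
             "installedVersion": "7.64.0", "fixedVersion": "7.64.0-4", "severity": "HIGH"},
        ],
    },
})


def triage(report_json: str, severity: str = "CRITICAL") -> Dict[str, List[dict]]:
    """Return findings of one severity, bucketed into 'fixable' (fixedVersion set) and 'unfixed'."""
    report = json.loads(report_json)
    out: Dict[str, List[dict]] = {"fixable": [], "unfixed": []}
    for v in report["report"]["vulnerabilities"]:
        if v.get("severity") != severity:
            continue
        entry = {"id": v["vulnerabilityID"], "package": v["resource"],
                 "installed": v["installedVersion"], "fixed": v.get("fixedVersion", "")}
        out["fixable" if entry["fixed"] else "unfixed"].append(entry)
    return out


def resolutions(report_json: str, severity: str = "CRITICAL") -> List[str]:
    """One remediation line per finding: upgrade the package, or rebuild on a newer base image."""
    t = triage(report_json, severity)
    lines = [f"{e['id']}: upgrade {e['package']} {e['installed']} -> {e['fixed']}" for e in t["fixable"]]
    lines += [f"{e['id']}: no fix for {e['package']} {e['installed']}; rebuild on a newer base image"
              for e in t["unfixed"]]
    return lines


if __name__ == "__main__":
    for line in resolutions(SAMPLE_REPORT):
        print(line)
```

Pipe the real report in with `kubectl get vulnerabilityreport <name> -o json` and read it from stdin instead of SAMPLE_REPORT; the fixable bucket is where the quickest resolutions (image rebuild with upgraded packages) come from.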

Attacker Gains Access to Pod

  • By default, Kubernetes allows Pods to reach Pods in any other namespace within the cluster
  • The only way to stop this is with a NetworkPolicy (enforced by the cluster's CNI plugin, which must support it)
  • Next Steps

    • GateKeeper
    • AppArmor
    • Certificates

