steven-deboer / kustomizegoat

This project is forked from bridgecrewio/kustomizegoat

Vulnerable Kustomize Kubernetes templates for training and education

HTML 86.34% Dockerfile 13.66%

kustomizegoat's Introduction

KustomizeGoat - Vulnerable by design Kustomize deployment

Maintained by Bridgecrew.io

[Image: Terragoat]

Demonstrating secure and insecure Kubernetes IaC manifests using Kustomize.io (kubectl -k) overlays.

What's in the repo

The manifests are based on the following blog post, which demonstrates how to take a basic NGINX Kubernetes deployment with many security issues and use Checkov to produce a fully compliant manifest that achieves the same NGINX deployment.

Using kustomize overlays (environments), we see both forms of these configurations here:

  • kustomize/base - Our base manifests, similar to the starting manifests in the blog post: insecure.

  • kustomize/overlays/test - A few security updates, but still a lot of non-compliance.

  • kustomize/overlays/dev - An example of an empty overlay; it produces the same results as base when merged with kustomize build.

  • kustomize/overlays/prod - Fully compliant additions to base; this overlay renders a clean bill of health when scanned with Checkov.io's new Kustomize support!

Scanning with Checkov.io

Simply clone this repository and point Checkov at the git checkout path. Checkov's Kustomize framework will traverse the directories, find bases and overlays, template them out, and finally run all of the built-in Kubernetes security policies against each of the rendered templates.

checkov --framework kustomize -d ./kustomizegoat

[Image: Checkov Kustomize Output]

Checkov will provide results for each base and each overlay separately, allowing you to see misconfigurations specific to each environment and whether those security issues are inherited from your base manifests.

To see this more clearly, we can ask Checkov to return just a single policy, such as CKV_K8S_11 ("CPU limits should be set", from the CIS Kubernetes guidelines).

Here we can clearly see that only the prod overlay passes, with all other overlays (and the base manifests) failing the policy.
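As an added example (not code from the kustomizegoat repo or from Checkov), here is a small Python model of that inheritance: a constructed base Deployment with no limits, per-environment overlay patches, a simplified strategic merge, and a simplified check standing in for CKV_K8S_11. Container names, images and resource values are assumed.

```python
import copy

# Constructed base Deployment (stands in for kustomize/base): no resources stanza at all.
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.21"},
    ]}}},
}

# Constructed overlay patches, keyed by environment and then by container name.
# dev is an empty overlay, test adds requests only, prod adds the CPU limit.
OVERLAY_PATCHES = {
    "dev": None,
    "test": {"nginx": {"resources": {"requests": {"cpu": "250m"}}}},
    "prod": {"nginx": {"resources": {"limits": {"cpu": "500m", "memory": "128Mi"},
                                     "requests": {"cpu": "250m", "memory": "64Mi"}}}},
}

def merge(dst, patch):
    """Recursive map merge: the part of a strategic merge patch this example needs."""
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            merge(dst[key], value)
        else:
            dst[key] = copy.deepcopy(value)
    return dst

def render(base, patch):
    """Apply an overlay's per-container patches to a copy of the base, matched by container name."""
    rendered = copy.deepcopy(base)
    for container in rendered["spec"]["template"]["spec"]["containers"]:
        merge(container, (patch or {}).get(container["name"], {}))
    return rendered

def cpu_limits_set(deployment):
    """Simplified CKV_K8S_11: every container must declare resources.limits.cpu."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return all(c.get("resources", {}).get("limits", {}).get("cpu") for c in containers)

def scan_environments():
    """Evaluate the base and each rendered overlay separately, as Checkov reports them."""
    results = {"base": cpu_limits_set(BASE_DEPLOYMENT)}
    for env, patch in OVERLAY_PATCHES.items():
        results[env] = cpu_limits_set(render(BASE_DEPLOYMENT, patch))
    return results
```

scan_environments() returns {'base': False, 'dev': False, 'test': False, 'prod': True}: the empty dev overlay inherits the base failure unchanged, and only prod clears the policy.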

[Image: Checkov Kustomize Output]

We also added the --compact flag to reduce CLI output for the screenshots; otherwise the specific templated manifest would also be shown alongside the failed policies, like so:

[Image: Checkov Kustomize Output]

Contributing

PRs and suggestions for further examples that highlight Kubernetes security posture are always welcome!

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design CloudFormation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application
  • KustomizeGoat - Vulnerable by design kustomize deployment

kustomizegoat's People

Contributors

eurogig, metahertz, schosterbarak, steven-deboer
