iBet uBet web content aggregator. Adding the entire web to your favor.
iBet uBet web content aggregator. Adding the entire web to your favor.



Link to original content: http://github.com/bridgecrewio/kustomizegoat
GitHub - bridgecrewio/kustomizegoat: Vulnerable Kustomize Kubernetes templates for training and education
Skip to content
/ kustomizegoat Public

Vulnerable Kustomize Kubernetes templates for training and education

47 stars 96 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bridgecrewio/kustomizegoat

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
images
images
 
 
kustomize
kustomize
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
default.conf
default.conf
 
 
index.html
index.html
 
 

Repository files navigation

KustomizeGoat - Vulnerable by design Kustomize deployment

Maintained by Bridgecrew.io

Terragoat

Demonstrating secure and non secure kubernetes IaC manifests using Kustomize.io (kubectl -k) overlays.

Whats in the repo

The manifests are based on the following blog post, which demonstrates howto take a basic NGINX kubernetes deployment with many security issues, and use checkov to produce a fully compliant manifest to acheive the same NGINX deployment.

Using kustomize overlays (environments) we see both forms of these configurations here:

  • kustomize/base - Our base manifests, similar to the starting manifests in the blog post, insecure.

  • kustomize/overlays/test - A few security updates, but still a lot of non compliance.

  • kustomize/overlays/dev - An example of an empty overlay, produces the same results as base when merged with kustomize build

  • kustomize/overlays/prod - Fully compliant additions to base, this overlay renders a clean bill of health when scanned with Checkov.io's new Kustomize support!

Scanning with Checkov.io

Simply clone this repository, and point checkov at the git checkout path, Checkov's Kustomize framework will traverse the directories, find bases and overlays and template them out, finally running all of the builtin Kubernetes security policies against each of the rendered templates.

checkov --framework kustomize -d ./kustomizegoat

Checkov Kustomize Output

Checkov will provide results for each base and each overlay seperately, allowing you to see misconfigurations specific to each environment and wether those security issues are inherited from your base manifests.

To see this more clearly, we can ask Checkov to just return a single policy, such as CKV_K8S_11: CPU limits should be set from the CIS Kubernetes guidelines.

Here we can clearly see only the prod overlay passes, with all over overlays (and the base manifests) failing the policy.

Checkov Kustomize Output

We also added the --compact flag to reduce CLI output for the screenshots, otherwise the specific templated manifest would also be shown with the failed policies, like so:

Checkov Kustomize Output

Contributing

PR's and suggestions for further examples which highlight Kubernetes security posture are always welcome!

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design Cloudformation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application
  • KustomizeGoat - Vulnerable by design kustomize deployment

About

Vulnerable Kustomize Kubernetes templates for training and education

Resources

Readme
Activity
Custom properties

Stars

47 stars

Watchers

7 watching

Forks

96 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages