Task 1 - Setup Azure CloudShell

1. Setup your AzureCloud Shell

• Login to Azure Cloud Portal https://portal.azure.com/ with the provided login/password

  

• Click the link “Skip for now (14 days until this is required)” do not click the “Next” button

  

• Click the “Next” button

  

• Click on Cloud Shell icon on the Top Right side of the portal

  

• Select Bash

  

• Click on Mount Storage Account

  

• Select

  • Storage Account Subscription - Internal-Training
  • Apply

• Click Select existing Storage account, Click Next

  

• in Select Storage account Step,

  • Subscription: Internal-Training
  • Resource Group: Select the Resource group from the drop down: K8sXX-K8s101-workshop
  • Storage Account: Use existing storage account from dropdown.
  • File share: Use cloudshellshare
  • Click Select

  

• After 1-2 minutes, You should now have access to Azure Cloud Shell console

  

Task 2 - Get Kubernetes Ready

In this chapter, we will:

• Retrieve the script from GitHub
• Prepare the Kubernetes environment
• Set necessary variables

Clone script from github

cd $HOME
git clone https://github.com/FortinetCloudCSE/k8s-201-workshop.git
cd $HOME/k8s-201-workshop
git pull
cd $HOME

Get K8S Ready

You have multiple options for setting up Kubernetes:

1. If you are using the K8s-101 workshop environment, you can continue in the K8s-101 environment and choose Option 1.
2. If you are on the K8s-201 environment, choose Option 2 or Option 3 to start from K8s-201 directly.

Start Here

owner="tecworkshop"
alias k="kubectl"
currentUser=$(az account show --query user.name -o tsv)
resourceGroupName=$(az group list --query "[?contains(name, '$(whoami)') && contains(name, 'workshop')].name" -o tsv)
location=$(az group show --name $resourceGroupName --query location -o tsv)
scriptDir="$HOME"
svcname=$(whoami)-$owner
cfosimage="fortinetwandy.azurecr.io/cfos:255"
cfosnamespace="cfostest"

cat << EOF | tee > $HOME/variable.sh
#!/bin/bash -x
owner="tecworkshop"
alias k="kubectl"
currentUser=$(az account show --query user.name -o tsv)
resourceGroupName=$(az group list --query "[?contains(name, '$(whoami)') && contains(name, 'workshop')].name" -o tsv)
location=$(az group show --name $resourceGroupName --query location -o tsv)
scriptDir="$HOME"
svcname=$(whoami)-$owner
cfosimage="fortinetwandy.azurecr.io/cfos:255"
cfosnamespace="cfostest"
EOF
echo location=$location >> $HOME/variable.sh
echo owner=$owner >> $HOME/variable.sh
echo scriptDir=$scriptDir >> $HOME/variable.sh
echo cfosimage=$cfosimage >> $HOME/variable.sh
echo resourceGroupName=$resourceGroupName >> $HOME/variable.sh
chmod +x $HOME/variable.sh
line='if [ -f "$HOME/variable.sh" ]; then source $HOME/variable.sh ; fi'
grep -qxF "$line" ~/.bashrc || echo "$line" >> ~/.bashrc
source $HOME/variable.sh
$HOME/variable.sh
if [ -f $HOME/.ssh/known_hosts ]; then
grep -qxF "$vm_name" "$HOME/.ssh/known_hosts"  && ssh-keygen -R "$vm_name"
fi

echo ResourceGroup  = $resourceGroupName
echo Location = $location
echo ScriptDir = $scriptDir
echo cFOS docker image = $cfosimage
echo cFOS NameSpace = $cfosnamespace

 ResourceGroup = k8s54-k8s101-workshop
 Location = eastus
 ScriptDir = /home/k8s54
 cFOS docker image = fortinetwandy.azurecr.io/cfos:255
 cFOS NameSpace = cfostest

kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.14.3/config/manifests/metallb-native.yaml
kubectl rollout status deployment controller -n metallb-system

local_ip=$(kubectl get node -o wide | grep 'control-plane' | awk '{print $6}')
cat <<EOF | tee metallbippool.yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  - $local_ip/32
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example
  namespace: metallb-system
EOF
kubectl apply -f metallbippool.yaml 

kubectl get node -o wide

NAME          STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
node-worker   Ready    <none>          4m24s   v1.26.1   10.0.0.4      <none>        Ubuntu 22.04.4 LTS   6.5.0-1022-azure   cri-o://1.25.4
nodemaster    Ready    control-plane   9m30s   v1.26.1   10.0.0.5      <none>        Ubuntu 22.04.4 LTS   6.5.0-1022-azure   cri-o://1.25.4

scriptDir="$HOME"
cd $HOME/k8s-201-workshop/scripts/cfos/egress
./create_kubeadm_k8s_on_ubuntu22.sh
cd $scriptDir
svcname=$(kubectl config view -o json | jq .clusters[0].cluster.server | cut -d "." -f 1 | cut -d "/" -f 3)
echo $svcname

kubectl get node -o wide

NAME                        STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
k8strainingmasterk8s511     Ready    control-plane   4m23s   v1.26.1   10.0.0.4      <none>        Ubuntu 22.04.4 LTS   6.5.0-1022-azure   cri-o://1.25.4
k8strainingworker-k8s51-1   Ready    <none>          102s    v1.26.1   10.0.0.5      <none>        Ubuntu 22.04.4 LTS   6.5.0-1022-azure   cri-o://1.25.4

az network public-ip list -o table

Name                               ResourceGroup          Location    Zones    Address        IdleTimeoutInMinutes    ProvisioningState
---------------------------------  ---------------------  ----------  -------  -------------  ----------------------  -------------------
k8strainingmaster-k8s51-1PublicIP  k8s51-k8s101-workshop  eastus               52.224.219.58  4                       Succeeded
k8strainingworker-k8s51-1PublicIP  k8s51-k8s101-workshop  eastus               40.71.204.87   4                       Succeeded

kubectl get installation default -o jsonpath="{.spec}" | jq .

{
  "calicoNetwork": {
    "bgp": "Disabled",
    "containerIPForwarding": "Enabled",
    "hostPorts": "Enabled",
    "ipPools": [
      {
        "blockSize": 24,
        "cidr": "10.224.0.0/16",
        "disableBGPExport": false,
        "encapsulation": "VXLAN",
        "natOutgoing": "Enabled",
        "nodeSelector": "all()"
      }
    ],
    "linuxDataplane": "Iptables",
    "multiInterfaceMode": "None",
    "nodeAddressAutodetectionV4": {
      "firstFound": true
    }
  },
  "cni": {
    "ipam": {
      "type": "Calico"
    },
    "type": "Calico"
  },
  "controlPlaneReplicas": 2,
  "flexVolumePath": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
  "kubeletVolumePluginPath": "/var/lib/kubelet",
  "nodeUpdateStrategy": {
    "rollingUpdate": {
      "maxUnavailable": 1
    },
    "type": "RollingUpdate"
  },
  "nonPrivileged": "Disabled",
  "variant": "Calico"
}

masternodename="k8strainingmaster"-$(whoami)-1.${location}.cloudapp.azure.com
ssh ubuntu@$masternodename

workernodename="k8strainingworker-$(whoami)-1.${location}.cloudapp.azure.com"
ssh ubuntu@$workernodename

nodeip=$(kubectl get node -o jsonpath='{.items[0].status.addresses[0].address}')
echo $nodeip 
 
cat << EOF | tee sshclient.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: ssh-jump-host
  labels:
    app: ssh-jump-host
spec:
  containers:
  - name: ssh-client
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "apk add --no-cache openssh && apk add --no-cache curl && tail -f /dev/null"]
    stdin: true
    tty: true
EOF

kubectl apply -f sshclient.yaml
echo wait for pod ready, use Ctr-c to break
kubectl get pod  ssh-jump-host -w

kubectl exec -it ssh-jump-host -- sh -c "mkdir -p ~/.ssh"
kubectl cp ~/.ssh/id_rsa default/ssh-jump-host:/root/.ssh/id_rsa
kubectl exec -it ssh-jump-host -- sh -c 'chmod 600 /root/.ssh/id_rsa'

#!/bin/bash -x
owner="tecworkshop"
alias k="kubectl"
currentUser=$(az account show --query user.name -o tsv)
#resourceGroupName=$(az group list --query "[?tags.UserPrincipalName=='$currentUser'].name" -o tsv)
resourceGroupName=$(az group list --query "[?contains(name, '$(whoami)') && contains(name, 'workshop')].name" -o tsv)
location=$(az group show --name $resourceGroupName --query location -o tsv)
scriptDir="$HOME"
svcname=$(whoami)-$owner
cfosimage="fortinetwandy.azurecr.io/cfos:255"
cfosnamespace="cfostest"
echo "Using resource group $resourceGroupName in location $location"

cat << EOF | tee > $HOME/variable.sh
#!/bin/bash -x
alias k="kubectl"
scriptDir="$HOME"
aksVnetName="AKS-VNET"
aksClusterName=$(whoami)-aks-cluster
rsakeyname="id_rsa_tecworkshop"
remoteResourceGroup="MC"_${resourceGroupName}_$(whoami)-aks-cluster_${location} 
EOF
echo location=$location >> $HOME/variable.sh
echo owner=$owner >> $HOME/variable.sh
echo resourceGroupName=$resourceGroupName >> $HOME/variable.sh
echo cfosimage=$cfosimage >> $HOME/variable.sh
echo scriptDir=$scriptDir >> $HOME/variable.sh
echo cfosnamespace=$cfosnamespace >> $HOME/variable.sh

chmod +x $HOME/variable.sh
line='if [ -f "$HOME/variable.sh" ]; then source $HOME/variable.sh ; fi'
grep -qxF "$line" ~/.bashrc || echo "$line" >> ~/.bashrc
source $HOME/variable.sh
$HOME/variable.sh

az network vnet create -g $resourceGroupName  --name  $aksVnetName --location $location  --subnet-name aksSubnet --subnet-prefix 10.224.0.0/24 --address-prefix 10.224.0.0/16

aksSubnetId=$(az network vnet subnet show \
  --resource-group $resourceGroupName \
  --vnet-name $aksVnetName \
  --name aksSubnet \
  --query id -o tsv)
echo $aksSubnetId


[ ! -f ~/.ssh/$rsakeyname ] && ssh-keygen -t rsa -b 4096 -q -N "" -f ~/.ssh/$rsakeyname

az aks create \
    --name ${aksClusterName} \
    --node-count 1 \
    --vm-set-type VirtualMachineScaleSets \
    --network-plugin azure \
    --location $location \
    --service-cidr  10.96.0.0/16 \
    --dns-service-ip 10.96.0.10 \
    --nodepool-name worker \
    --resource-group $resourceGroupName \
    --kubernetes-version 1.28.9 \
    --vnet-subnet-id $aksSubnetId \
    --ssh-key-value ~/.ssh/${rsakeyname}.pub
az aks get-credentials -g  $resourceGroupName -n ${aksClusterName} --overwrite-existing

kubectl get node -o wide

NAME                             STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
aks-worker-39339143-vmss000000   Ready    agent   47m   v1.28.9   10.224.0.4    <none>        Ubuntu 22.04.4 LTS   5.15.0-1066-azure   containerd://1.7.15-1

nodeip=$(kubectl get node -o jsonpath='{.items[0].status.addresses[0].address}')
echo $nodeip 
 
cat << EOF | tee sshclient.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: ssh-jump-host
  labels:
    app: ssh-jump-host
spec:
  containers:
  - name: ssh-client
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "apk add --no-cache openssh && apk add --no-cache curl && tail -f /dev/null"]
    stdin: true
    tty: true
EOF

kubectl apply -f sshclient.yaml
echo wait for pod ready, use Ctr-c to break
kubectl get pod  ssh-jump-host -w

kubectl exec -it ssh-jump-host -- sh -c "mkdir -p ~/.ssh"
kubectl cp ~/.ssh/id_rsa_tecworkshop default/ssh-jump-host:/root/.ssh/id_rsa
kubectl exec -it ssh-jump-host -- sh -c 'chmod 600 /root/.ssh/id_rsa'
kubectl exec -it po/ssh-jump-host -- ssh azureuser@$nodeip

azureuser@aks-worker-32004615-vmss000000:~$ 

Summary

Your preferred Kubernetes setup is now ready, and you are prepared to move on to the next task.

Task 3 - Get Familiar with cFOS

In this chapter, we will:

• Clone the scripts from GitHub
• Create a cFOS image pull Secret
• Create a cFOS license ConfigMap
• Deploy cFOS using a Deployment
• Config cFOS with cli command

If you are not familiar with Kubernetes Secrets and ConfigMaps, refer to ConfigMap and Secret in cFOS for more details.

When deploying cFOS, concepts such as Role and ClusterRole will be required. To better understand RBAC, Role, and ClusterRole, refer to K8s Role and RoleBinding

For more information about cFOS, check the cFOS overview and cFOS role in K8s.

Create namespae

cfosnamespace="cfostest"
kubectl create namespace $cfosnamespace

Create Image Pull Secret for Kubernetes

Use the script below to create a Kubernetes secret for pulling the cFOS image from Azure Container Registry (ACR). You will need an access token from ACR to create the secret.

defaultServer="fortinetwandy.azurecr.io"

echo -n "Enter the login server (default is $defaultServer): "
read -r loginServer
loginServer=${loginServer:-$defaultServer}

echo "Using login server: $loginServer"

echo -n "Paste your UserName for acr server $loginServer: "
read -r userName
echo "$userName"

echo -n "Paste your accessToken for acr server $loginServer: "
read -rs accessToken
echo  # This adds a newline after the hidden input

# Echo a masked version of the token for confirmation
echo "Access token received (masked): ${accessToken:0:4}****${accessToken: -4}"

docker login $loginServer -u $userName -p $accessToken

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

filename="cfosimagepullsecret.yaml"
echo $accessToken
echo $loginServer 
kubectl create namespace $cfosnamespace
kubectl create secret -n $cfosnamespace docker-registry cfosimagepullsecret \
    --docker-server=$loginServer \
    --docker-username=$userName \
    --docker-password=$accessToken \
    --docker-email=wandy@example.com
kubectl get secret cfosimagepullsecret -n $cfosnamespace -o yaml | tee $filename
sed -i '/namespace:/d' $filename

kubectl get secret -n $cfosnamespace

NAME                  TYPE                             DATA   AGE
cfosimagepullsecret   kubernetes.io/dockerconfigjson   1      38m

kubectl get secret -n $cfosnamespace cfosimagepullsecret -o jsonpath="{.data.\.dockerconfigjson}" | base64 --decode | jq -r '.auths."fortinetwandy.azurecr.io".auth' | base64 --decode

Create cFOS configmap license

cFOS requires a license to be functional. Once your license is activated, download the license file and then upload it to Azure Cloud Shell.

Important: Do not change or modify the license file.

• After upload, your .lic license file will be located in $HOME
• replace your .lic license file name in the script below to create a ConfigMap for the cFOS license
• Once the cFOS container boots up, it will automatically retrieve the ConfigMap to apply the license.

read -p "Paste your cFOS License Filename:|  " licFilename
echo $

cd $HOME
cfoslicfilename=$licFilename
[ ! -f $cfoslicfilename ] && read -p "Input your cfos license file name :|  " cfoslicfilename
$scriptDir/k8s-201-workshop/scripts/cfos/generatecfoslicensefromvmlicense.sh $cfoslicfilename
kubectl apply -f cfos_license.yaml -n $cfosnamespace

cfos_license.yaml created.
configmap/fos-license created

echo get your cFOS license file ready.
cat <<EOF | tee cfos_license.yaml
apiVersion: v1
kind: ConfigMap
metadata:
    name: fos-license
    labels:
        app: fos
        category: license
data:
    license: |+
EOF
cd $HOME
cfoslicfilename="<<INSERT YOUR .LIC FILENAME HERE>>"
[ ! -f $cfoslicfilename ] && read -p "Input your cfos license file name :|  " cfoslicfilename
while read -r line; do printf "      %s\n" "$line"; done < $cfoslicfilename >> cfos_license.yaml
kubectl create -f cfos_license.yaml -n $cfosnamespace

check license configmap

kubectl get cm fos-license -o yaml -n $cfosnamespace

diff -s -b <(k get cm fos-license -n $cfosnamespace -o jsonpath='{.data}' | jq -r .license |  sed '${/^$/d}' ) $cfoslicfilename

Files /dev/fd/63 and CFOSVLTMxxxxxx.lic are identical

Bring up cFOS

Enter the following YAML manifest to deploy a cFOS Deployment. This deployment includes annotations to work around the cFOS mount permission issue. It also features an initContainers section to ensure cFOS gets DNS configuration from Kubernetes. The number of replicas is set to 1.

• The file Task1_1_create_cfos_serviceaccount.yaml includes a ServiceAccount configured with the necessary permissions to read ConfigMaps and Secrets from Kubernetes. This setup involves Kubernetes RBAC (Role-Based Access Control), which includes creating a Role and a Role Binding. For more details, refer to K8S RBAC.
• The field “securityContext” has linux priviledge defined for cFOS container. check K8s Security for more detail.
• The field “volumes” about how to create storage for cFOS,the example below cFOS will not persist the data into storage.

kubectl create namespace $cfosnamespace
kubectl apply -f $scriptDir/k8s-201-workshop/scripts/cfos/Task1_1_create_cfos_serviceaccount.yaml  -n $cfosnamespace

k8sdnsip=$(k get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
cat << EOF | tee > cfos7210250-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfos7210250-deployment
  labels:
    app: cfos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/cfos7210250-container: unconfined
      labels:
        app: cfos
    spec:
      initContainers:
      - name: init-myservice
        image: busybox
        command:
        - sh
        - -c
        - |
          echo "nameserver $k8sdnsip" > /mnt/resolv.conf
          echo "search default.svc.cluster.local svc.cluster.local cluster.local" >> /mnt/resolv.conf;
        volumeMounts:
        - name: resolv-conf
          mountPath: /mnt
      serviceAccountName: cfos-serviceaccount
      containers:
      - name: cfos7210250-container
        image: $cfosimage
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN","SYS_ADMIN","NET_RAW"]
        ports:
        - containerPort: 443
        volumeMounts:
        - mountPath: /data
          name: data-volume
        - mountPath: /etc/resolv.conf
          name: resolv-conf
          subPath: resolv.conf
      volumes:
      - name: data-volume
        emptyDir: {}
      - name: resolv-conf
        emptyDir: {}
      dnsPolicy: ClusterFirst
EOF
kubectl apply -f cfos7210250-deployment.yaml -n $cfosnamespace
kubectl rollout status deployment cfos7210250-deployment -n $cfosnamespace &

Config cFOS

By default, cFOS does not have an SSH server installed, so you cannot SSH into cFOS for configuration. Instead, you need to use kubectl exec to access the cFOS shell for configuration. Another way to configure cFOS is by using a ConfigMap or the REST API.

For CLI configuration, the cli parser is “/bin/cli”, the default username is “admin” with no password.

To use kubectl exec to access the cFOS shell, you need to know the cFOS pod name first. You can use kubectl get pod -n $cfosnamespace to display the pod name, then use kubectl exec -it po/<cFOS podname> -n cfostest -- /bin/cli to access the cFOS shell:

podname=$(kubectl get pod -n $cfosnamespace -l app=cfos -o jsonpath='{.items[*].metadata.name}')
kubectl exec -it po/$podname -n $cfosnamespace -- /bin/cli

cFOS # diagnose sys license
Version: cFOS v7.2.1 build0255
Serial-Number: 
System time: Fri Jun 28 2024 12:46:41 GMT+0000 (UTC)

• cFOS package update

cFOS can keep updated with FortiGuard services. use below command to trigger package updates for all FortiGuard services.

execute update-now

2024/07/03 02:52:21 everything is up-to-date
2024/07/03 02:52:21 what to do next? stop
2024/07/03 02:52:21 created botnet ip db v7.3756
2024/07/03 02:52:21 DB updates notified!

Q&A

1. How much CPU/memory does cFOS consume in the cluster?

 kubectl top pod -n $cfosnamespace

2. How quickly does cFOS become fully functional from the moment it is created?

"The time for cFOS to become fully functional varies and involves several steps:
Downloading the cFOS image
Booting up the system
Applying the license
For a new installation, the process typically takes 1-3 minutes, depending on network connectivity speed and system resources." 

Cleanup

kubectl delete -f $scriptDir/k8s-201-workshop/scripts/cfos/Task1_1_create_cfos_serviceaccount.yaml  -n $cfosnamespace
kubectl delete namespace $cfosnamespace

do not delete cfosimagepullsecret.yaml and cfos_license.yaml, we will need this later.

What to do Next

if you want learn how to use cFOS for ingress protection , go directly to Chapter 7.

if you want learn how to use cFOS for egress protection , go directly to Chapter 8 and Chapter 9

if you want learn cFOS role in k8s security , check out Chapter 2.

if you want understand more about what is RBAC in k8s, check out Chapter 3 and Chapter4 .

if you want understand more about configmap, secret and how cFOS use configmap and secret, check out Chapter 5.

if you want undertsand what is k8s network and multus in general, check out Chapter 6 and Chapter 8.

Task 1 - Introduction to Kubernetes Security

Objective

This document provides an overview of security measures and strategies to protect workloads in Kubernetes, covering different phases of application lifecycle management.

Scope of Kubernetes Security

Applications running on Kubernetes include Cloud, Kubernetes Clusters, Containers, and Code (4C). Each layer of the Cloud Native security model builds upon the next outermost layer. The Code layer benefits from strong base (Cloud, Cluster, Container) security layers.

Securing workloads in Kubernetes involves multiple layers of the technology stack, from application development to runtime enforcement.

Application Development Phase

• Shift-left Approach: Focus on software supply chain security by checking the application code and dependencies before building application containers.

Tools: Fortinet Product FortiDevSec is build for this purpose

Application Deployment Phase

• Script Scanning: Scan deployment scripts like Terraform and CloudFormation, Secret, IAM etc to ensure they follow the principle of least privilege and comply with enterprise compliance requirements.
• Configuration Checks: Evaluate Kubernetes configurations against best practices and compliance standards, such as CIS benchmarks.
• Container Scanning: Scan container images for known vulnerabilities (CVEs).

Tools: Fortinet Product FortiDevSec , FortiCSPM are build for this purpose

Application Runtime Phase

• Configuration Drift: Continuously monitor for shifts in Kubernetes configurations, such as changes in application permissions or policies.
• Workload Protection: Implement measures to protect running workloads from threats through prevention, detection, and enforcement at both the Kubernetes API server level and at the Node/Container level or enforce via Networking Policy and container firewall.

Tools: Fortinet Product FortiCSPM can provide posture managment like Config Shift. Fortinet Product Fortiweb and FortiADC can provide application security to secure API traffic or other layer 4-7 malicious traffic coming into application POD Fortinet Product [cFOS] can provide Network Security to secure traffic enter or leaving application POD. Fortinet Product FortiXDR can provide Node/Container level protection by continusly detect abnormal activites at Node/Container level.

Runtime Workload Protection

Prevention/Protection via Network Security

• Actively stop unwanted traffic from entering or leaving Pods.
• Includes network security enhancements via deploy container based firewall like cFOS and CNI based Kubernetes network policies.

Prevention/Protection via Application Security

• Actively stop API or Layer 4-7 traffic entering Application Pods. For example, malicious API traffic via Kubernetes load balancer service entering application POD, malicious TCP/UDP/SCTP traffic from external entering into application Pod etc., the attack is embedded in the traffic payload.

Prevention with Detection

• Control Plane Monitoring: Use Kubernetes API audit logs to detect unusual API access.
• Runtime Monitoring: Employ Linux agents or agentless technology to detect unusual container syscalls, such as privilege escalation.

Kubernetes API Level Security

RBAC:

• RBAC Provides authorization control to Kubernetes resources by granting authenticated users minimal necessary permissions. We will talk about RBAC in next chapter.

Admission Control:

• Controls access at the Kubernetes API level. Built-in controllers include:

  • Pod Security Policy
  • Pod Security Admission (Pod Security Standards)

• Kubernetes offers integration capabilities with external tools like OPA and Kyverno for detailed Pod security control.

As of Kubernetes 1.21, PodSecurityPolicy (PSP) has been deprecated and is fully removed in Kubernetes 1.25 replaced by PSA. PSA can be used to evaluate the security settings of pod and container configurations to determine if they meet compliance requirements and enterprise security policies based on predefined policy levels."

Pod Security Contexts and Container SecurityContext

• PodSecurityContext or securityContext defines privileges for individual Pods or containers, allowing specific permissions like file access or running in privileged mode.

  • pod.spec.containers.allowPrivilegeEscalation

    AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process.

  • pod.spec.containers.privileged

    Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host.

For most containers, these two options shall be set to false. Other options like runAsUser and runAsGroup can specify a user and group ID for running the container. Applications like firewalls will require running as the root user.

Decide the SecurityContext for cFOS application

Containers, by default, inherit Linux capabilities from the container runtime, such as CRI-O or containerd. For instance, the CRI-O runtime typically grants most common Linux capabilities. Below are the capabilities provided by default in version cri1.25.4:

"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_KILL"

However, some network applications like cFOS may require additional privileges to be fully functional. For example, the capability CAP_NET_RAW is not included in the default list. Without CAP_NET_RAW, functions like ping cannot be executed inside the cFOS container.

Here is the brief purpose of mentioned capabilites

NET_RAW:

• Use RAW and PACKET sockets
• Bind to any address for transparent proxying
• This capability allows the program to craft IP packets from scratch, which includes sending and receiving ICMP packets (used in tools like ping).

NET_ADMIN:

• Grants a process extensive capabilities over network configuration and operations, such as NAT, iptables, etc.

SYS_ADMIN:

• It might be necessary for some advanced operations, such as configuring system-wide logging settings or manipulating system logs.

Task: Fix cFOS boot permission issue

• deploy imagepullsecret, serviceaccount

cd $HOME
kubectl create namespace cfostest
kubectl apply -f cfosimagepullsecret.yaml -n cfostest
kubectl create -f $scriptDir/k8s-201-workshop/scripts/cfos/Task1_1_create_cfos_serviceaccount.yaml  -n cfostest

cfosimage="fortinetwandy.azurecr.io/cfos:255"
cat << EOF | tee > cfos7210250-deployment.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfos7210250-deployment
  labels:
    app: cfos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      labels:
        app: cfos
    spec:
      serviceAccountName: cfos-serviceaccount
      securityContext:
        runAsUser: 0
      containers:
      - name: cfos7210250-container
        image: $cfosimage
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          capabilities:
            add: ["NET_RAW"]
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /data
          name: data-volume
      volumes:
      - name: data-volume
        emptyDir: {}
EOF
kubectl apply -f cfos7210250-deployment.yaml -n cfostest 
kubectl rollout status deployment cfos7210250-deployment -n cfostest

cmd="iptables -t nat -L -v"
podname=$(kubectl get pod -n cfostest -l app=cfos -o jsonpath='{.items[*].metadata.name}')
kubectl exec -it po/$podname -n cfostest -- $cmd

iptables v1.8.7 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)

• Try to solve the permission issue by adjust the securityContext Setting.

sed -i 's/add: \["NET_RAW"\]/add: ["NET_RAW","NET_ADMIN"]/' cfos7210250-deployment.yaml
kubectl replace -f cfos7210250-deployment.yaml -n cfostest
kubectl rollout status deployment cfos7210250-deployment -n cfostest

cmd="iptables -t nat -L -v"
podname=$(kubectl get pod -n cfostest -l app=cfos -o jsonpath='{.items[*].metadata.name}')
kubectl exec -it po/$podname -n cfostest -- $cmd

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination  

Prevention/Protection via Network Security

Actively stop unwanted traffic from entering or leaving Pods. Includes network security enhancements and Kubernetes network policies.

• Network Policies and Container Firewalls

cFOS is the Next Generation Layer 7 Firewall which is our key foucs in this workshop. the use case of cFOS include

• Control both ingress and egress traffic within Kubernetes. Default policies allow unrestricted traffic flow, which can be restricted using network policies based on tags.
• Kubernetes network policies support basic Layer 3-4 filtering. For Layer 7 visibility, deploying a Next-Generation Firewall (NGFW) capable of deep packet inspection alongside applications in Kubernetes can provide enhanced security.

In this workshop, We will walk through using cFOS to protect:

• Ingress traffic to Pod - North Bound

  • Layer 4 traffic to Pod
  • Layer 7 traffic to Pod

• Egress traffic from Pod to Cluster External traffic(with Multus) - South Bound

  • POD traffic to Internet
  • POD traffic to Enterprise internal application , such as Database in the same VPC

• Egress traffic from Pod to Cluster External traffic(with Multus) - South Bound

  • POD traffic to Internet
  • POD traffic to Enterprise internal, such as Database in the same VPC

• Pod to Pod traffic - East-West (with Multus)

  • Pod to Pod via Pod IP address

Clean up

Delete cFOS deployment, but keep cfosimagepullsecret and serivce account, we will need this later

kubectl delete namespace cfostest
kubectl delete -f $scriptDir/k8s-201-workshop/scripts/cfos/Task1_1_create_cfos_serviceaccount.yaml  -n cfostest

Q&A

• Does cFOS require run with priviledged: true ?

Task 2 - Authentication, Authorization, and Admission Control

Objective

Understand the differences between Kubernetes Authentication, Authorization, and Admission Control.

Kubernetes Authentication, Authorization, and Admission Control

Kubernetes security involves three primary processes: Authentication, Authorization, and Admission Control. These processes ensure that only verified users can perform actions they are permitted to perform within the cluster, and that those actions are validated by Kubernetes before they are executed.

Authentication

Authentication in Kubernetes confirms the identity of a user or process. It’s about answering “who are you?” Kubernetes supports several authentication methods:

• Client Certificates
• Bearer Tokens
• Basic Authentication
• External Identity Providers such as OIDC or LDAP

Common Use Cases for Authentication

• Client Certificates: Used in environments where certificates are managed through a corporate PKI.
• Bearer Tokens: Common in automated processes or scripts that interact with the Kubernetes API.
• OIDC: Used in organizations with existing identity solutions like Active Directory or Google Accounts for user authentication.

Authorization

Authorization in Kubernetes determines what authenticated users are allowed to do. It answers “what can you do?” There are several authorization methods in Kubernetes:

• Role-Based Access Control (RBAC)
• Attribute-Based Access Control (ABAC)
• Node Authorization
• Webhook

Common Use Cases for Each Authorization Method

RBAC (Role-Based Access Control)

• Use Case: The most common authorization method, used to finely tune permissions at a granular level based on the roles assigned to users or groups.
• Example: Granting a developer read-only access to Pods in a specific namespace.

ABAC (Attribute-Based Access Control)

• Use Case: Used in environments requiring complex access control decisions based on attributes of the user, resource, or environment.
• Example: Allowing access to a resource based on the department attribute of the user and the sensitivity attribute of the resource.

Node Authorization

• Use Case: Specific to controlling what actions a Kubernetes node can perform, primarily in secure or multi-tenant environments.
• Example: Restricting nodes to only read Secrets and ConfigMaps referenced by the Pods running on them.

Webhook

• Use Case: Used when integrating Kubernetes with external authorization systems for complex security environments.
• Example: Integrating with an external policy engine that evaluates whether a particular action should be allowed based on external data not available within Kubernetes.

Admission Control

Admission Control in Kubernetes is a process that intercepts requests to the Kubernetes API before they are persisted to ensure that they meet specific criteria set by the administrator. Admission Controllers are plugins that govern and enforce how the cluster is used.

Admission controllers are not enabled by default. They must be explicitly configured and enabled when starting the Kubernetes API server. The admission control process is specified through the –enable-admission-plugins flag on the API server.

Common Admission Controllers

Pod Security Policies (PSP)

• Use Case: Ensures that Pods meet security requirements by denying the creation of Pods that do not adhere to defined policies.
• Example: Restricting the use of privileged containers or the host network.

ResourceQuota

• Use Case: Enforces limits on the aggregate resource consumption per namespace.
• Example: Preventing any one namespace from using more than a certain amount of CPU or memory resources.

LimitRanger

• Use Case: Enforces defaults and limits on the sizes of resources like Pods, containers, and PersistentVolumeClaims.
• Example: Ensuring that every Pod has a memory request and limit to avoid resource exhaustion.

Summary

Authentication, authorization, and admission control are foundational to Kubernetes security, ensuring only authenticated and authorized actions that meet the cluster’s policy requirements are performed within the cluster.

Task 1 Investigate your k8s environment

kubectl config view --minify -o jsonpath='{.users[0].name}'

kubectl config current-context

kubectl auth can-i list configmaps -n kube-system

kubectl auth can-i '*' '*' -A

kubectl config view

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8strainingmaster1.westus.cloudapp.azure.com:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://k8s51-aks--k8s51-k8s101-wor-02b500-zf9ekyl6.hcp.eastus.azmk8s.io:443
  name: k8s51-aks-cluster
contexts:
- context:
    cluster: k8s51-aks-cluster
    user: clusterUser_k8s51-k8s101-workshop_k8s51-aks-cluster
  name: k8s51-aks-cluster
current-context: k8s51-aks-cluster
kind: Config
preferences: {}
users:
- name: clusterUser_k8s51-k8s101-workshop_k8s51-aks-cluster
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
    token: REDACTED

Task 3 - Introduction to Kubernetes Security

Objective

Learn how to use RBAC to control access to the Kubernetes Cluster.

What is RBAC

Kubernetes RBAC (Role-Based Access Control) is an authorization mechanism that regulates interactions with resources within a cluster. It operates by defining roles with specific permissions and binding these roles to users or service accounts. This approach ensures that only authorized entities can perform actions on resources such as pods, deployments, or secrets. By adhering to the principle of least privilege, RBAC allows each user or application access only to the permissions necessary for their tasks. It’s important to note that RBAC deals exclusively with authorization and not with authentication; it assumes that the identity of users or service accounts has been verified prior to enforcing access controls.

Below let’s walk through how to define a role with limited permission and apply to an user for access Kubernetes Cluster

Task 1: Create Read-Only User for Access Cluster

Create a New User Account for Developers to Access the Kubernetes Cluster, the user only has read-only permission

Create a Certificate for the User

• Generate a Certificate Signing Request (CSR):

  CSR

  generate Prepare CSR Check CSR Expected Output

  Kubernetes uses the group “system:authenticated” as a predefined label, which is trusted by external clients to dictate group membership. Kubernetes itself does not validate which group a user belongs to. This step involves generating a private key and a CSR using OpenSSL.

  openssl genrsa -out newuser.key 2048
  openssl req -new -key newuser.key -out newuser.csr -subj "/CN=tecworkshop/O=Devops"

  Create a YAML file for the CSR object in Kubernetes. This object includes the base64-encoded CSR data.

  cat << EOF | tee csrfortecworkshop.yaml
  apiVersion: certificates.k8s.io/v1
  kind: CertificateSigningRequest
  metadata:
    name: tecworkshop
  spec:
    groups:
      - system:authenticated
    request: $(cat newuser.csr | base64 | tr -d "\n")
    signerName: kubernetes.io/kube-apiserver-client
    usages:
      - client auth
  EOF
  kubectl create -f csrfortecworkshop.yaml

  Initially, the CSR will be in a pending state.

    kubectl get csr tecworkshop

  You should see Condition as Pending

  NAME          AGE   SIGNERNAME                            REQUESTOR           REQUESTEDDURATION   CONDITION
  tecworkshop   18s   kubernetes.io/kube-apiserver-client   kubernetes-admin    <none>              Pending

• Approve the CSR:

  Approve

  Approve Verify CSR Expected Output

  Approve the CSR to issue the certificate.

  kubectl certificate approve tecworkshop

  Verify the CSR has been approved and issued:

  kubectl get csr tecworkshop

  You should see Condition as Approved, Issued

  NAME          AGE   SIGNERNAME                            REQUESTOR           REQUESTEDDURATION   CONDITION
  tecworkshop   66s   kubernetes.io/kube-apiserver-client   kubernetes-admin    <none>              Approved,Issued

• Save the Certificate to a File:

  Save Cert

  Extract & Decode View Cert credentials context setup context change Verify Access Expected Output

  Extract and decode the certificate.

  kubectl get csr tecworkshop -o jsonpath='{.status.certificate}' | base64 --decode > newuser.crt

  Optionally, View Certificate Details:

  openssl x509 -in newuser.crt -text -noout

  Set Credentials for the New User:

  Configure kubectl to use the new user’s credentials.

  kubectl config set-credentials tecworkshop --client-certificate=newuser.crt --client-key=newuser.key

  Create a New Context for the New User:

  Set up a context that specifies the new user and cluster.

    adminContext=$(kubectl config current-context)
    adminCluster=$(kubectl config current-context | cut -d '@' -f 2)
    kubectl config set-context tecworkshop-context --cluster=$adminCluster --user=tecworkshop

  Switch to the New Context:

  Use the new context to interact with the cluster as the new user.

  kubectl config use-context tecworkshop-context

  Attempt to retrieve pods; it should fail due to lack of permissions.

  kubectl get pods

  You should see an error:

  Error from server (Forbidden): pods is forbidden: User "tecworkshop" cannot list resource "pods" in API group "" in the namespace "default"

Task 2: Authorize the User to List All Pods in All Namespaces

Use RBAC to grant the new user permission to list all pods across all namespaces.

kubectl config use-context $adminContext

kubectl create clusterrole readpods --verb=get,list,watch --resource=pods

kubectl create clusterrolebinding readpodsbinding --clusterrole=readpods --user=tecworkshop

kubectl config use-context tecworkshop-context

kubectl get pod -A

kubectl auth can-i get pods -A

yes

Switch back to admin user

make sure switch back to admin user for full control the k8s cluster

kubectl config use-context $adminContext

Summary

Above, we have detailed the process for granting human users the least privilege necessary to access the Kubernetes cluster. In the next chapter, we will explore how to restrict a POD or container by using a service account with the least privilege necessary for accessing the cluster.

This ensures that not only are human users operating under the principle of least privilege, but automated processes and applications within your cluster are also adhering to strict access controls, enhancing the overall security posture of your Kubernetes environment.

Clean up

kubectl config use-context $adminContext
kubectl config delete-context tecworkshop-context
kubectl config delete-user tecworkshop

Task 1 - Understanding Roles and ClusterRoles

Objective

Learn about RBAC Roles and ClusterRoles in Kubernetes.

In the previous chapter, we learned how to use RBAC to grant users permission to access Kubernetes. In this chapter, let’s dive into more detail about Roles and ClusterRoles.

Core Concepts of Kubernetes RBAC:

• Role: A Role is crucial when a Pod needs to access Kubernetes API resources such as ConfigMaps or Secrets within a specific namespace. It defines permissions that are limited to one namespace, enhancing security by restricting access scope.

• ClusterRole: Defines rules that represent a set of permissions across the entire cluster. It can also be used to grant access to non-namespaced resources like nodes.

• RoleBinding: Grants the permissions defined in a Role to a user or set of users within a specific namespace.

• ClusterRoleBinding: Grants the permissions defined in a ClusterRole to a user or set of users cluster-wide.

• Rules: Both Roles and ClusterRoles contain rules that define a set of permissions. A rule specifies a set of actions (verbs) that can be performed on a group of resources. Verbs include actions like get, watch, create, delete, etc., and resources might be pods, services, etc.

• Subjects: These are users, groups, or service accounts that are granted access based on their role.

• API Groups: Kubernetes organizes APIs into groups to streamline extensions and upgrades, categorizing resources to help manage the API’s evolution. Within these groups, verbs define permissible actions on the resources. These verbs are specified in Roles and ClusterRoles to grant precise control over resource access and manipulation.

• Service Account: Service Accounts are used by Pods to authenticate against the Kubernetes API, ensuring that API calls are securely identified and appropriately authorized based on the assigned roles and permissions.

Pre-defined RBAC Default Roles

Kubernetes comes with some default RBAC roles and clusterroles which are required for bootstrapping the cluster. For example, the role “system:controller:bootstrap-signer” grants the permission to Kubernetes nodes to bootstrap themselves. It automatically approves and signs certain CSRs used for node bootstrapping.

• pre-defined role system:controller:bootstrap-signer

this role is namespaced. it only grant permission to resource in namespace kube-system

kubectl get role system:controller:bootstrap-signer -n kube-system -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-03-22T05:51:03Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:bootstrap-signer
  namespace: kube-system
  resourceVersion: "179"
  uid: b8180d72-f23d-4950-acb4-2c7a51cdb961
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch

To see which RoleBindings are associated with this role:

kubectl get rolebinding -n kube-system system:controller:bootstrap-signer -o yaml

• pre-definded Clusterrole

Another example is the cluster-admin ClusterRole, which grants full administrative privileges across the entire cluster. This role allows nearly unrestricted access to all resources in the cluster, making it suitable for highly privileged users who need to manage and configure any aspect of the cluster.

this clusterrole is cluster wide. it can apply to entire cluster with clusterrolebinding.

kubectl get clusterrole cluster-admin -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-03-22T05:51:03Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "135"
  uid: 471a5843-4f14-4cbb-ac61-02afb2a701fd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

kubectl get clusterrolebinding cluster-admin -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-05-13T00:00:45Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "136"
  uid: f5753f58-e17c-4ca6-9ff0-cd39eda5f654
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Task: List all RBAC Default Roles and ClusterRoles

Take a look at what are the default role and clusterole pre-defined for a default cluster.

default role/clusterrole come with a label “kubernetes.io/bootstrapping=rbac-defaults”. you can use this label to filter the default role/clusterrole.

• List all default ClusterRoles:

kubectl get clusterrole -l kubernetes.io/bootstrapping=rbac-defaults

• List all default Roles:

kubectl get role -l kubernetes.io/bootstrapping=rbac-defaults -A

Task 2 - Creating and Managing Roles and ClusterRoles for cFOS

Objective

Create Roles and ClusterRoles for the cFOS application.

Core Concepts

• Role for ConfigMaps: cFOS needs to interact with the Kubernetes API to read ConfigMaps for configurations such as IPSEC, Firewall VIP, Policy config, and License.
• Role for Secrets: cFOS needs to interact with the Kubernetes API to read secrets, such as those used for pulling images,ipsec shared key etc.,

Create a ClusterRole for cFOS to Read ConfigMaps

cFOS pods require permission to read Kubernetes resources such as ConfigMaps. This includes permissions to watch, list, and read the ConfigMaps.

Define Rule for Role

A rule should define the least permission on an API resource:

• resources: List of Kubernetes API resources, such as configmaps.
• apiGroups: Lists which include the API group to which the resource belongs.
• verbs: The permissions on resources.

rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch

Decide to Use ClusterRole or Role

For cFOS, either a ClusterRole or a Role can be used as cFOS only requires minimal permissions.

kind: ClusterRole

Task 1 - Create a clusterrole for cFOS

You can use kubectl create command or use a yaml file. Use one of these options and then check the output!

kubectl create clusterrole configmap-reader --verb=get,list,watch --resource=configmaps 

cat << EOF | tee cfosConfigMapsClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-reader
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list"]
EOF
kubectl create -f cfosConfigMapsClusterRole.yaml 

kubectl get clusterrole configmap-reader

NAME               CREATED AT
configmap-reader   2024-05-05T08:11:35Z

kubectl describe clusterrole configmap-reader

Name:         configmap-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  configmaps  []                 []              [get list watch]

Task 2 - Create a Role for cFOS to Read Secrets

cFOS pods require using imagePullSecret to pull containers from an image repository. A “role” or “ClusterRole” is required to read the “secret.”

Create a ClusterRole for cFOS to Read Secrets

Use one of these options and then check the commands

kubectl create clusterrole secrets-reader --verb=get,list,watch --resource=secrets --resource-name=cfosimagepullsecret,someothername

cat << EOF | tee cfosSecretClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
   name: secrets-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["cfosimagepullsecret","someothername"]
  verbs: ["get", "watch", "list"]
EOF
kubectl create -f cfosSecretClusterRole.yaml

kubectl describe clusterrole secrets-reader

Name:         secrets-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names         Verbs
  ---------  -----------------  --------------         -----
  secrets    []                 [cfosimagepullsecret]  [get watch list]
  secrets    []                 [someothername]        [get watch list]

Summary

We defined two ClusterRoles for cFOS in this chapter. In the next chapter, we will explore how to bind these ClusterRoles to the serviceAccount of cFOS.

Clean up

kubectl delete clusterrole configmap-reader
kubectl delete clusterrole secrets-reader

Task 3 - Best practices for assigning permissions

Objective

Understand Best Practices for Assigning Permissions

Best Practices for Assigning Permissions in Kubernetes

Assigning permissions in Kubernetes through Roles and ClusterRoles is crucial for maintaining secure and efficient access control. Adhering to best practices ensures that permissions are granted appropriately and securely.

Principle of Least Privilege

• Description: Always grant only the minimum necessary permissions that users or services need to perform their tasks.
• Impact: Minimizes potential security risks by limiting the capabilities of users or automated processes.

Use Specific Roles for Namespace-Specific Permissions

• Role: Create a Role when you need to assign permissions that are limited to a specific namespace.
• Example: Assign a Role to a user that only needs to manage Pods and Services within a single namespace.

Use ClusterRoles for Cluster-Wide and Cross-Namespace Permissions

• ClusterRole: Utilize ClusterRoles to assign permissions that span across multiple namespaces or the entire cluster.
• Example: A ClusterRole may allow reading Nodes and PersistentVolumes, which are cluster-scoped resources.

Carefully Manage RoleBindings and ClusterRoleBindings

• RoleBindings: Use RoleBindings to grant the permissions defined in a Role or ClusterRole within a specific namespace.
• ClusterRoleBindings: Use ClusterRoleBindings to apply the permissions across the entire cluster.
• Impact: Ensures that permissions are appropriately scoped to either a namespace or the entire cluster.

Regularly Audit Permissions

• Periodic Reviews: Regularly review and audit permissions to ensure they align with current operational requirements and security policies.
• Tools: Use Kubernetes auditing tools or third-party solutions to monitor and log access and changes to RBAC settings.

Separate Sensitive Workloads

• Namespaces: Use namespaces to isolate sensitive workloads and apply specific security policies through RBAC.
• Impact: Enhances security by preventing unauthorized access across different operational environments.

Avoid Over-Permissioning Default Service Accounts

• Service Accounts: Modify default service accounts to restrict permissions, or create specific service accounts for applications that need specific permissions.
• Example: Disable the default service account token auto-mounting if not needed by the application.

Utilize Advanced RBAC Features and Tools

• Conditional RBAC: Explore using conditional RBAC for dynamic permission scenarios based on request context.
• Third-Party Tools: Consider tools like OPA (Open Policy Agent) for more complex policy enforcement beyond what Kubernetes native RBAC offers.

Summary

Following these best practices helps to secure Kubernetes environments by ensuring that permissions are carefully managed and aligned with the least privilege principle. Regular audits and careful planning of RBAC settings play crucial roles in maintaining operational security and efficiency.

Task 1 - Difference between RoleBindings and ClusterRoleBindings

Objective

Understand the difference between RoleBindings and ClusterRoleBindings.

Introduction

In Kubernetes, RoleBindings and ClusterRoleBindings are critical for linking roles with users, groups, or service accounts, granting them the necessary permissions to perform actions within the cluster.

RoleBinding

A RoleBinding grants permissions defined in a Role or ClusterRole within the confines of a specific namespace. This means that even if a ClusterRole is referenced by a RoleBinding, it only applies within that particular namespace.

ClusterRoleBinding

In contrast, a ClusterRoleBinding applies a ClusterRole across all namespaces within the cluster, including cluster-scoped resources. This broad application makes ClusterRoleBindings crucial for administrative tasks that span multiple namespaces.

Key Differences and Usage

• Scope:

  • RoleBinding: Limited to a single namespace.
  • ClusterRoleBinding: Applies across all namespaces.

• Usage:

  • RoleBinding: Often used when the permissions need to be namespace-specific.
  • ClusterRoleBinding: Used when permissions need to be cluster-wide, such as for system administrators or certain automated tasks.

• Flexibility and Policy Management:

  • Reusability: ClusterRoles are reusable across multiple namespaces with just additional RoleBindings, avoiding duplication.
  • Policy Management: ClusterRoles allow for centralized role definitions, simplifying the management and enforcement of policies across multiple namespaces.

Common Practices

• ClusterRole with RoleBinding: Useful for applying a set of permissions uniformly across multiple namespaces without granting cluster-wide access. This approach adheres to the principle of least privilege by restricting access to resources within specific namespaces.

• ClusterRole with ClusterRoleBinding: Typically used for roles that require broad access across the entire cluster, which is common in roles designed for cluster administrators or core system components.

Example

Below is an example of how to create a ClusterRole and bind it with a RoleBinding to apply it to a specific namespace:

kubectl create namespace my-namespace
# Create a ClusterRole
kubectl create clusterrole pod-reader --verb=get,list --resource=pods

# Bind the ClusterRole within a specific namespace
kubectl create rolebinding pod-reader-binding --clusterrole=pod-reader --serviceaccount=default:my-service-account --namespace=my-namespace

This setup allows the service account in ‘my-namespace’ to read pods in that namespace using permissions defined in a ClusterRole, demonstrating the flexibility and power of combining ClusterRoles with RoleBindings for fine-grained access control within specific areas of your cluster.

Task 2 - Creating and managing RoleBindings and ClusterRoleBindings

Object

Create and Manage RoleBinding and ClusterRoleBinding

Create ServiceAccount

K8s cluster internal application like cFOS will use serviceAccount with a JWT token to talk to k8s API. the Role or ClusterRole is bound to serviceAccount which in turn assocated with cFOS Pod.

ServiceAccounts are namespaced resources; if no namespace is supplied, they default to the “default” namespace.

Task 1: Create a serviceAccount for cFOS and bind to ClusterRole

kubectl create namespace cfostest
kubectl create serviceaccount cfos-serviceaccount -n cfostest 
kubectl create clusterrole configmap-reader --verb=get,list,watch --resource=configmaps 
kubectl create clusterrole secrets-reader --verb=get,list,watch --resource=secrets 

cd $HOME
kubectl apply -f cfosimagepullsecret.yaml -n cfostest
kubectl get sa -n cfostest 

kubectl patch serviceaccount cfos-serviceaccount -n cfostest \
  -p '{"imagePullSecrets": [{"name": "cfosimagepullsecret"}]}'

cat << EOF | tee cfos-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cfos-serviceaccount
  namespace: cfostest 
imagePullSecrets:
- name: cfosimagepullsecret
EOF
kubectl create -f cfos-serviceaccount.yaml 

kubectl describe sa cfos-serviceaccount -n cfostest

Name:                cfos-serviceaccount
Namespace:           cfostest
Labels:              <none>
Annotations:         <none>
Image pull secrets:  cfosimagepullsecret
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

Bind ClusterRole to ServiceAccount

Bind previously created ClusterRoles “configmap-reader” and “secrets-reader” to the service account in the namespace cfostest.

kubectl create rolebinding cfosrolebinding-configmap-reader --clusterrole=configmap-reader --serviceaccount=cfostest:cfos-serviceaccount -n cfostest
kubectl create rolebinding cfosrolebinding-secrets-reader --clusterrole=secrets-reader --serviceaccount=cfostest:cfos-serviceaccount -n cfostest

cat << EOF | tee cfosrolebinding.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cfosrolebinding-configmap-reader
  namespace: cfostest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: configmap-reader
subjects:
- kind: ServiceAccount
  name: cfos-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cfosrolebinding-secrets-reader
  namespace: cfostest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secrets-reader
subjects:
- kind: ServiceAccount
  name: cfos-serviceaccount
EOF
kubectl create -f cfosrolebinding.yaml -n cfostest

kubectl describe rolebinding cfosrolebinding-configmap-reader -n cfostest
kubectl describe rolebinding cfosrolebinding-secrets-reader -n cfostest

Name:         cfosrolebinding-configmap-reader
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  configmap-reader
Subjects:
  Kind            Name                 Namespace
  ----            ----                 ---------
  ServiceAccount  cfos-serviceaccount  cfostest
Name:         cfosrolebinding-secrets-reader
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  secrets-reader
Subjects:
  Kind            Name                 Namespace
  ----            ----                 ---------
  ServiceAccount  cfos-serviceaccount  cfostest

Check service account permission

Use kubectl auth can-i to check if a service account has the required permissions in a namespace.

kubectl auth can-i get configmaps --as=system:serviceaccount:cfostest:cfos-serviceaccount -n cfostest
kubectl auth can-i get secrets --as=system:serviceaccount:cfostest:cfos-serviceaccount -n cfostest

Both commands should return “yes”.

Check service account with kubectl pod

cat << EOF | kubectl -n cfostest apply -f - 
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
  labels: 
    app: kubectl
spec:
  serviceAccountName: cfos-serviceaccount
  containers:
  - name: kubectl
    image: bitnami/kubectl
    command:
    - "sleep"
    - "infinity"
EOF

kubectl exec -it po/kubectl -n cfostest  -- kubectl get cm
kubectl exec -it po/kubectl -n cfostest  -- kubectl get secret

NAME               DATA   AGE
kube-root-ca.crt   1      3m32s
NAME                  TYPE                             DATA   AGE
cfosimagepullsecret   kubernetes.io/dockerconfigjson   1      3m25s

Task 2 - Create cFOS Deployment and with serviceaccount

• Using kubectl with a YAML file

cat << EOF | tee cfosPOD.yaml 
---
apiVersion: v1
kind: Pod
metadata:
  name: cfos-pod
spec:
  serviceAccountName: cfos-serviceaccount
  containers:
    - name: cfos-container
      image: $cfosimage
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - NET_RAW
      volumeMounts:
      - mountPath: /data
        name: data-volume
  volumes:
  - name: data-volume
    emptyDir: {}
EOF
kubectl apply -f cfosPOD.yaml -n cfostest

kubectl describe po/cfos-pod -n cfostest | grep 'Service Account:'

Service Account: cfos-serviceaccount

clean up

kubectl delete namespace cfostest
kubectl delete clusterrole configmap-reader
kubectl delete clusterrole secrets-reader

Task 3 - Use cases and scenarios

Object

Understand the use case of Rolebinding and ClusterRoleBinding

Examples of Using Roles and ClusterRoles with Bindings in Kubernetes

Understanding when to use Role, ClusterRole, RoleBinding, and ClusterRoleBinding is crucial for proper access control within a Kubernetes environment. Here are some practical examples of each:

Namespace-Specific Permissions with Role and RoleBinding

Use Case: Managing Pods within a Single Namespace

• Scenario: You want to grant a user permissions to only create and delete Pods within the development namespace.
• Why Choose Role and RoleBinding:
  • Role: Defines permissions within a specific namespace.
  • RoleBinding: Applies those permissions to specific users within the same namespace.

Example:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: pod-manager
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-manager-binding
  namespace: development
subjects:
- kind: User
  name: "dev-user"
roleRef:
  kind: Role
  name: pod-manager
  apiGroup: rbac.authorization.k8s.io

Cluster-Wide Permissions with ClusterRole and ClusterRoleBinding

Use Case: Reading Secrets Across All Namespaces

• Scenario: A monitoring tool needs to read Secrets across all namespaces to gather configuration information.
• Why Choose ClusterRole and ClusterRoleBinding:
  • ClusterRole: Appropriate for defining permissions that span multiple namespaces.
  • ClusterRoleBinding: Applies permissions across the entire cluster.

Example:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader-binding
subjects:
- kind: ServiceAccount
  name: monitoring-service-account
  namespace: monitoring
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

Scoped ClusterRole with RoleBinding

Use Case: Limiting a Cluster-Wide Role to a Specific Namespace

• Scenario: You want to allow a CI/CD tool to manage Deployments and StatefulSets, but only within the staging namespace.
• Why Choose ClusterRole with RoleBinding:
  • ClusterRole: Defined once and can be used across multiple scenarios.
  • RoleBinding: Limits the broad permissions of a ClusterRole to a specific namespace, enhancing security without duplicating role definitions.

Example:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager
rules:
- apiGroups: ["apps", "extensions"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "create", "update", "delete"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager-binding
  namespace: staging
subjects:
- kind: ServiceAccount
  name: cicd-tool
  namespace: cicd
roleRef:
  kind: ClusterRole
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io

Summary

Choosing between Role and ClusterRole largely depends on the scope of access required. RoleBinding helps limit broader permissions defined in ClusterRole to specific namespaces, thereby providing flexibility and enhancing security through precise access control.

Task 1 - Access External Data

Overview of how POD access external data

Containers running in a Kubernetes pod can access external data in various ways, each catering to different needs such as configuration, secrets, and runtime variables. Here are the most common methods:

Environment Variables

Environment variables are a fundamental way to pass configuration data to the container. They can be set in a Pod definition and can derive from various sources:

• Directly in Pod Spec: Defined directly within the pod’s YAML configuration.
• From ConfigMaps: Extract specific data from ConfigMaps and expose them as environment variables.
• From Secrets: Similar to ConfigMaps, but used for sensitive data.

ConfigMaps

ConfigMaps allow you to decouple configuration artifacts from image content to keep containerized applications portable. The data stored in ConfigMaps can be consumed by containers in a pod in several ways:

• Environment Variables: As mentioned, loading individual properties into environment variables.
• Volume Mounts: Mounting the entire ConfigMap as a volume. This makes all data in the ConfigMap available to the container as files in a directory.

Secrets

Secrets are used to store and manage sensitive information such as passwords, OAuth tokens, and ssh keys. They can be mounted into pods similar to ConfigMaps but are designed to be more secure.

• Environment Variables: Injecting secrets into environment variables.
• Volume Mounts: Mounting secrets as files within the container, allowing applications to read secret data directly from the filesystem.

Persistent Volumes (PVs)

Persistent Volumes are used for managing storage in the cluster and can be mounted into a pod to allow containers to read and write persistent data.

• PersistentVolumeClaims: Containers use a PersistentVolumeClaim (PVC) to mount a PersistentVolume at a specified mount point. This volume lives beyond the lifecycle of an individual pod.

Volumes

Apart from ConfigMaps and Secrets, Kubernetes supports several other types of volumes that can be used to load data into a container:

• HostPath: Mounts a file or directory from the host node’s filesystem into your pod.
• NFS: A network file system (NFS) volume allows an existing NFS (Network File System) share to be mounted into your pod.
• Cloud Provider Specific Storage: Such as AWS Elastic Block Store, Google Compute Engine persistent storage, Azure File Storage, etc.

Downward API

The Downward API allows containers to access information about the pod, including fields such as the pod’s name, namespace, and annotations, and expose this information either through environment variables or files. By using the Downward API, applications can remain loosely coupled from Kubernetes APIs while still leveraging the dynamic configuration capabilities of the platform

Service Account Token

A Kubernetes Service Account can be used to access the Kubernetes API. The credentials of the service account (token) can automatically be placed into the pod at a well-known location (/var/run/secrets/kubernetes.io/serviceaccount), or can be accessed through environment variables, allowing the container to interact with the Kubernetes API.

cFOS will use this JWT token to authenticate itself with kubernetes API to perform action like read configMap etc.,

External Data Sources

Containers can also access external data via APIs or web services during runtime. This can be any external source accessible over the network, which the container can access using its networking capabilities.

These methods provide versatile options for passing data to containers, ensuring that Kubernetes can manage both stateless and stateful applications effectively.

Below is a configuration sample that allow cFOS to use external url to get a file as dstaddr in firewall policy

cat << EOF | tee cm_external_resource.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm-externalresource
  labels:
      app: fos
      category: config
data:
  type: partial
  config: |-
    config system external-resource
      edit "External-resource-files"
        set type address
        set resource "http://10.104.3.130/resources/urls"
        set refresh-rate 2
        set interface "eth0"
      next
    end
    config firewall policy
       edit 10
        set srcintf "eth0"
        set dstintf "eth0"
        set srcaddr "all"
        set dstaddr "External-resource-files"
        set action deny
       next
    end
EOF
kubectl apply -f cm_external_resource.yaml

kubectl describe cm cm-externalresource

Name:         cm-externalresource
Namespace:    default
Labels:       app=fos
              category=config
Annotations:  <none>

Data
====
config:
----
config system external-resource
  edit "External-resource-files"
    set type address
    set resource "http://10.104.3.130/resources/urls"
    set refresh-rate 2
    set interface "eth0"
  next
end
config firewall policy
   edit 10
    set srcintf "eth0"
    set dstintf "eth0"
    set srcaddr "all"
    set dstaddr "External-resource-files"
    set action deny
   next
end
type:
----
partial

BinaryData
====

Events:  <none>

Clean up

cat << EOF | kubectl apply -f - 
apiVersion: v1
data:
  config: |2
  type: full
kind: ConfigMap
metadata:
  labels:
    app: fos
    category: config
  name: cm-full-empty
EOF
kubectl delete cm cm-externalresource
kubectl delete cm cm-full-empty

the kubectl delete cm cm-externalresource will delete cm-externalresource configmap from k8s, but this will not delete config on cFOS. so we create a empty config with type “full” to reset cFOS config to factory default. this will remove all configuration which include cm-externalresource from cFOS

Task 2 - Creating and Managing ConfigMaps and Secrets

Objective

Learn how cFOS can use ConfigMaps and Secrets to Config itself

Access External Data with ConfigMap

cFOS can continusely watch the Add/Del/Update of the ConfigMap in K8s, then use configMap data to config cFOS.

ConfigMap holds configuration data for pods to consume. configuration data can be binary or text data , both is a map of string. cnofigmap data can be set to “immutable” to prevent the change.

cFOS has build in feature can read the configMap from k8s via k8s API. when cFOS POD serviceaccount configured with a permission to read configMaps, cFOS can read configMap as it’s configuration such as license data , firewall policy related config etc.,

Task: Create a configMap for cFOS to import license

cd $HOME
kubectl create namespace cfostest
kubectl apply -f cfosimagepullsecret.yaml -n cfostest
kubectl apply -f $scriptDir/k8s-201-workshop/scripts/cfos/Task1_1_create_cfos_serviceaccount.yaml  -n cfostest

k8sdnsip=$(k get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
cat << EOF | tee > cfos7210250-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfos7210250-deployment
  labels:
    app: cfos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/cfos7210250-container: unconfined
      labels:
        app: cfos
    spec:
      initContainers:
      - name: init-myservice
        image: busybox
        command:
        - sh
        - -c
        - |
          echo "nameserver $k8sdnsip" > /mnt/resolv.conf
          echo "search default.svc.cluster.local svc.cluster.local cluster.local" >> /mnt/resolv.conf;
        volumeMounts:
        - name: resolv-conf
          mountPath: /mnt
      serviceAccountName: cfos-serviceaccount
      containers:
      - name: cfos7210250-container
        image: $cfosimage
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN","SYS_ADMIN","NET_RAW"]
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /data
          name: data-volume
        - mountPath: /etc/resolv.conf
          name: resolv-conf
          subPath: resolv.conf
      volumes:
      - name: data-volume
        emptyDir: {}
      - name: resolv-conf
        emptyDir: {}
      dnsPolicy: ClusterFirst
EOF
kubectl apply -f cfos7210250-deployment.yaml -n cfostest
kubectl rollout status deployment cfos7210250-deployment -n cfostest

kubectl logs --tail=100 -n cfostest -l app=cfos | grep license

cat <<EOF | tee cfos_license.yaml
apiVersion: v1
kind: ConfigMap
metadata:
    name: cfos-license
    labels:
        app: fos
        category: license
data:
    license: |+
EOF

licfile="CFOSVLTM24000016.lic"
while read -r line; do printf "      %s\n" "$line"; done < $licfile >> cfos_license.yaml

kubectl create -f cfos_license.yaml -n cfostest  

kubectl logs -f  -l app=cfos -n cfostest

podname=$(kubectl get pod -n cfostest -l app=cfos -o jsonpath='{.items[*].metadata.name}')
kubectl exec -it po/$podname -n cfostest -- /bin/cli

diag sys license

cFOS # diagnose sys license
Status: Valid license
SN: CFOSVLTM240000**
Valid From: 2024-05-23
Valid To: 2024-07-25

Task 2 - Use cFOS ConfigMap for Firewall VIP config

cat << EOF | tee fosconfigmapfirewallvip.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: foscfgvip
  labels:
      app: fos
      category: config
data:
  type: partial
  config: |-
    config firewall vip
           edit "test"
               set extip "10.244.166.15"
               set mappedip "10.244.166.18"
               set extintf eth0
               set portforward enable
               set extport "8888"
               set mappedport "80"
           next
       end
EOF
kubectl create -f fosconfigmapfirewallvip.yaml -n cfostest

2024-05-14_10:57:18.63416 INFO: 2024/05/14 10:57:18 received a new fos configmap
2024-05-14_10:57:18.63417 INFO: 2024/05/14 10:57:18 configmap name: foscfgvip, labels: map[app:fos category:config]
2024-05-14_10:57:18.63417 INFO: 2024/05/14 10:57:18 got a fos config
2024-05-14_10:57:18.63417 INFO: 2024/05/14 10:57:18 applying a partial fos config...
2024-05-14_10:57:19.42525 INFO: 2024/05/14 10:57:19 fos config is applied successfully.

cat << EOF | kubectl create -n cfostest -f - 
apiVersion: v1
kind: ConfigMap
metadata:
  name: foscfgvip-del
  labels:
      app: fos
      category: config
data:
  type: partial
  config: |-
    config firewall vip
           del "test"
    end
EOF

cat << EOF | kubectl -n cfostest apply -f - 

apiVersion: v1
data:
  config: |
  type: full
kind: ConfigMap
metadata:
  labels:
    app: fos
    category: config
  name: cm-full-empty
EOF

kubectl logs -f -l app=cfos -n cfostest

2024-05-14_12:22:58.24465 INFO: 2024/05/14 12:22:58 received a new fos configmap
2024-05-14_12:22:58.24466 INFO: 2024/05/14 12:22:58 configmap name: cm-full-empty, labels: map[app:fos category:config]
2024-05-14_12:22:58.24466 INFO: 2024/05/14 12:22:58 got a fos config
2024-05-14_12:22:58.24493 INFO: 2024/05/14 12:22:58 applying a full fos config...

Access External Data with Secrets

Kubernetes Secrets are objects that store sensitive data such as passwords, OAuth tokens, SSH keys, etc. The primary purpose of using secrets is to protect sensitive configuration from being exposed in your application code or script. Secrets provide a mechanism to supply containerized applications with confidential data while keeping the deployment manifests or source code non-confidential.

Benefits of Using Secrets

• Security: Secrets keep sensitive data out of your application code and Pod definitions. Management: Simplifies sensitive data management as updates to secrets do not require image rebuilds or application redeployments.
• Flexibility: Can be mounted as data volumes or exposed as environment variables to be used by a container in a Pod. Also, they can be used by the Kubernetes system itself for things like accessing a private image registry.

How to Create Secrets

• use KubeCTL or YAML file
  ​

  Using kubectl cli Expected Output Using yaml File

  kubectl create secret generic ipsec-shared-key --from-literal=ipsec-shared-pass=12345678 -n cfostest

  use kubectl get secret ipsec-shared-key -o yaml -n cfostest can check the secret just created.

  the password “12345678” encoded with base64 and saved in k8s. you can still see the original password with

  kubectl get secret ipsec-shared-key -o json -n cfostest | jq -r '.data["ipsec-shared-pass"]' | base64 -d

  cat << EOF | kubectl apply -n cfostest -f - 
  apiVersion: v1
  kind: Secret
  metadata:
    name: ipsec-shared-key
  data:
    ipsec-shared-pass: $(echo 12345678 | base64)
  type: Opaque
  EOF

  The type field helps Kubernetes software and developers know how to treat the contents of the secret. The type Opaque is one of several predefined types that Kubernetes supports for secrets.

  Info

  Opaque: This is the default type for a secret. It indicates that the secret contains arbitrary data that isn’t structured in any predefined way specific to Kubernetes. This type is used when you are storing secret data that doesn’t fit into any of the other types of secrets that Kubernetes understands (like docker-registry or tls). the other options for type are : “kubernetes.io/service-account-token:”, “kubernetes.io/dockerconfigjson”,“kubernetes.io/tls” etc., when we create secret for store docker login secret, we have to use type: kubernetes.io/dockerconfigjson.

Consuming Secrets in a Pod

• Environment Variables

Secret can be passed into POD as environment variables.

• Mount Secret as Volume

• ImagePullSecrets

Secret can be used in field “ImagePullSecrets” in serviceaccount or POD manifest for example. you can define a secriceaccount to include an ImagePullSecrets. or you can use secret in Pod or “Deployment” manifest for pod to pull image with secret.

• As port of ConfigMap

Secret can be part of the ConfigMap for configuration purpose. for example, we can embeded secret in configMap for cFOS.

• Use external secret management system

for example, HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault . These systems can dynamically inject secrets into your applications, often using a sidecar container or a mutating webhook to provide secrets to the application securely.

Task 1 - use secret in configMap

kubectl create secret generic ipsec-psks --from-literal=psk1="12345678"

kubectl apply -f $scriptDir/k8s-201-workshop/scripts/cfos/02_clusterip_cfos.yaml -n cfostest

cat << EOF | kubectl apply -n cfostest -f - 
apiVersion: v1
data:
  type: partial
  config: |-
    config vpn ipsec phase1-interface
        edit "test-p1"
           set interface "eth0"
           set remote-gw 10.96.17.42
           set peertype any
           set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
           set psksecret {{ipsec-psks:psk1}}
           set auto-negotiate disable
         next
     end
    config vpn ipsec phase2-interface
        edit "test-p2"
            set phase1name "test-p1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set dhgrp 14 15 5
            set src-subnet 10.4.96.0 255.255.240.0
            set dst-subnet 10.0.4.0 255.255.255.0
        next
    end
kind: ConfigMap
metadata:
  labels:
    app: fos
    category: config
  name: cm-ipsecvpn
EOF

podname=$(kubectl get pod -n cfostest -l app=cfos -o jsonpath='{.items[*].metadata.name}')
kubectl exec -it po/$podname -n cfostest -- /bin/cli

Summary

cFOS has build-in support for read data from k8s configMaps and Secrets , which enable multiple cFOS container in one cluster to share the configuration data.

clean up

kubectl delete -f cfos7210250-deployment.yaml -n cfostest
kubectl delete svc ipsec -n cfostest
kubectl delete clusterrole configmap-reader
kubectl delete clusterrole secrets-reader
kubectl delete cm cm-full-empty -n cfostest 
kubectl delete cm cm-full-empty -n cfostest
kubectl delete cm foscfgvip -n cfostest 
kubectl delete cm foscfgvip-del -n cfostest 
kubectl delete cm cm-ipsecvpn -n cfostest

Task 3 - Creating and Managing Storage

Use external data

Application like cFOS may persist the data such as license, configuration data, log etc to storage that outside of the POD. for example, cFOS container will like to mount /data to other Volume.

to do that, we have to create a “Volume” attached to POD for container to mount

1. field spec.template.spec.containers.volmeMounts will try to mount /data directory in cfos to Volume /data-volume
2. field spec.template.spec.volumens define the volume with name “data-volume” and it’s actual storage location is on host directory /cfosdata

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cfos-deployment
spec:
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      labels:
        app: cfos
    spec:
      containers:
      - name: cfos
        image: $cfosimage
        securityContext:
          capabilities:
            add: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
        volumeMounts:
        - mountPath: /data
          name: data-volume
      volumes:
      - name: data-volume
        hostPath:
          path: /cfosdata
          type: DirectoryOrCreate 

Volume Types

• PVC (Persistent Volume Claims)

Persistent Volume Claims are a way of letting users consume abstract storage resources, while allowing administrators to manage the provisioning of storage and its underlying details in a flexible manner. PVCs are used in scenarios where persistent storage is needed for stateful applications, such as databases, key-value stores, and file storage.

• emptyDir

An emptyDir volume is created when a Pod is assigned to a Node, and it exists as long as that Pod is running on that Node. The data in an emptyDir volume is deleted when the Pod is removed.

• nfs (Network File System)

An nfs volume allows an existing NFS (Network File System) share to be mounted into a Pod. NFS volumes are often used in environments where data needs to be quickly and easily shared between Pods.

• awsElasticBlockStore, gcePersistentDisk, and azureDisk

These volumes allow you to integrate Kubernetes Pods with cloud provider-specific storage solutions, like AWS EBS, GCE Persistent Disks, and Azure Disk.

• hostPath

A path directly on host node.

Example 1 - config cfos deployment to use PVC

scriptDir=$HOME
kubectl create namespace cfostest
kubectl apply -f cfosimagepullsecret.yaml -n cfostest
kubectl apply -f $scriptDir/k8s-201-workshop/scripts/cfos/Task1_1_create_cfos_serviceaccount.yaml  -n cfostest

cat << EOF | kubectl apply -n cfostest -f - 
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cfosdata
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
EOF

cat << EOF | kubectl apply -n cfostest -f - 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfos7210250-deployment
  labels:
    app: cfos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/cfos7210250-container: unconfined
      labels:
        app: cfos
    spec:
      serviceAccountName: cfos-serviceaccount
      containers:
      - name: cfos7210250-container
        image: $cfosimage
        securityContext:
          capabilities:
              add: ["NET_ADMIN","SYS_ADMIN","NET_RAW"]
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /data
          name: data-volume
      volumes:
      - name: data-volume
        persistentVolumeClaim:
          claimName: cfosdata

EOF

kubectl delete deployment cfos7210250-deployment -n cfostest 

Example 2 - config cfos deployment to use emptyDir

With this configuration, the /data lifecycle share POD lifecycle. when POD gone, the data will also gone. If using this configuration, make sure cFOS use configmap for all the configuration, and send all log to remote syslog server to prevent loss of the log.

to use emptyDir, just change spec.template.spec.volmumens to “emptyDir”

cat << EOF | kubectl apply -n cfostest -f - 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfos7210250-deployment
  labels:
    app: cfos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/cfos7210250-container: unconfined
      labels:
        app: cfos
    spec:
      serviceAccountName: cfos-serviceaccount
      containers:
      - name: cfos7210250-container
        image: $cfosimage
        securityContext:
          capabilities:
              add: ["NET_ADMIN","SYS_ADMIN","NET_RAW"]
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /data
          name: data-volume
      volumes:
      - name: data-volume
        emptyDir: {}

EOF

clean up

kubectl delete namespace cfostest
kubectl delete clusterrole configmap-reader
kubectl delete clusterrole secrets-reader

Task 1 - Review of Kubernetes Default Networking

What is CNI?

The Container Network Interface (CNI) is a standard that defines how network interfaces are managed in Linux containers. It’s widely used in container orchestration systems, like Kubernetes, to provide networking for pods and their containers. CNI allows for a plug-and-play approach to network connectivity, supporting a range of networking tasks from basic connectivity to more advanced network configurations.

Here are some of the major CNI plugins widely used across the industry:

• Calico
• Flannel
• Weave Net
• Cilium
• Canal

for managed k8s like AKS, because it ususally require integrate with VNET, so azure has it’s own CNI which is “azure-vnet” cni.

• Azure AKS “azure-vnet”
• AWS EKS “amazon VPC CNI”
• Googke GKE “kubenet” or “calico etc”

all these CNI from managed k8s allow POD use subnet from VNET/VPC address space.

normally, the cni configuration can be found from each node “/etc/cni/net.d” directory.

for example on AKS worker node.

azureuser@aks-worker-36032082-vmss000000:~$ sudo cat /etc/cni/net.d/10-azure.conflist 
{
   "cniVersion":"0.3.0",
   "name":"azure",
   "plugins":[
      {
         "type":"azure-vnet",
         "mode":"transparent",
         "ipsToRouteViaHost":["169.254.20.10"],
         "ipam":{
            "type":"azure-vnet-ipam"
         }
      },
      {
         "type":"portmap",
         "capabilities":{
            "portMappings":true
         },
         "snat":true
      }
   ]
}

Above you can find the CNI plugin is “azure-vnet”. which means POD will use VNET subnet address space.

Kubernetes networking basics

Networking is a central part of Kubernetes, but it can be challenging to understand exactly how it is expected to work. There are 4 distinct networking problems to address:

1. Highly-coupled container-to-container communications: this is solved by Pods and localhost communications.
2. Pod-to-Pod communications: this is the primary focus of this document.
3. Pod-to-Service communications: this is covered by Services.
4. External-to-Service communications: this is also covered by Services.

Kubernetes is all about sharing machines among applications. Typically, sharing machines requires ensuring that two applications do not try to use the same ports. Coordinating ports across multiple developers is very difficult to do at scale and exposes users to cluster-level issues outside of their control.

Kubernetes IP address ranges

Kubernetes clusters require to allocate non-overlapping IP addresses for Pods, Services and Nodes, from a range of available addresses configured in the following components:

1. The network plugin is configured to assign IP addresses to Pods.
2. The kube-apiserver is configured to assign IP addresses to Services.
3. The kubelet or the cloud-controller-manager is configured to assign IP addresses to Nodes.

1. Container-to-Container Networking

Within a pod, containers share the same IP address and port space, which means they can communicate with each other using localhost. This type of networking is the simplest in Kubernetes and is intended for tightly coupled application components that need to communicate frequently and quickly.

Benefits: Efficient communication due to shared network namespace; no need for IP management per container. Use case: Inter-process communication within a pod, such as between a web server and a local cache or database.

2. Pod-to-Pod Networking

Pod-to-pod communication occurs between pods across the same or different nodes within the Kubernetes cluster. Each pod is assigned a unique IP address, irrespective of which node it resides on. This setup is enabled through a flat network model that allows direct IP routing without NAT between pods.

Implementation: Typically handled by a CNI (Container Network Interface) plugin that configures the underlying network to allow seamless pod-to-pod communication. Common plugins include Calico, Weave, and Flannel.

Challenges: Ensuring network policies are in place to control access and traffic between pods for security purposes.

3. Pod-to-Service Networking

Kubernetes services are abstractions that define a logical set of pods and a policy by which to access them. Services provide stable IP addresses and DNS names to which pods can send requests. Behind the scenes, a service routes traffic to pod endpoints based on labels and selectors.

Benefits: Provides a reliable and stable interface for intra-cluster service communication, handling the load balancing across multiple pods.

Implementation: Uses kube-proxy, which runs on every node, to route traffic or manage IP tables to direct traffic to the appropriate backend pods.

4. External-to-Service Networking

• External-to-service communication is handled through services exposed to the outside of the cluster. This can be achieved in several ways:

• NodePort: Exposes the service on a static port on the node’s IP. External traffic is routed to this port and then forwarded to the appropriate service.

• LoadBalancer: Integrates with external cloud load balancers, providing a public IP that is mapped to the service.

• Ingress: Manages external access to the services via HTTP/HTTPS, providing advanced routing capabilities, SSL termination, and name-based virtual hosting.

Benefits: Allows external users and systems to interact with applications running within the cluster in a controlled and secure manner.

Challenges: Requires careful configuration to ensure security, such as setting up appropriate firewall rules and security groups.

These different networking types together create a flexible and powerful system for managing both internal and external communications in a Kubernetes environment. The design ensures that applications are scalable, maintainable, and accessible, which is crucial for modern cloud-native applications.

Task 2 - Challenges of Single network interface

Using a single network interface in Kubernetes clusters can present several challenges that impact network performance, security, and scalability. Here are some key challenges:

1. Network Performance and Bandwidth Congestion: A single network interface can become a bottleneck as all traffic, including intra-cluster communication, ingress, and egress, passes through it. This can lead to network congestion and reduced performance. Latency: High traffic volumes can increase latency, affecting the responsiveness of applications and services.

2. Scalability Limited Capacity: As the number of pods and services increases, the single network interface may not handle the growing network load efficiently, limiting the cluster’s scalability. Resource Contention: Pods and services might compete for network resources, leading to performance degradation.

3. Security Single Point of Failure: Relying on a single network interface makes the cluster vulnerable to network failures. If the interface goes down, the entire network communication within the cluster can be disrupted. Limited Isolation: It is harder to implement network policies and isolate traffic between different services and namespaces, increasing the risk of security breaches and unauthorized access.

4. Network Policies and Isolation Complexity in Implementing Policies: Enforcing network policies to control traffic flow between pods and services can be more complex with a single network interface, especially in multi-tenant environments. Namespace Isolation: Achieving proper network isolation between different namespaces or projects can be challenging without separate interfaces.

5. High Availability and Redundancy Lack of Redundancy: A single network interface setup lacks redundancy. If the interface or its associated hardware fails, it can lead to a complete network outage in the cluster. Failover Capabilities: Implementing failover mechanisms is more difficult without multiple interfaces, making the network less resilient.

6. Traffic Management Difficulty in Traffic Shaping and QoS: Managing traffic shaping, quality of service (QoS), and prioritizing critical traffic can be difficult with a single interface handling all types of traffic. Ingress/Egress Traffic: Balancing ingress and egress traffic on the same interface can lead to inefficiencies and potential collisions.

7. Monitoring and Troubleshooting Limited Monitoring Capabilities: Monitoring network traffic and diagnosing issues can be more challenging with a single interface, as it may be harder to distinguish between different types of traffic. Troubleshooting: Identifying the root cause of network issues can be more complex without segregated traffic paths. Solutions and Best Practices Multiple Network Interfaces: Use multiple network interfaces to separate different types of traffic, such as management, storage, and application traffic. Network Plugins: Utilize advanced network plugins (e.g., Calico, Cilium) that offer better network policy enforcement and isolation. Network Segmentation: Implement network segmentation to isolate traffic and enhance security. Load Balancers: Use external load balancers to distribute traffic effectively and provide redundancy. Monitoring Tools: Employ robust monitoring and observability tools to gain better insights into network performance and issues.

By addressing these challenges through thoughtful network design and best practices, Kubernetes clusters can achieve better performance, security, and scalability.

Task 1 - Overview of Ingress in Kubernetes

cFOS overview

Container FortiOS, the operating system that powers Fortinet’s security appliance as a container, can be integrated with Kubernetes to enhance the security of inbound traffic to your containers. This integration helps ensure that only legitimate and authorized traffic reaches your Kubernetes services while providing robust security features such as intrusion prevention, application control, and advanced threat protection.

Deploying FortiOS as a containerized solution within a Kubernetes environment offers several advantages that enhance security, flexibility, and manageability. Here are some of the key benefits:

1. Enhanced Security Advanced Threat Protection: FortiOS containers provide comprehensive security features, including firewall, intrusion prevention system (IPS), antivirus, and web filtering, offering robust protection against a wide range of threats. SSL/TLS Inspection: Containerized FortiOS can perform SSL/TLS termination and inspection, decrypting traffic to detect hidden threats while offloading this resource-intensive task from application services. Granular Policy Control: Allows the implementation of detailed security policies at the container level, ensuring that only legitimate traffic reaches your Kubernetes services.

2. Scalability and Flexibility Scalable Security: FortiOS containers can scale with your Kubernetes environment, ensuring that security capabilities grow with your application demands. This is particularly useful for dynamic, microservices-based architectures. Deployment Flexibility: Containerized FortiOS can be deployed in any Kubernetes environment, whether on-premises or in the cloud, providing consistent security across different infrastructures.

3. Integration with Kubernetes Ecosystem Native Kubernetes Integration: FortiOS containers integrate seamlessly with Kubernetes, leveraging Kubernetes features like services, deployments, and ingress controllers to provide security at various layers. Automation and Orchestration: Security policies and configurations can be managed and automated using Kubernetes-native tools and CI/CD pipelines, ensuring that security is integrated into the DevOps workflow.

4. Operational Efficiency Centralized Management: Using FortiManager and FortiAnalyzer, administrators can centrally manage multiple FortiOS containers, simplifying configuration, monitoring, and reporting across large deployments. Consistency and Standardization: Containerized deployments ensure consistent security policies and practices across different environments, reducing the risk of misconfigurations and security gaps.

5. Cost-Effectiveness Optimized Resource Utilization: Containerized FortiOS can share resources with other containers in the Kubernetes environment, optimizing resource usage and potentially reducing infrastructure costs. Elastic Scaling: The ability to scale security resources up or down based on demand helps manage costs more effectively, ensuring you pay only for the resources you need.

6. Improved Performance Low Latency Security: By placing FortiOS containers close to the applications they protect within the same Kubernetes cluster, you can achieve lower latency for security processing compared to external or centralized security appliances. Distributed Security: Security processing can be distributed across multiple nodes, enhancing performance and resilience compared to traditional, centralized security architectures.

Task 2 - Configuring and Securing Ingress

Purpose

In this chapter, we will use cFOS to provide ingress protection for a target application(goweb). The target application is a web server that allows users to upload files. Without cFOS protection, users can upload malicious files. However, with cFOS, uploaded files are scanned, and malicious files are blocked.

We use a load balancer with a public IP to handle ingress traffic from the internet to the target application. We can also use an internal IP or even the cFOS cluster IP to secure traffic from within the Kubernetes cluster or other pods to the target application. Without cFOS, incoming traffic goes directly to the backend application. With cFOS in the middle, the load balancer directs the traffic to cFOS first. cFOS then uses a Firewall VIP to redirect the traffic to the backend application, performing deep inspection along the way.

Unprotected Application (NO cFOS protection)

Let’s create an application and exposed by loadBalancer directly.

#!/bin/bash -x
cd $HOME
gowebimage="public.ecr.aws/t8s9q7q9/andy2024public:fileuploadserverx86v1.1"
#gowebimage="interbeing/myfmg:fileuploadserverx86"
kubectl create namespace mytest
kubectl create deployment goweb --image=$gowebimage  --namespace mytest
kubectl expose  deployment goweb --target-port=80  --port=80  --namespace mytest
svcname=$(kubectl config view -o json | jq .clusters[0].cluster.server | cut -d "." -f 1 | cut -d "/" -f 3)
metallbip=$(kubectl get ipaddresspool -n metallb-system -o jsonpath='{.items[*].spec.addresses[0]}' 2>/dev/null | cut -d '/' -f 1)
if [ -n "$metallbip" ]; then
   metallbannotation="metallb.universe.tf/loadBalancerIPs: $metallbip"
fi

echo use pool ipaddress $metallbip for svc 

cat << EOF | tee > gowebsvc.yaml 
apiVersion: v1
kind: Service
metadata:
  name: gowebsvc
  annotations:
    $metallbannotation
    service.beta.kubernetes.io/azure-dns-label-name: $svcname
spec:
  sessionAffinity: ClientIP
  ports:
  - port: 8888
    name: goweb-1
    targetPort: 80
    protocol: TCP
  selector:
    app: goweb
  type: LoadBalancer

EOF
kubectl apply -f gowebsvc.yaml --namespace mytest

NAME       TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)          AGE
goweb      ClusterIP      10.99.120.6   <none>        80/TCP           2m31s
gowebsvc   LoadBalancer   10.108.22.4   10.0.0.4      8888:31981/TCP   2m30s

wget -c https://secure.eicar.org/eicar_com.zip
cp eicar_com.zip $scriptDir/k8s-201-workshop/scripts/cfos/ingress_demo/

curl -v -F "file=@$scriptDir/k8s-201-workshop/scripts/cfos/ingress_demo/eicar_com.zip" http://$svcname.$location.cloudapp.azure.com:8888/upload

* Host k8strainingmaster-k8s51-1.eastus.cloudapp.azure.com:8888 was resolved.
* IPv6: (none)
* IPv4: 52.224.164.53
*   Trying 52.224.164.53:8888...
* Connected to k8strainingmaster-k8s51-1.eastus.cloudapp.azure.com (52.224.164.53) port 8888
> POST /upload HTTP/1.1
> Host: k8strainingmaster-k8s51-1.eastus.cloudapp.azure.com:8888
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Length: 401
> Content-Type: multipart/form-data; boundary=------------------------OBqcPObBBZvOi9WnnBwJlX
> 
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Date: Tue, 02 Jul 2024 06:27:26 GMT
< Content-Length: 0
< 
* Connection #0 to host k8strainingmaster-k8s51-1.eastus.cloudapp.azure.com left intact

kubectl delete namespace mytest

Application protected by cFOS

traffic diagram after use cFOS in the middle

With cFOS in the middle, it functions as a reverse proxy. Instead of exposing the application to the internet, we expose cFOS to the internet. cFOS then redirects or proxies traffic to the backend application, ensuring that the traffic passes cFOS security policy checks. cFOS is able to inspect traffic even it’s encrypted with SSL.

cfosnamespace="cfosingress"
kubectl create namespace $cfosnamespace

cd $HOME
kubectl apply -f cfosimagepullsecret.yaml  -n $cfosnamespace
kubectl apply -f cfos_license.yaml  -n $cfosnamespace

kubectl create -f $scriptDir/k8s-201-workshop/scripts/cfos/ingress_demo/01_create_cfos_account.yaml -n $cfosnamespace

clusterrole.rbac.authorization.k8s.io/configmap-reader configured
rolebinding.rbac.authorization.k8s.io/read-configmaps configured
clusterrole.rbac.authorization.k8s.io/secrets-reader configured
rolebinding.rbac.authorization.k8s.io/read-secrets configured

k8sdnsip=$(k get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
cat << EOF | tee > cfos7210250-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfos7210250-deployment
  labels:
    app: cfos
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cfos
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/cfos7210250-container: unconfined
      labels:
        app: cfos
    spec:
      initContainers:
      - name: init-myservice
        image: busybox
        command:
        - sh
        - -c
        - |
          echo "nameserver $k8sdnsip" > /mnt/resolv.conf
          echo "search default.svc.cluster.local svc.cluster.local cluster.local" >> /mnt/resolv.conf;
        volumeMounts:
        - name: resolv-conf
          mountPath: /mnt
      serviceAccountName: cfos-serviceaccount
      containers:
      - name: cfos7210250-container
        image: $cfosimage
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN","SYS_ADMIN","NET_RAW"]
        ports:
        - containerPort: 443
        volumeMounts:
        - mountPath: /data
          name: data-volume
        - mountPath: /etc/resolv.conf
          name: resolv-conf
          subPath: resolv.conf
      volumes:
      - name: data-volume
        emptyDir: {}
      - name: resolv-conf
        emptyDir: {}
      dnsPolicy: ClusterFirst
EOF
kubectl apply -f cfos7210250-deployment.yaml -n $cfosnamespace

kubectl get pod -n $cfosnamespace

NAME                                    READY   STATUS    RESTARTS   AGE
cfos7210250-deployment-8b6d4b8b-ljjf5   1/1     Running   0          3m13s

Create backend application and service

Let’s create a file upload server application and an Nginx application, and expose them with ClusterIP services. The goweb and Nginx applications can be in any namespace; here, we will use the default namespace.

gowebimage="public.ecr.aws/t8s9q7q9/andy2024public:fileuploadserverx86v1.1"
kubectl create deployment goweb --image=$gowebimage
kubectl expose  deployment goweb --target-port=80  --port=80 
kubectl create deployment nginx --image=nginx 
kubectl expose deployment nginx --target-port=80 --port=80 

kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
goweb        ClusterIP   10.96.131.201   <none>        80/TCP    13m
nginx        ClusterIP   10.96.200.35    <none>        80/TCP    13m

kubectl get ep
NAME         ENDPOINTS           AGE
goweb        10.224.0.13:80      15m
kubernetes   20.121.91.175:443   153m
nginx        10.224.0.28:80      15m