mirror of
https://github.com/jpetazzo/container.training.git
synced 2026-02-14 09:39:56 +00:00
➕ Add RBAC and NetPol exercises
This commit is contained in:
Jérôme Petazzoni
7
slides/exercises/netpol-brief.md
Normal file
7
slides/exercises/netpol-brief.md
Normal file
@@ -0,0 +1,7 @@
|
||||
## Exercise — Network Policies
|
||||
|
||||
- Implement a system with 3 levels of security
|
||||
|
||||
(private pods, public pods, namespace pods)
|
||||
|
||||
- Apply it to the DockerCoins demo app
|
||||
63
slides/exercises/netpol-details.md
Normal file
63
slides/exercises/netpol-details.md
Normal file
@@ -0,0 +1,63 @@
|
||||
# Exercise — Network Policies
|
||||
|
||||
We want to to implement a generic network security mechanism.
|
||||
|
||||
Instead of creating one policy per service, we want to
|
||||
create a fixed number of policies, and use a single label
|
||||
to indicate the security level of our pods.
|
||||
|
||||
Then, when adding a new service to the stack, instead
|
||||
of writing a new network policy for that service, we
|
||||
only need to add the right label to the pods of that service.
|
||||
|
||||
---
|
||||
|
||||
## Specifications
|
||||
|
||||
We will use the label `security` to classify our pods.
|
||||
|
||||
- If `security=private`:
|
||||
|
||||
*the pod shouldn't accept any traffic*
|
||||
|
||||
- If `security=public`:
|
||||
|
||||
*the pod should accept all traffic*
|
||||
|
||||
- If `security=namespace`:
|
||||
|
||||
*the pod should only accept connections coming from the same namespace*
|
||||
|
||||
If `security` isn't set, assume it's `private`.
|
||||
|
||||
---
|
||||
|
||||
## Test setup
|
||||
|
||||
- Deploy a copy of the DockerCoins app in a new namespace
|
||||
|
||||
- Modify the pod templates so that:
|
||||
|
||||
- `webui` has `security=public`
|
||||
|
||||
- `worker` has `security=private`
|
||||
|
||||
- `hasher`, `redis`, `rng` have `security=namespace`
|
||||
|
||||
---
|
||||
|
||||
## Implement and test policies
|
||||
|
||||
- Write the network policies
|
||||
|
||||
(feel free to draw inspiration from the ones we've seen so far)
|
||||
|
||||
- Check that:
|
||||
|
||||
- you can connect to the `webui` from outside the cluster
|
||||
|
||||
- the application works correctly (shows 3-4 hashes/second)
|
||||
|
||||
- you cannot connect to the `hasher`, `redis`, `rng` services
|
||||
|
||||
- you cannot connect or even ping the `worker` pods
|
||||
9
slides/exercises/rbac-brief.md
Normal file
9
slides/exercises/rbac-brief.md
Normal file
@@ -0,0 +1,9 @@
|
||||
## Exercise — RBAC
|
||||
|
||||
- Create two namespaces for users `alice` and `bob`
|
||||
|
||||
- Give each user full access to their own namespace
|
||||
|
||||
- Give each user read-only access to the other's namespace
|
||||
|
||||
- Let `alice` view the nodes of the cluster as well
|
||||
97
slides/exercises/rbac-details.md
Normal file
97
slides/exercises/rbac-details.md
Normal file
@@ -0,0 +1,97 @@
|
||||
# Exercise — RBAC
|
||||
|
||||
We want to:
|
||||
|
||||
- Create two namespaces for users `alice` and `bob`
|
||||
|
||||
- Give each user full access to their own namespace
|
||||
|
||||
- Give each user read-only access to the other's namespace
|
||||
|
||||
- Let `alice` view the nodes of the cluster as well
|
||||
|
||||
---
|
||||
|
||||
## Initial setup
|
||||
|
||||
- Create two namespaces named `alice` and `bob`
|
||||
|
||||
- Check that if we impersonate Alice, we can't access her namespace yet:
|
||||
```bash
|
||||
kubectl --as alice get pods --namespace alice
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Access for Alice
|
||||
|
||||
- Grant Alice full access to her own namespace
|
||||
|
||||
(you can use a pre-existing Cluster Role)
|
||||
|
||||
- Check that Alice can create stuff in her namespace:
|
||||
```bash
|
||||
kubectl --as alice create deployment hello --image nginx --namespace alice
|
||||
```
|
||||
|
||||
- But that she can't create stuff in Bob's namespace:
|
||||
```bash
|
||||
kubectl --as alice create deployment hello --image nginx --namespace bob
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Access for Bob
|
||||
|
||||
- Similarly, grant Bob full access to his own namespace
|
||||
|
||||
- Check that Bob can create stuff in his namespace:
|
||||
```bash
|
||||
kubectl --as bob create deployment hello --image nginx --namespace bob
|
||||
```
|
||||
|
||||
- But that he can't create stuff in Alice's namespace:
|
||||
```bash
|
||||
kubectl --as bob create deployment hello --image nginx --namespace alice
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Read-only access
|
||||
|
||||
- Now, give Alice read-only access to Bob's namespace
|
||||
|
||||
- Check that Alice can view Bob's stuff:
|
||||
```bash
|
||||
kubectl --as alice get pods --namespace bob
|
||||
```
|
||||
|
||||
- But that she can't touch this:
|
||||
```bash
|
||||
kubectl --as alice delete pods --namespace bob --all
|
||||
```
|
||||
|
||||
- Likewise, give Bob read-only access to Alice's namespace
|
||||
|
||||
---
|
||||
|
||||
## Nodes
|
||||
|
||||
- Give Alice read-only access to the cluster nodes
|
||||
|
||||
(this will require creating a custom Cluster Role)
|
||||
|
||||
- Check that Alice can view the nodes:
|
||||
```bash
|
||||
kubectl --as alice get nodes
|
||||
```
|
||||
|
||||
- But that Bob cannot:
|
||||
```bash
|
||||
kubectl --as bob get nodes
|
||||
```
|
||||
|
||||
- And that Alice can't update nodes:
|
||||
```bash
|
||||
kubectl --as alice label nodes --all hello=world
|
||||
```
|
||||
Reference in New Issue
Block a user