diff --git a/slides/exercises/netpol-brief.md b/slides/exercises/netpol-brief.md new file mode 100644 index 00000000..89f62120 --- /dev/null +++ b/slides/exercises/netpol-brief.md @@ -0,0 +1,7 @@ +## Exercise — Network Policies + +- Implement a system with 3 levels of security + + (private pods, public pods, namespace pods) + +- Apply it to the DockerCoins demo app diff --git a/slides/exercises/netpol-details.md b/slides/exercises/netpol-details.md new file mode 100644 index 00000000..20db0429 --- /dev/null +++ b/slides/exercises/netpol-details.md 
@@ -0,0 +1,63 @@ +# Exercise — Network Policies + +We want to to implement a generic network security mechanism. + +Instead of creating one policy per service, we want to +create a fixed number of policies, and use a single label +to indicate the security level of our pods. + +Then, when adding a new service to the stack, instead +of writing a new network policy for that service, we +only need to add the right label to the pods of that service. + +--- + +## Specifications + +We will use the label `security` to classify our pods. + +- If `security=private`: + + *the pod shouldn't accept any traffic* + +- If `security=public`: + + *the pod should accept all traffic* + +- If `security=namespace`: + + *the pod should only accept connections coming from the same namespace* + +If `security` isn't set, assume it's `private`. + +--- + +## Test setup + +- Deploy a copy of the DockerCoins app in a new namespace + +- Modify the pod templates so that: + + - `webui` has `security=public` + + - `worker` has `security=private` + + - `hasher`, `redis`, `rng` have `security=namespace` + +--- + +## Implement and test policies + +- Write the network policies + + (feel free to draw inspiration from the ones we've seen so far) + +- Check that: + + - you can connect to the `webui` from outside the cluster + + - the application works correctly (shows 3-4 hashes/second) + + - you cannot connect to the `hasher`, `redis`, `rng` services + + - you cannot connect or even ping the `worker` pods diff --git a/slides/exercises/rbac-brief.md b/slides/exercises/rbac-brief.md new file mode 100644 index 00000000..fe319a46 --- /dev/null +++ b/slides/exercises/rbac-brief.md @@ -0,0 +1,9 @@ +## Exercise — RBAC + +- Create two namespaces for users `alice` and `bob` + +- Give each user full access to their own namespace + +- Give each user read-only access to the other's namespace + +- Let `alice` view the nodes of the cluster as well 
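Review bot: `slides/exercises/rbac-brief.md` speaks of users `alice` and `bob`, but nothing in the exercise creates them; the details file relies entirely on `kubectl --as` impersonation, which works without any account existing but does require whoever runs the exercise to hold the `impersonate` verb on `users` (cluster-admin does). Say so in the brief, e.g. `(the users don't need to exist; we'll use impersonation)`, so a learner on a restricted kubeconfig knows why `--as` is rejected rather than concluding the RBAC rules are wrong.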
diff --git a/slides/exercises/rbac-details.md b/slides/exercises/rbac-details.md new file mode 100644 index 00000000..5809d1e3 --- /dev/null +++ b/slides/exercises/rbac-details.md 
@@ -0,0 +1,97 @@ +# Exercise — RBAC + +We want to: + +- Create two namespaces for users `alice` and `bob` + +- Give each user full access to their own namespace + +- Give each user read-only access to the other's namespace + +- Let `alice` view the nodes of the cluster as well + +--- + +## Initial setup + +- Create two namespaces named `alice` and `bob` + +- Check that if we impersonate Alice, we can't access her namespace yet: + ```bash + kubectl --as alice get pods --namespace alice + ``` + +--- + +## Access for Alice + +- Grant Alice full access to her own namespace + + (you can use a pre-existing Cluster Role) + +- Check that Alice can create stuff in her namespace: + ```bash + kubectl --as alice create deployment hello --image nginx --namespace alice + ``` + +- But that she can't create stuff in Bob's namespace: + ```bash + kubectl --as alice create deployment hello --image nginx --namespace bob + ``` + +--- + +## Access for Bob + +- Similarly, grant Bob full access to his own namespace + +- Check that Bob can create stuff in his namespace: + ```bash + kubectl --as bob create deployment hello --image nginx --namespace bob + ``` + +- But that he can't create stuff in Alice's namespace: + ```bash + kubectl --as bob create deployment hello --image nginx --namespace alice + ``` + +--- + +## Read-only access + +- Now, give Alice read-only access to Bob's namespace + +- Check that Alice can view Bob's stuff: + ```bash + kubectl --as alice get pods --namespace bob + ``` + +- But that she can't touch this: + ```bash + kubectl --as alice delete pods --namespace bob --all + ``` + +- Likewise, give Bob read-only access to Alice's namespace + +--- + +## Nodes + +- Give Alice read-only access to the cluster nodes + + (this will require creating a custom Cluster Role) + +- Check that Alice can view the nodes: + ```bash + kubectl --as alice get nodes + ``` + +- But that Bob cannot: + ```bash + kubectl --as bob get nodes + ``` + +- And that Alice can't update nodes: + ```bash 
+ kubectl --as alice label nodes --all hello=world + ```
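Review bot: the brief in `slides/exercises/netpol-brief.md` lists three levels but omits the default the details file depends on, namely that a pod with no `security` label is treated as private; that default deny is what keeps a newly added service safe when someone forgets the label, so it belongs in the brief too, e.g. `(private pods, public pods, namespace pods; unlabeled = private)`.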
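Review bot: in `slides/exercises/netpol-details.md`, the check `you cannot connect to the hasher, redis, rng services` does not say where the connection attempt is made from, and from a pod inside the new namespace it is supposed to succeed (that is the `security=namespace` level working); state that this check runs from a pod in a different namespace. Two more things the specification should make explicit: the three levels describe ingress only (egress stays open, which `worker` needs to reach `redis`, `rng` and `hasher`), and `security=public` has to be expressed as an empty ingress rule (`ingress: [{}]`) rather than `from: [{namespaceSelector: {}}]`, because only the former admits traffic from outside the cluster, which the first `Check that` item requires; the "unlabeled = private" default is then simply a default-deny policy with an empty `podSelector` plus allow policies selecting the two other labels.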
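Review bot: in `slides/exercises/rbac-details.md`, "read-only access" is verified only with `kubectl --as alice get pods --namespace bob`, which passes with the built-in `view` ClusterRole, yet `view` deliberately excludes Secrets; decide whether read-only is meant to include Secrets and add a check with its expected outcome, e.g. `kubectl --as alice get secrets --namespace bob` should be Forbidden if `view` is the intended role. Likewise, "full access" via "a pre-existing Cluster Role" can mean `edit` or `admin`, and only `admin` lets Alice create RoleBindings in her namespace and thereby delegate her access to other subjects, so name the intended one. Minor: each `Check that` command would be easier to self-grade if the slide stated the expected result (success vs. `Forbidden`), since half of them are meant to fail.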