Merge pull request #370 from ericsmalling/main
Fixes and instructions for Todolist + log4shell on K8s
Showing 14 changed files with 169 additions and 9 deletions.
@@ -0,0 +1,47 @@ | ||
# Kubernetes based Todolist + Log4Shell exploit | ||
To deploy Todolist on Kubernetes along with the needed ldap backend for exploiting the Log4shell | ||
vulnerability: | ||
|
||
## Prerequisites | ||
1. A kubernetes cluster where you have permissions to create namespaces, deployments and services | ||
2. The `kubectl` client and credenials configuration | ||
3. Docker Desktop or docker-ce (for building and pushing images) | ||
4. A DockerHub account that you are logged in with at the command prompt (via `docker login`) | ||
|
||
## Quickstart | ||
Assuming you have your kubernetes cluster up and ready, from the top level of this repo you can run `./k8s-quickstart.sh` which will do the following: | ||
1. Builds todolist-goof image and pushes it to Docker Hub. _(see below for account/tagging info)_ | ||
2. Deploys the todolist to the `default` namespace in your kubernetes cluster along with a LoadBalancer type service | ||
3. Builds the log4shell-server image and pushes to Docker Hub. _(see below for account/tagging info)_ | ||
4. Deploys the log4shell-server and a pair of ClusterIP type services into a new namespace named `darkweb` in your Kubernetes cluster. | ||
|
||
NOTE: You will be prompted for your DockerHub account in order for the scripts to tag, push and pull the images. | ||
If you set and environmental variable named `DOCKER_ACCOUNT` to that account name, the script will pre-populate that prompt with it. | ||
```bash | ||
export DOCKER_ACCOUNT="yourdockeraccount" | ||
``` | ||
## Accessing the application | ||
Once complete, run `kubectl get svc` and note the IP Address or hostname of the `goof` service. | ||
|
||
You should be able to open a browser to http://{svc-ip-addr}/todolist and see the app | ||
|
||
#### EKS cluster notes | ||
* In order to perform NetworkPolicy egress examples, you will need to deploy the Calico CNI plugin as EKS does not implement NetworkPolicy by default. | ||
The `eks-calico.sh` script in `todolist-goof/k8s` will deploy this for you. (that script is sym-linked to the top level here too) | ||
* You should log into the AWS console and change inbound access for the good service's ELB to only allow your home IP, otherwise you *will* have audience members trying to mess with it. | ||
|
||
#### Docker Desktop Kubernetes notes | ||
* Docker Desktop automatically serves the goof service loadblancer external IP to your workstation's localhost so the app will be available at http://localhost/todolist | ||
* Docker Desktop Kubernetes CNI does not implement Network Policy so you will not be able to demonstrate any mitigation techniques that use that. | ||
|
||
#### Kind (Kubernetes on Docker) notes | ||
* Kind's default CNI does not currently support Network Policy so you should deploy your own using the instructions on their website. | ||
* If running Kind on top of Docker Desktop, you will need to run a port-forward to access the app. For example, use something like this: `kubectl port-forward service/goof 8000:80` and then access it via browser at http://localhost:8000/todolist | ||
|
||
## Quick cleanup | ||
Run the `/.k8s-quickstop.sh` script at the top level of this repo which will do the following: | ||
1. Deletes the todolist deployment and associated service in the `default` namespace | ||
2. Deletes the log4shell deployment and associated services in the `darkweb` namespace and deltes the namespace as well | ||
**Note:** This will not delete any additional objects you may have deployed such as NetworkPolicies. | ||
|
||
It is up to you to shut down your Kubernetes cluster as appropriate. |
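Review bot: the cleanup command in the Quick cleanup section is wrong: `/.k8s-quickstop.sh` should be `./k8s-quickstop.sh`, matching the `./k8s-quickstart.sh` form used in the Quickstart section, otherwise readers copying it get a file-not-found error. Typos in the same hunk: `credenials` (credentials), `and environmental variable` (an environment variable), `good service's ELB` (goof service's), `loadblancer` (loadbalancer), `deltes` (deletes). The EKS note about restricting the ELB to your own IP is the right advice for a deliberately vulnerable app behind a public LoadBalancer, so it is worth stating it for every provider rather than only EKS, for example by mentioning that `loadBalancerSourceRanges` on the `goof` Service gives the same restriction declaratively.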
@@ -0,0 +1 @@ | ||
todolist-goof/k8s/eks-calico.sh |
@@ -0,0 +1,10 @@ | ||
#!/usr/bin/env bash | ||
TOP_LEVEL_MYDIR=$(dirname $0) | ||
if [[ "$1" == "" ]]; then | ||
read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input | ||
name="${input:-$DOCKER_ACCOUNT}" | ||
else | ||
DOCKER_ACCOUNT=$1 | ||
fi | ||
$TOP_LEVEL_MYDIR/todolist-goof/k8s/quickstart.sh $DOCKER_ACCOUNT | ||
$TOP_LEVEL_MYDIR/log4shell-goof/log4shell-server/k8s/quickstart.sh $DOCKER_ACCOUNT |
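Review bot: the interactive branch never uses what the user types: `name="${input:-$DOCKER_ACCOUNT}"` assigns a variable that is not referenced again, and both child scripts receive `$DOCKER_ACCOUNT`, so the prompt only has an effect when the environment variable was already set. It should be `DOCKER_ACCOUNT="${input:-$DOCKER_ACCOUNT}"`. Also consider `set -euo pipefail` and quoting `$(dirname "$0")` and `"$TOP_LEVEL_MYDIR"`: as written, if the todolist image build or push fails, the log4shell quickstart still runs and deploys manifests that point at an image that was never pushed.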
@@ -0,0 +1,4 @@ | ||
#!/usr/bin/env bash | ||
TOP_LEVEL_MYDIR=$(dirname $0) | ||
$TOP_LEVEL_MYDIR/todolist-goof/k8s/shutdown.sh | ||
$TOP_LEVEL_MYDIR/log4shell-goof/log4shell-server/k8s/shutdown.sh |
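Review bot: quote the path expansions (`TOP_LEVEL_MYDIR=$(dirname "$0")` and `"$TOP_LEVEL_MYDIR"/...`) so the script works when the repo is checked out under a path containing spaces. Running both shutdown scripts even if the first one fails is reasonable for a cleanup script, but a one-line comment saying that is intentional would stop someone from "fixing" it with `set -e` later.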
@@ -0,0 +1,13 @@ | ||
#!/usr/bin/env bash | ||
LOG4SHELL_MYDIR=$(dirname $0) | ||
if [[ "$1" == "" ]]; then | ||
read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input | ||
name="${input:-$DOCKER_ACCOUNT}" | ||
else | ||
DOCKER_ACCOUNT=$1 | ||
fi | ||
|
||
$LOG4SHELL_MYDIR/imagebuild.sh $DOCKER_ACCOUNT | ||
$LOG4SHELL_MYDIR/startup.sh $DOCKER_ACCOUNT | ||
|
||
|
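Review bot: same dead `name=` assignment as in the top-level `k8s-quickstart.sh`: when `$1` is empty the prompt result is never written back to `DOCKER_ACCOUNT`, so `imagebuild.sh` and `startup.sh` receive the pre-existing environment value or an empty string. Replace it with `DOCKER_ACCOUNT="${input:-$DOCKER_ACCOUNT}"`. Since this prompt block is now duplicated across three scripts in the commit, a small shared helper sourced by each would keep the fix in one place.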
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-operator.yaml | ||
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-crs.yaml |
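Review bot: both manifests are fetched from the `master` branch of aws/amazon-vpc-cni-k8s at apply time, so what gets installed into the cluster changes whenever upstream moves and cannot be reproduced or reviewed later. Pin the URLs to a tagged release or commit SHA (or vendor the YAML into `todolist-goof/k8s`) so the demo installs a known Calico operator version. Adding `set -e` would also stop the second `kubectl apply` from running after the first one fails.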
@@ -1,9 +1,14 @@ | ||
#!/usr/bin/env bash | ||
read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input | ||
name="${input:-$DOCKER_ACCOUNT}" | ||
MYDIR=$(dirname $0) | ||
if [[ "$1" == "" ]]; then | ||
read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input | ||
name="${input:-$DOCKER_ACCOUNT}" | ||
else | ||
DOCKER_ACCOUNT=$1 | ||
fi | ||
|
||
echo "📦 Building image ${DOCKER_ACCOUNT}/java-goof:latest ..." | ||
docker build -t ${DOCKER_ACCOUNT}/java-goof:latest . | ||
docker build -t ${DOCKER_ACCOUNT}/java-goof:latest $MYDIR/.. | ||
echo | ||
echo "🚚 Pushing image to DockerHub..." | ||
docker push ${DOCKER_ACCOUNT}/java-goof:latest |
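Review bot: the refactor keeps the pre-existing bug: `name="${input:-$DOCKER_ACCOUNT}"` is still dead, so the prompted value never reaches the `docker build -t ${DOCKER_ACCOUNT}/java-goof:latest` tag or the push. Assign to `DOCKER_ACCOUNT` instead. The build-context change to `$MYDIR/..` is the right fix for calling this script from another directory; quote it as `"$MYDIR/.."` along with `$(dirname "$0")`, and consider `set -e` so a failed build does not go on to push whatever `latest` image is already cached locally.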
@@ -0,0 +1,42 @@ | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: goof | ||
name: goof | ||
namespace: default | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: goof | ||
template: | ||
metadata: | ||
labels: | ||
app: goof | ||
spec: | ||
containers: | ||
- image: ${DOCKER_ACCOUNT}/java-goof:latest | ||
imagePullPolicy: Always | ||
name: java-goof | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 65534 #nobody | ||
runAsGroup: 65534 #nobody | ||
restartPolicy: Always | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
labels: | ||
app: goof | ||
name: goof | ||
spec: | ||
type: LoadBalancer | ||
ports: | ||
- port: 80 | ||
protocol: TCP | ||
targetPort: 8080 | ||
selector: | ||
app: goof |
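Review bot: the `goof` Service is a public `LoadBalancer` in front of an application that is intentionally vulnerable, and the manifest carries no source restriction; the README only tells EKS users to tighten the ELB by hand in the console. Adding `loadBalancerSourceRanges` (with a commented placeholder for the presenter's IP) would make that restriction part of the deployment instead of a manual step. Two smaller points: the Service omits `namespace: default` while the Deployment sets it, so it lands wherever the caller's context points, and the container `securityContext` could also set `allowPrivilegeEscalation: false` and drop capabilities, which narrows what a successful Log4Shell payload can do inside the container while keeping the demo itself intact.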
@@ -0,0 +1,13 @@ | ||
#!/usr/bin/env bash | ||
TODO_MYDIR=$(dirname $0) | ||
if [[ "$1" == "" ]]; then | ||
read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input | ||
name="${input:-$DOCKER_ACCOUNT}" | ||
else | ||
DOCKER_ACCOUNT=$1 | ||
fi | ||
|
||
$TODO_MYDIR/imagebuild.sh $DOCKER_ACCOUNT | ||
$TODO_MYDIR/startup.sh $DOCKER_ACCOUNT | ||
|
||
|
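Review bot: same dead `name=` assignment as in the other quickstart scripts in this commit: with no argument, the prompted value is stored in `name` and never used, so `imagebuild.sh` and `startup.sh` get the pre-existing `DOCKER_ACCOUNT` or nothing. Replace it with `DOCKER_ACCOUNT="${input:-$DOCKER_ACCOUNT}"` and quote `$(dirname "$0")`.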