Fixes after 20240508
nicholasdille committed May 10, 2024
1 parent aea8d4c commit 10c6b66
Showing 9 changed files with 30 additions and 6 deletions.
4 changes: 3 additions & 1 deletion 120_kubernetes/kyverno/monitoring.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
## Monitoring

https://kyverno.io/docs/monitoring/
https://kyverno.io/docs/monitoring/

https://github.com/kyverno/policy-reporter
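Review bot: the first line is shown as removed and re-added with identical visible text, so that part of the hunk is a whitespace-only change (likely a trailing space); it is harmless, but it makes the diff look noisier than the one real addition, which is the policy-reporter link. That link and the monitoring-docs link are bare URLs with no description; a short lead-in for each (what the official docs cover versus what policy-reporter adds on top of Kyverno's policy reports) would make the slide readable without clicking through.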
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ spec:
operator: Equals
value: "default"
validate:
message: "FOO"
message: "Die, pod, die"
pattern:
spec:
automountServiceAccountToken: false
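Review bot: the new `message: "Die, pod, die"` is fun for a live demo, but it is the text an admission denial returns to the person running `kubectl apply`, and it does not say what to fix. Since the pattern requires `automountServiceAccountToken: false` in `spec`, a message such as `"spec.automountServiceAccountToken must be set to false"` gives the same denial a self-explaining error. Note also that the pattern denies pods that omit the field entirely as well as pods that set it to `true`, which is the desired behaviour here but worth stating on the slide.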
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ Pods should not mount service account by default

### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/kyverno/validation_automountServiceAccountToken.demo "validation_automountServiceAccountToken.demo")

Deny pods...l
Deny pods...
- without `automountServiceAccountToken`
- when `serviceAccountName` is...
- not specified or
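Review bot: the stray `l` is gone, which is the point of this hunk, but the first bullet is still ambiguous: "without `automountServiceAccountToken`" reads as "field absent", whereas the policy also denies pods that set the field to `true`. Suggest "without `automountServiceAccountToken: false`" so the slide matches what the validation pattern actually enforces.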
2 changes: 1 addition & 1 deletion 120_kubernetes/rbac/aggregation.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ rules:
Heavily used in builtin ClusterRoles [](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
- `rbac.authorization.k8s.io/aggregate-to-(admin|editview)`
- `rbac.authorization.k8s.io/aggregate-to-(admin|edit|view)`

---

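Review bot: the regex correction is right and matters for the content: `(admin|editview)` would only ever match `aggregate-to-admin`, so the old line silently dropped the `edit` and `view` roles that the built-in aggregation actually uses. The corrected `(admin|edit|view)` lists the three label keys a ClusterRole sets to `"true"` to be picked up by the default aggregated roles. Consider spelling out on the slide that aggregation is driven by `aggregationRule.clusterRoleSelectors` on the aggregating ClusterRole, which is what makes these labels effective.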
19 changes: 19 additions & 0 deletions 120_kubernetes/rbac/kubeconfig-my-cluster
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJTXhiUWdNK1k2djh3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRBMU1EZ3hPVEExTkRCYUZ3MHpOREExTURZeE9URXdOREJhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURhTGxhSmIyNU5hS2NoNHQ4T3FyY1dsMGtwQ0luV2o1dHllTFNsZDR2SWlPWUZjeHowTjdmQ1JFZ2YKa2ZxcXlaYzVqUVJYUWZCRklwM0d1R3R5dXBWeXg0TVhPYWYyK0dWT2NucDRCQnY4WnIwdmFTUUZ0K3Qzd3d2cgp3TEhWQUkxNHhleGJHK2hhQk5vOVRPNXRYUmJpaTZqWFZybDZnVmE4QmtNWE1ReXlscjBMUS9aU050V2hEV2crCmg1OGhXUHZ1QnVaY3NBMzBYODBMY3pEN20yYWt6dUZHanhOeEdpWTZpbG8vMi90WmJUWnRuYjU3MWtqQUlUbzUKTmhrelZpTngxNlRIN0ZpR3hDMzJuK2RWNWlyQWYyVjhhRUNvOS9XV3puOGdabVgrbU82b0QweGEvT211WXFtSQpsUTFHMkh6eXl4Zk5tcHA4T1FsSXN4bDhGUTE5QWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJUTWdnTTVmK0tmT0tPbXFTd3BVTDNOU09qcXRUQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRRE54UHpTT1I2RApyb2pIRXBpb01GWEVTR0lJNWpLRnVRK29paysxZElWTEdLT0IyOUhCMVJJclVjd3VuWlpPbitUS21NcWVEUUg2Cjc4OUJ1Sis2WHowd2lNaHRGRnJ3aCt6Q21JV0pvS3dBZEtxaGtuTkQxVjdtdmRWZUhMNVpPZWR6NW94WjF1TEYKd0dnQ2JtT0I0Q2Rtc3NQbzZHYThqVTlhRklaU2owd1JNQVdlTUpvTjJvZGlyS2Vpa2FkQnRCMlVkT1RqZzF6WApBQU5kY1JEWjdsaW84a0NGS2FhRFZxa3l3RGVsTnB4UlpmNVcwUy9uYlpFaDZQNXJhM0xEZGVHOEwrMGZYWlE1CnhzQmg4SnZFaW13dmhMWXlqVXFUeEVDamJORHBPbEtRbUhDUTF1aGxuRUV1SzVHekhKYWFzZ3J6MjB2cllrYTIKd0dnZXRraFpKdEFTCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
server: https://127.0.0.1:43641
name: kind-kind
contexts:
- context:
cluster: kind-kind
user: kind-kind
name: kind-kind
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: kind-kind
user:
client-certificate-data: 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
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBMElrVUVhbTJ2L2lINjNUNUJpaFQ5KytsVisxS1Bud1VNbko3SVdFZTdNbDJ6bDB5Cm0zQUNpWFlPRkhDbWhvVU5BNFNjT1NqWDhiL29HbSt3VXhDM3Fwd0dOSkpMbitEL0RSZmdUei8rWEp0VTBOQVkKWHB2blhCY3RGR1l1SmR0ZzlkdFNyR083T2ZjUDdLa2VFR2NqUWhpeUU0R0l5KzdYNERkRTk4U0plaWpwb1NoaApxdnJDbHFvNERnRTBLdkNuRlNoeGNCYTRvU3luVmYyejVpVlBTZUtYcmFLY05FTjIxSjRpTTZNRjRWVzE1MW5zClV4c2ZzSmJhcWlyM01SQWpmdVNUdmdwS1A5SWV5QW5sRHAwZllScUdMS0toU0VHemdFbm9yMWZhZGZ0YXpMNW4KUzRtcWhRTDdJLzNvT1Q1bWs3QUlPTXBwbkRSWEtzM0VFU3lZWndJREFRQUJBb0lCQUF6QTFXRmZKN1lGMVFvcApWVEZ6TmU5cjBJallFanBRREV3cGhDNCthazNBNUdzcWQvWFptODRjVWpBZDA1RldnYjA5VnZDSDl1enA5NS9tClJMcFB3MnZEcnYxNEZQZnFJcThDVHMySjlGeGxnNEpodDV2Um5ReWN2ajBKSXJsZCtVZ1A2Ylp4UXZvQWloREgKSnZlSjF6WXJuSGhrNjZETk1wYWJ5clA4YVF2M2FDcDdMaUkzMzNiczJHMHZqbEJyc2E4QmxQcVlibHQ5N2VtOQpMOWVlV3E4TVpDOFhFYWk1Qjd6SHhqN1VNZ1JXaWJPc2VBS1l3VmJ6RmNQb1VXVHRIdE42L0RyNEZwQ2ZXaS9tCkpEZFp4T1hpRTlNTHE2dWRjZnZIRlFuN05yTjhRY3JwWG1acURrVGc1dEgxTk5TUTVpODBBZGZjYW10RFhlQW8KK1V0Z21FRUNnWUVBME5JZDJXaGdISDRGZElBb3VFZkJ6aDl0WDJmT3RCVTB1dzJjYUlhUThBZGJBTHhkc3h1RQp5UFIxRzJoNE1xMWhZb3lXYTlNeE5OVHdPbkg1Vzg5R3p0dXhNSHNtNG1xRTlzZ0x1d1NQN2Q4amcwdlowY2JCCkR5S2IrM3E4SDc2c3pLRHpQZnRlU0Ztd2VxMmpsTFRKYnZyZHJEdFUzb1hzLzJTbkJyTE9jQVVDZ1lFQS82WjEKekdMc1REMnJjckNYNEkwMTNlV3VqV3dXWkZ3c2RzZHFaQnEyZGVpb0ZmUWdsVTgvYXBEOVptK0wyMWd5eWtWcgpZT0R6WCtRT0RhSVdzbzFRZ0FoQ09YM2l5L0NFS1pTcW5LaVZXbWg3UHRpa0dpZC94Z01yRUdVaWxYOXIydDd4CjZYUnJkN0xJei80RURHRFZYY2s1Z3BQTVE1SVRxVTRsSFNlU2puc0NnWUErQ1k1UW5vK2ZKMWxiaVErUDM5R1YKK1FRM1NkSEE4bVBlQm1jbkxvTTByQnEvRnpjSEZPL1grN2dtMGx5VFFhc2k2ZjF1UHlucE5qSEFTMGYzbkphKwpzY25zUzBuOERnVStnNlBvaGF4MDBNdnVIOFN3YThuRFExYnYyVUMyZGFGRWtiUngvNUc5RU5nN09nYlZFUGllCi9leUpWSDhjTk5GNTlsOGd3RkpRT1FLQmdRQzNGeWhXY0tKN0Y4K3FHLzhwdXZoUkt5V1A4MUUySHkxWkJBaVcKR091RUZsUUxKUVFRNnVpb0VaN3B0Z21iMWRiS05sMW96TEtBZ252dUY1L1owSXRPcHB1SFFUa2toZVNoUXUvTgpzbzhFYUwrYml0dzhQdjJyZXFsazNJbWdOOW11cnV6aUhaYTU2emtXZlAyNVA4Q1Bvb1dsbHVRN29HcWtYbXNHCkxra3Y4UUtCZ0ZOYVBNcjlLb0FFN01idEZ
SY3I5Q3lhaFc5U2tjZWI5NzNvZDljeSs5Y3FzSmJIOHlubmQzSGoKdGFOQjFGTmQ3cGZDckMrMmxrLzRaQ3NFeTJ4RHRCaHFXMFQ1UGw3dW1BZytMZ3VIRlI0K0VXL0tiRVZhMmlWbAptNVk1VmdPVmswR24rZ0IvQldEYzNhTXdITUs1bllBYVZINlVoV0piTlRsNUdVK21EaTVWCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
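Review bot: this hunk commits a complete kubeconfig, including `client-key-data`, to the repository; the base64 decodes to a PEM block starting `-----BEGIN RSA PRIVATE KEY-----`, i.e. the private key for the `kind-kind` client certificate, alongside the cluster CA. The cluster is a local kind cluster on `https://127.0.0.1:43641`, so the blast radius is small, but the key is now permanent git history and the file looks like a demo artifact rather than intended content. Suggest dropping it from the commit, adding `120_kubernetes/rbac/kubeconfig-my-cluster` (or a `kubeconfig-*` pattern) to `.gitignore`, and regenerating it at demo time with `kind get kubeconfig`; recreating the kind cluster is the simplest way to invalidate the leaked credentials. A pre-commit secret scanner would have caught the `-----BEGIN RSA PRIVATE KEY-----` marker.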
2 changes: 1 addition & 1 deletion 120_kubernetes/rbac/rbac.demo
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ rules:
verbs:
- "get"
- "watch"
- "list"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
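Review bot: the `- "list"` line is removed and re-added with identical visible text, so this is an indentation fix; in YAML that is not cosmetic, because a sequence item indented differently from `- "get"` and `- "watch"` either fails to parse or ends up outside the `verbs` list, which would silently change the Role. Worth catching this class of error before a demo by running the manifest through `kubectl apply --dry-run=client -f` or `yamllint` in CI.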
2 changes: 1 addition & 1 deletion 120_kubernetes/rbac/risks.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ Pods obtain permissions of service accounts ...even without `pods/exec`

### Namespace modification

Verb `patch` on namespace allows chaning labels [](https://kubernetes.io/docs/concepts/security/rbac-good-practices/#namespace-modification)...
Verb `patch` on namespace allows changing labels [](https://kubernetes.io/docs/concepts/security/rbac-good-practices/#namespace-modification)...

...and disabling of pod security admission as well as network policies

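Review bot: typo fix (`chaning` to `changing`) is correct. While touching this line, consider naming `update` alongside `patch`: `update` on namespaces grants the same ability to rewrite the labels that Pod Security Admission and NetworkPolicy `namespaceSelector`s key on, so a least-privilege review has to look for both verbs.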
1 change: 1 addition & 0 deletions 120_kubernetes/rbac/service_account.demo
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ metadata:
name: foo-automount
spec:
serviceAccountName: foo
automountServiceAccountToken: true
containers:
- name: nginx
image: nginx:stable
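Review bot: `automountServiceAccountToken: true` is the default for a pod spec, so adding it to `foo-automount` does not change behaviour; if the intent is to make the demo contrast explicit against a pod that sets `false`, a comment in the manifest saying so would avoid readers assuming the line is required. Also worth noting in the demo that this pod-level field takes precedence over the `automountServiceAccountToken` setting on the ServiceAccount `foo` itself.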
2 changes: 2 additions & 0 deletions 120_kubernetes/rbac/service_account.md
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,8 @@ Mount service account to a pod and check:
kubectl get pod bar -o=jsonpath='{.spec.imagePullSecrets[0].name}{"\n"}'
```

Works regardless of `automountServiceAccountToken`

### Demo [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/service_account.demo "service_account.demo")

---
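Review bot: "Works regardless of `automountServiceAccountToken`" is too terse for a slide: it is not obvious what "works". Suggest stating that the `imagePullSecrets` from the ServiceAccount are copied into the pod spec (the `kubectl get pod bar -o=jsonpath='{.spec.imagePullSecrets[0].name}'` check above shows this) by the ServiceAccount admission plugin, and that this propagation happens even when token mounting is disabled, because it is a separate mechanism from mounting the token volume.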