
Introduction

Welcome to our Kubernetes Security Workshop! This guide is designed to help you understand and practice security aspects in Kubernetes clusters effectively.

The main topics of this workshop are:

  • Admission Controllers
  • Security for the API Server, microservices and supply chains
  • System hardening
  • Network policies
  • Compliance and OPA (open policy agent)

Setup Tips

0. AKS

Run $ kubectl get nodes to test the connection.

1. Kubectl

Kubectl is the Kubernetes command-line tool that allows us to interact directly with the Kubernetes API.

For help about kubectl commands navigate to the Kubectl Reference Docs Page.

To install kubectl follow the instructions on the Official Kubernetes Docs Page.


2. Alias

Further, you should make use of aliases to speed up writing kubectl commands.

For now, add the following alias in your terminal:

alias k=kubectl 

You may add more aliases that you find useful along the way.


3. Autocompletion

It is recommended to install autocompletion for kubectl commands. It will facilitate the navigation in Kubernetes clusters.

To install autocompletion for kubectl follow the instructions on the Kubernetes Docs.

echo 'source /etc/bash_completion' >> ~/.bashrc
echo 'source <(kubectl completion bash)' >> ~/.bashrc
echo 'alias k=kubectl' >> ~/.bashrc
echo 'alias kx=kubectx' >> ~/.bashrc
echo 'complete -o default -F __start_kubectl k' >> ~/.bashrc

Tip

You need to start a new bash session to activate the new settings in your .bashrc. You can do this by just starting bash again or by clicking on the + icon in the terminal view in VS Code, or by running source ~/.bashrc in the current terminal.


4. Text Editor

vi, vim, emacs, notepad, …

Info

You can skip this section if you are using our VS-Code environment.

You probably have already got the text editor of your choice installed and ready to go. But how often have you really used it? Are you comfortable navigating and editing your files?

As we will be writing several deployment files as well as apply changes to Kubernetes objects with the text editor, you should take some time to refresh the most common commands.

If you haven’t been using the editor frequently, it might be handy to open up a cheatsheet by the side, when working on the Lab!


5. Add-ons

When starting to work with Kubernetes, it may be a good time to familiarize yourself with helpful tools. That way you can adapt tool-specific syntax from the start.

Mandatory:

k9s: A terminal based UI. It holds many features to easily navigate through Kubernetes clusters and display resources in a readable way.

curl -sL https://github.com/derailed/k9s/releases/download/v0.50.18/k9s_Linux_amd64.tar.gz | tar -zxvf - k9s
sudo mv k9s /usr/local/bin

jq: A tool for parsing JSON data, like sed for text files

sudo apt install jq

kind: Running a Kubernetes cluster in Docker

curl -sLo ./kind https://kind.sigs.k8s.io/dl/v0.31.0/kind-linux-amd64
chmod +x kind
sudo mv kind /usr/local/bin

sops: Encryption provider

curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
sudo mv sops-v3.11.0.linux.amd64 /usr/local/bin/sops
sudo chmod +x /usr/local/bin/sops

flux: GitOps provider

curl -LO https://github.com/fluxcd/flux2/releases/download/v2.7.5/flux_2.7.5_linux_amd64.tar.gz
tar xvzf flux_2.7.5_linux_amd64.tar.gz
sudo mv flux /usr/local/bin/flux
sudo chmod +x /usr/local/bin/flux

age: Key tool

curl -LO https://github.com/FiloSottile/age/releases/download/v1.3.1/age-v1.3.1-linux-amd64.tar.gz
tar xvzf age-v1.3.1-linux-amd64.tar.gz
sudo mv age/age /usr/local/bin/age
sudo chmod +x /usr/local/bin/age
sudo mv age/age-keygen /usr/local/bin/age-keygen
sudo chmod +x /usr/local/bin/age-keygen
rm -rf age # folder

go-task: Cmdline task tool

curl -LO https://github.com/go-task/task/releases/download/v3.48.0/task_linux_amd64.tar.gz
tar xvzf task_linux_amd64.tar.gz
sudo mv task /usr/local/bin/task
sudo chmod +x /usr/local/bin/task
rm -rf completion LICENSE README.md # folder

Optional:

kn: A small command line tool for changing namespaces and contexts in your kubeconfig.
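The install commands above move downloaded release binaries straight into /usr/local/bin without checking what was fetched. As an added example that is not part of the workshop material, the POSIX shell functions below compare a downloaded file's SHA-256 digest against the value the project publishes on its release page and only install the file when they match. The function names and the placeholder digest in the usage comment are assumptions of this example, not values from the page; take the real digest from the release page of the tool you are installing.

```shell
#!/bin/sh
# Added example (not workshop code): verify a downloaded release artifact
# before installing it. Function names are this example's own.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Uses sha256sum (coreutils) when present, otherwise shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1 | tr 'A-Z' 'a-z'
  else
    shasum -a 256 "$1" | cut -d' ' -f1 | tr 'A-Z' 'a-z'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 on match, 1 on mismatch.
# EXPECTED_HEX is the digest published by the project for this release.
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  actual="$(sha256_of "$file")"
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_verified FILE EXPECTED_HEX DEST: copy FILE to DEST (mode 0755)
# only when the digest matches; otherwise leave DEST untouched and fail.
install_verified() {
  file="$1"
  expected="$2"
  dest="$3"
  if verify_sha256 "$file" "$expected"; then
    cp "$file" "$dest" && chmod 0755 "$dest"
    echo "installed $dest"
    return 0
  fi
  echo "checksum mismatch for $file; refusing to install" >&2
  return 1
}

# Usage (hypothetical values; replace the digest with the one from the
# kind release page, run the install step with sudo):
#   curl -LO https://kind.sigs.k8s.io/dl/v0.31.0/kind-linux-amd64
#   EXPECTED="<sha256 from the kind release page>"
#   sudo sh -c ". ./verify.sh; install_verified kind-linux-amd64 $EXPECTED /usr/local/bin/kind"
```

The same pattern applies to the tar.gz downloads above: verify the archive with install_verified's check (verify_sha256) before running tar on it, since the digest the project publishes covers the archive, not the extracted binary.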


git config --global --add safe.directory /home/training/exercise
sudo git -C /home/training/exercise pull origin main
sudo mkdocs build -c -f /home/training/exercise/mkdocs.yml -d /var/www/html/mkdocs