Skip to content

Vulnerable Kustomize Kubernetes templates for training and education

Notifications You must be signed in to change notification settings

ChachiTheGhost/kustomizegoat

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

KustomizeGoat - Vulnerable by design Kustomize deployment

Maintained by Bridgecrew.io

Terragoat

Demonstrating secure and non secure kubernetes IaC manifests using Kustomize.io (kubectl -k) overlays.

Whats in the repo

The manifests are based on the following blog post, which demonstrates howto take a basic NGINX kubernetes deployment with many security issues, and use checkov to produce a fully compliant manifest to acheive the same NGINX deployment.

Using kustomize overlays (environments) we see both forms of these configurations here:

  • kustomize/base - Our base manifests, similar to the starting manifests in the blog post, insecure.

  • kustomize/overlays/test - A few security updates, but still a lot of non compliance.

  • kustomize/overlays/dev - An example of an empty overlay, produces the same results as base when merged with kustomize build

  • kustomize/overlays/prod - Fully compliant additions to base, this overlay renders a clean bill of health when scanned with Checkov.io's new Kustomize support!

Scanning with Checkov.io

Simply clone this repository, and point checkov at the git checkout path, Checkov's Kustomize framework will traverse the directories, find bases and overlays and template them out, finally running all of the builtin Kubernetes security policies against each of the rendered templates.

checkov --framework kustomize -d ./kustomizegoat

Checkov Kustomize Output

Checkov will provide results for each base and each overlay seperately, allowing you to see misconfigurations specific to each environment and wether those security issues are inherited from your base manifests.

To see this more clearly, we can ask Checkov to just return a single policy, such as CKV_K8S_11: CPU limits should be set from the CIS Kubernetes guidelines.

Here we can clearly see only the prod overlay passes, with all over overlays (and the base manifests) failing the policy.

Checkov Kustomize Output

We also added the --compact flag to reduce CLI output for the screenshots, otherwise the specific templated manifest would also be shown with the failed policies, like so:

Checkov Kustomize Output

Contributing

PR's and suggestions for further examples which highlight Kubernetes security posture are always welcome!

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design Cloudformation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application
  • KustomizeGoat - Vulnerable by design kustomize deployment

About

Vulnerable Kustomize Kubernetes templates for training and education

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HTML 86.3%
  • Dockerfile 13.7%