Container Security Part 3 – Kubernetes Cheat Sheet

During the first two articles of this series, we went from some initial research as a “Quick Dive into Containers, Kubernetes and Security” to a more detailed look at the first steps of actual implementation in “Container Security Part 2 – Benchmarks to the Rescue”. While that mostly covered Docker, my obvious next step was to tackle Kubernetes. This led to not only a much deeper dive but also to the inevitable glut of information. To make it easier for me, I created a cheat sheet of commands for use in Kubernetes. As my intention was always to share my findings, this ended up being a great companion piece to tag along with my talk at BSides Toronto 2018 titled “Kubernetes – Security you need to know about it”.

The bulk of this article is the Cheat Sheet itself. But before we get to it, let me give a little background and credit. This is a personal cheat sheet I have made while going through the Learn Kubernetes Basics tutorials, and specifically, “Using Minikube to Create a Cluster”. I used the interactive tutorial, and copied the commands to a cluster in my ESXi server. This cheat sheet does not go through setting up an environment that runs Kubernetes and Docker. This assumes Docker and Minikube are installed. For a non-interactive tutorial follow Hello Minikube.

And now on with the show…

Kubernetes Cheat Sheet

Using Kubeless

To Start

  • minikube version
    • show version
  • minikube start
    • start internal minikube VM cluster
  • kubectl cluster-info
    • List information about the cluster, such as the IP and port the Kubernetes master is running on.

Deployment

  • kubectl run kubernetes-bootcamp --image=gcr.io/google-samples/kubernetes-bootcamp:v1 --port=8080
    • Deploys the Bootcamp image from google-samples, exposing port 8080

Access

  • 2nd terminal – kubectl proxy
    • This allows access to the Pods internally – it gives HTTP proxy access to the Kubernetes API
  • curl http://localhost:8001/version
    • confirm proxy is working
  • export POD_NAME=$(kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
    • The tutorial uses this to grab the name of the POD, but not helpful with multiple PODS
    • split command as needed
    • echo Name of the Pod: $POD_NAME
      • simply confirms pod name if using tutorial commands
  • curl http://localhost:8001/api/v1/namespaces/default/pods/$POD_NAME/proxy/
    • Uses the POD_NAME variable, substitute with the appropriate name
    • view information about the POD namespace
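The POD_NAME one-liner above quietly concatenates every pod name in the namespace once more than one pod exists. As an added example (not from the article or the Kubernetes tutorial), the following narrows the lookup with a label selector and refuses to continue unless exactly one name comes back; the label `run=kubernetes-bootcamp` in the usage comment is the one this cheat sheet uses later with `kubectl get pods -l`.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: pick exactly one
# pod by label instead of trusting the unguarded POD_NAME export.

# Reads newline-separated pod names on stdin and prints the single name.
# Fails when zero or several pods match, so the caller never proceeds
# against a guessed or mangled pod name.
select_single_pod() {
  names=$(grep -v '^$' || true)   # drop blank lines left by the template
  count=$(printf '%s\n' "$names" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly 1 pod, got $count:" >&2
    printf '%s\n' "$names" >&2
    return 1
  fi
  printf '%s\n' "$names"
}

# Wraps the tutorial command with a label selector (-l) plus the check.
# Usage: POD_NAME=$(get_pod_name run=kubernetes-bootcamp) || exit 1
get_pod_name() {
  kubectl get pods -l "$1" -o go-template \
    --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' \
    | select_single_pod
}
```

Because `get_pod_name` fails instead of returning several names glued together, a later `kubectl exec $POD_NAME ...` can never land in a pod you did not intend.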

Troubleshooting Pods

  • kubectl get pods
    • List pods
  • kubectl describe pods <name>
    • Gain very detailed information about a pod
  • curl http://localhost:8001/api/v1/namespaces/default/pods/$POD_NAME/proxy/
  • kubectl logs $POD_NAME
    • View the pod's container logs
  • kubectl exec $POD_NAME env
    • List the pod's environment variables
  • kubectl exec -ti $POD_NAME bash
    • Gain a shell inside the pod and execute commands from within it

Create Service | Exposing an APP via Server

A Service is the networking part: it exposes a set of pods on the network.

  • kubectl expose deployment/kubernetes-bootcamp --type="NodePort" --port 8080
    • NodePort is the 'external' port
  • kubectl get services
    • ensure that the service is created
  • kubectl describe services/kubernetes-bootcamp
    • detailed information regarding service
  • export NODE_PORT=$(kubectl get services/kubernetes-bootcamp -o go-template='{{(index .spec.ports 0).nodePort}}')
    • command from tutorial for getting the nodePort. Do not use if you have more than one pod
  • echo NODE_PORT=$NODE_PORT
    • following tutorial to ensure correct port number
  • curl $(minikube ip):$NODE_PORT
    • following tutorial
  • minikube ip
    • This is the IP to access the services
  • kubectl describe deployment
    • NOT SURE

Labels

*HOW TO CREATE A LABEL*?

  • kubectl label pod kubernetes-bootcamp-5c69669756-np4tt app=v1
    • This will apply a label to a pod
  • kubectl get pods -l app=v1
  • kubectl get pods -l run=kubernetes-bootcamp
    • This will get pods with a label
  • kubectl get services -l run=kubernetes-bootcamp
    • This will get services that are labelled

Deleting a Service

  • kubectl delete service -l run=kubernetes-bootcamp
    • self explanatory

Scaling a deployment

  • kubectl scale deployments/kubernetes-bootcamp --replicas=4
    • Increase or decrease the number of pods for a deployment
  • kubectl get deployments
    • Confirm the replicas count has changed
  • kubectl describe deployments/kubernetes-bootcamp
    • Get a specific deployment
  • export NODE_PORT=$(kubectl get services/kubernetes-bootcamp -o go-template='{{(index .spec.ports 0).nodePort}}')
    • Tutorial code for grabbing the PORT required for exposing it
  • echo NODE_PORT=$NODE_PORT
  • kubectl expose deployment/kubernetes-bootcamp --type="NodePort" --port 8080
    • Expose replicas on port 8080

Rolling Updates

  • kubectl get pods

Update Image

  • kubectl set image deployments/kubernetes-bootcamp kubernetes-bootcamp=jocatalin/kubernetes-bootcamp:v2
    • Update the image to a new one, supplying the full image reference

Check image updated

  • kubectl describe services/kubernetes-bootcamp
  • curl $(minikube ip):31937
  • kubectl rollout status deployments/kubernetes-bootcamp

Rollback update

  • Updating forward first:
    • kubectl set image deployments/kubernetes-bootcamp kubernetes-bootcamp=gcr.io/google-samples/kubernetes-bootcamp:v10
  • kubectl rollout undo deployments/kubernetes-bootcamp

Guest Book Application

Please note:

The YAML files are just configuration files equivalent to one-liners such as:
kubectl expose deployment/frontend --type="NodePort" --port 80
Download the git repository:

  • $ sudo git clone https://github.com/kubernetes/examples.git
  • $ kubectl apply -f redis-master-deployment.yaml
  • kubectl get pods
  • $ kubectl logs -f redis-master-55db5f7567-2z42f
  • kubectl apply -f redis-master-service.yaml
  • kubectl get service
  • kubectl apply -f redis-slave-deployment.yaml
  • kubectl apply -f redis-slave-service.yaml
  • $ kubectl apply -f frontend-deployment.yaml
  • $ kubectl get pods -l app=guestbook -l tier=frontend
  • Can expose as well with:
    • kubectl expose deployment/frontend --type="NodePort" --port 80
  • $ minikube service frontend --url
    • Prints the service URL, in this case http://192.168.99.100:31882

Hopefully this Kubernetes Cheat Sheet will help you in your deployments. If you see me at BSides, come say hello. After the talk, I’ll post a link to the slide deck in the Comments Section of this article.

Author Bio

Haydn Johnson advocates Purple Teaming principles as a powerful methodology for improving intra-organizational security and relationships. Having recently moved to internal security, he uses the offsec mindset to create impactful change within his organization. Committed to learning and sharing his skills, he has spoken at multiple conferences in America and Canada, and has published multiple online articles on offensive security. Haydn has a Master's in Information Technology and the OSCP and GXPN certifications. Originally hailing from Australia, he now calls Canada home.

Copyright ©2018 Caendra, Inc.