Kustomizegoat - Vulnerable Kustomize Kubernetes templates for training and education

Overview

KustomizeGoat - Vulnerable by design Kustomize deployment

Maintained by Bridgecrew.io

Demonstrating secure and insecure Kubernetes IaC manifests using Kustomize.io (kubectl -k) overlays.

What's in the repo

The manifests are based on the following blog post, which demonstrates how to take a basic NGINX Kubernetes deployment with many security issues and use Checkov to produce a fully compliant manifest that achieves the same NGINX deployment.

Using Kustomize overlays (environments), we see both forms of these configurations here:

  • kustomize/base - Our base manifests, similar to the insecure starting manifests in the blog post.

  • kustomize/overlays/test - A few security updates, but still a lot of non-compliance.

  • kustomize/overlays/dev - An example of an empty overlay; it produces the same results as base when merged with kustomize build.

  • kustomize/overlays/prod - Fully compliant additions to base; this overlay renders a clean bill of health when scanned with Checkov.io's new Kustomize support!
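As an added example (not the repository's own files; the file names and the nginx container name are assumed), this is the base-versus-prod-overlay pattern described above: the base Deployment sets no CPU limit, so it fails CKV_K8S_11, and the prod overlay layers a strategic-merge patch on top of it that adds resource limits and requests. Rendering each directory with kustomize build shows the difference Checkov reports per environment.

```yaml
# kustomize/base/kustomization.yaml (assumed layout)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
---
# kustomize/base/deployment.yaml: insecure, no CPU limit, fails CKV_K8S_11
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
---
# kustomize/overlays/prod/kustomization.yaml: inherit base, then patch it
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - path: resources-patch.yaml
---
# kustomize/overlays/prod/resources-patch.yaml
# Strategic-merge patch: containers merge by name, so only the
# resources block is added; the rest of the base Deployment is kept.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    spec:
      containers:
        - name: nginx
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 250m
              memory: 64Mi
```

The dev overlay in the repo is the empty case of the same pattern: a kustomization.yaml that only lists ../../base and no patches, so it inherits every finding of the base.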

Scanning with Checkov.io

Simply clone this repository and point Checkov at the git checkout path. Checkov's Kustomize framework will traverse the directories, find bases and overlays, template them out, and finally run all of the built-in Kubernetes security policies against each of the rendered templates.

checkov --framework kustomize -d ./kustomizegoat

[Screenshot: Checkov Kustomize output]

Checkov will provide results for each base and each overlay separately, allowing you to see misconfigurations specific to each environment and whether those security issues are inherited from your base manifests.

To see this more clearly, we can ask Checkov to return just a single policy, such as CKV_K8S_11 (CPU limits should be set) from the CIS Kubernetes guidelines.

Here we can clearly see that only the prod overlay passes, with all other overlays (and the base manifests) failing the policy.

[Screenshot: Checkov Kustomize output filtered to CKV_K8S_11]

We also added the --compact flag to reduce CLI output for the screenshots; otherwise the specific templated manifest would also be shown alongside the failed policies, like so:

[Screenshot: Checkov Kustomize output without --compact, showing the rendered manifest]

Contributing

PRs and suggestions for further examples that highlight Kubernetes security posture are always welcome!

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design Cloudformation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application
  • KustomizeGoat - Vulnerable by design kustomize deployment