This is a demo of basic security in Kubernetes and Istio.
It shows which attacks a service running on Kubernetes is exposed to, and how Istio can protect against them.
This demo was used at Open Source Summit Japan 2018.
The slides of the demo overview are here.
- Wiretap
  An attacker tries to wiretap (sniff) the communication inside the Kubernetes cluster.
- Spoofing (password already leaked)
  An attacker tries to obtain the secret information by using the leaked password.
- Worst-case spoofing (password and certificate already leaked)
  An attacker tries to obtain the secret information by using the leaked password and the leaked Istio certificate.
This demo requires Istio and an Ingress Controller.
To deploy the sample apps without Istio, sectest only requires an Ingress Controller.
- Istio
  - Please see the official page.
  - Or install Istio with the following steps:
    - git clone https://github.com/sh-miyoshi/sectest.git (check out this repository)
    - cd system
    - vi helm_values.yaml (only if you need to change the Helm values)
    - ./install-istio.sh
- Ingress Controller
  - You can use the Ingress Controller of a managed Kubernetes service (GKE, AKS, EKS, ...)
  - Or install the Nginx Ingress Controller locally with the following step:
    - kubectl apply -f system/ingress-controller-nginx.yaml
- Deploy the sample application
  - Create the secret file:
    - cd kubernetes
    - ./make_secret.sh
  - Deploy the apps with kubectl and access them from your web browser:
    - cd kubernetes
    - kubectl apply -f .
    - Access https://<ingress-controller-address>
  - Check the program:
    Enter the user name and password. If the apps work normally, you get the secret message.
    User: "root" Password: "ossj_sectest"
- Create the attacker and protect with Istio
  Please see attacker/command_docs/*.txt and attacker/command_docs/countermeasure/*.txt for details.
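As an added illustration of the countermeasure side (this is example configuration written for this README, not the manifests in attacker/command_docs/countermeasure/, and it uses the current security.istio.io API rather than the authentication.istio.io Policy and rbac.istio.io ServiceRole resources that Istio used in 2018): enforcing mutual TLS and restricting which mesh identity may call the secret-serving workload addresses the first two scenarios. The namespace `sectest`, the server label `app: secret-server` and the client service account `web-front` are assumed names for the example.

```yaml
# Added example, not part of the sectest repository.
# Assumed names: namespace "sectest", server workload labelled app=secret-server,
# legitimate client pods running under the service account "web-front".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: sectest
spec:
  # STRICT: the sidecar rejects every plaintext connection. Traffic between
  # pods is now encrypted with Istio-issued certificates, so the "wiretap"
  # scenario sees only TLS records, and a pod without a mesh identity (the
  # "already leaked password" attacker) cannot open a connection at all.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: secret-server-allow-front
  namespace: sectest
spec:
  selector:
    matchLabels:
      app: secret-server
  action: ALLOW
  rules:
    - from:
        - source:
            # SPIFFE identity of the only workload allowed to call the server;
            # a caller with a valid mesh cert but a different service account
            # is denied, since an ALLOW policy implicitly rejects everything
            # it does not list.
            principals: ["cluster.local/ns/sectest/sa/web-front"]
```

Apply both resources with `kubectl apply -f` and confirm they exist with `kubectl get peerauthentication,authorizationpolicy -n sectest`. The third scenario is the caveat: once the Istio certificate itself has leaked, the attacker holds a valid mesh identity and neither resource stops him. The remaining defences there are keeping workload certificates out of the attacker's reach in the first place and Istio's short-lived certificate rotation, which limits how long a stolen certificate stays usable.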