Skip to content

Latest commit

 

History

History
47 lines (38 loc) · 3.34 KB

README-K8S.md

File metadata and controls

47 lines (38 loc) · 3.34 KB

Kubernetes based Todolist + Log4Shell exploit

To deploy Todolist on Kubernetes along with the needed ldap backend for exploiting the Log4shell vulnerability:

Prerequisites

  1. A kubernetes cluster where you have permissions to create namespaces, deployments and services
  2. The kubectl client and credenials configuration
  3. Docker Desktop or docker-ce (for building and pushing images)
  4. A DockerHub account that you are logged in with at the command prompt (via docker login)

Quickstart

Assuming you have your kubernetes cluster up and ready, from the top level of this repo you can run ./k8s-quickstart.sh which will do the following:

  1. Builds todolist-goof image and pushes it to Docker Hub. (see below for account/tagging info)
  2. Deploys the todolist to the default namespace in your kubernetes cluster along with a LoadBalancer type service
  3. Builds the log4shell-server image and pushes to Docker Hub. (see below for account/tagging info)
  4. Deploys the log4shell-server and a pair of ClusterIP type services into a new namespace named darkweb in your Kubernetes cluster.

NOTE: You will be prompted for your DockerHub account in order for the scripts to tag, push and pull the images. If you set and environmental variable named DOCKER_ACCOUNT to that account name, the script will pre-populate that prompt with it.

export DOCKER_ACCOUNT="yourdockeraccount"

Accessing the application

Once complete, run kubectl get svc and note the IP Address or hostname of the goof service.

You should be able to open a browser to http://{svc-ip-addr}/todolist and see the app

EKS cluster notes

  • In order to perform NetworkPolicy egress examples, you will need to deploy the Calico CNI plugin as EKS does not implement NetworkPolicy by default. The eks-calico.sh script in todolist-goof/k8s will deploy this for you. (that script is sym-linked to the top level here too)
  • You should log into the AWS console and change inbound access for the good service's ELB to only allow your home IP, otherwise you will have audience members trying to mess with it.

Docker Desktop Kubernetes notes

  • Docker Desktop automatically serves the goof service loadblancer external IP to your workstation's localhost so the app will be available at http://localhost/todolist
  • Docker Desktop Kubernetes CNI does not implement Network Policy so you will not be able to demonstrate any mitigation techniques that use that.

Kind (Kubernetes on Docker) notes

  • Kind's default CNI does not currently support Network Policy so you should deploy your own using the instructions on their website.
  • If running Kind on top of Docker Desktop, you will need to run a port-forward to access the app. For example, use something like this: kubectl port-forward service/goof 8000:80 and then access it via browser at http://localhost:8000/todolist

Quick cleanup

Run the /.k8s-quickstop.sh script at the top level of this repo which will do the following:

  1. Deletes the todolist deployment and associated service in the default namespace
  2. Deletes the log4shell deployment and associated services in the darkweb namespace and deltes the namespace as well Note: This will not delete any additional objects you may have deployed such as NetworkPolicies.

It is up to you to shut down your Kubernetes cluster as appropriate.