KodeKloud Kubernetes Security CKS Lab Challenge 1 | Image Scanning using Aquasec Trivy | Secure Deployment using AppArmor Profile | PVC to PV binding


Question: There are 6 images listed in the diagram on the right. Using Aquasec Trivy (which is already installed on the controlplane node), identify the image that has the least number of critical vulnerabilities and use it to deploy the alpha-xyz deployment.

Secure this deployment by enforcing the AppArmor profile called custom-nginx.

Expose this deployment with a NodePort type service and make sure that only incoming connections from the pod called middleware are accepted and everything else is rejected.

Click on each icon to see more details. Once done, click the Check button to test your work.





  • Pod called 'external' is already deployed in the 'alpha' namespace. Inspect it but do not alter it in any way!

  • 'external' pod should NOT be able to connect to 'alpha-svc' on port 80


  • Expose 'alpha-xyz' as a 'ClusterIP' type service called 'alpha-svc'

  • 'alpha-svc' should be exposed on 'port: 80' and 'targetPort: 80'


Pod called 'middleware' is already deployed in the 'alpha' namespace. Inspect it but do not alter it in any way!

  • Create a deployment called 'alpha-xyz' that uses the image with the least 'CRITICAL' vulnerabilities (use the sample YAML file located at '/root/alpha-xyz.yaml' to create the deployment, and keep the same names and labels specified in that sample YAML file). The deployment has exactly '1' ready replica

  • 'data-volume' is mounted at '/usr/share/nginx/html' on the pod

  • Permitted images are: 'nginx:alpine', 'bitnami/nginx', 'nginx:1.13', 'nginx:1.17', 'nginx:1.16' and 'nginx:1.14'. Use 'trivy' to find the image with the least number of 'CRITICAL' vulnerabilities.


  • Create a NetworkPolicy called 'restrict-inbound' in the 'alpha' namespace

  • Policy Type = 'Ingress'

  • Inbound access only allowed from the pod called 'middleware' with label 'app=middleware'

  • Inbound access only allowed to TCP port 80 on pods matching the policy


  • 'alpha-pvc' should be bound to 'alpha-pv'. Delete and re-create it if necessary.

A PersistentVolume called 'alpha-pv' has already been created. Do not modify it; inspect the parameters used to create it.

  • Move the AppArmor profile '/root/usr.sbin.nginx' to '/etc/apparmor.d/usr.sbin.nginx' on the controlplane node

  • Load the 'AppArmor' profile called 'custom-nginx' and ensure it is enforced.


Solution:

1. Check the existing pod status

root@controlplane ~   kubectl get pods -A

NAMESPACE     NAME                                   READY   STATUS    RESTARTS      AGE

alpha         external                               1/1     Running   0             58s

alpha         middleware                             1/1     Running   0             58s

kube-system   coredns-64897985d-b8f84                1/1     Running   0             96m

kube-system   coredns-64897985d-x4gvx                1/1     Running   0             96m

kube-system   etcd-controlplane                      1/1     Running   0             96m

kube-system   kube-apiserver-controlplane            1/1     Running   0             96m

kube-system   kube-controller-manager-controlplane   1/1     Running   0             96m

kube-system   kube-proxy-59b7m                       1/1     Running   0             96m

kube-system   kube-scheduler-controlplane            1/1     Running   0             96m

kube-system   weave-net-jppcw                        2/2     Running   1 (96m ago)   96m

root@controlplane ~  

2. Check the docker images for nginx that are already present on the node

root@controlplane ~   docker images |grep nginx

bitnami/nginx                        latest              bbd28fd1050d        2 days ago          139MB

nginx                                alpine              6913ed9ec8d0        9 days ago          42.6MB

nginx                                <none>              7d73f57a7cf7        23 months ago       23.4MB

nginx                                latest              f2f70adc5d89        23 months ago       142MB

nginx                                1.17                9beeba249f3e        3 years ago         127MB

nginx                                1.16                dfcfd8e9a5d3        3 years ago         127MB

nginx                                1.14                295c7be07902        4 years ago         109MB

nginx                                1.13                ae513a47849c        5 years ago         109MB

root@controlplane ~  

3. These are the images named in the question, so scan each one with Trivy and compare the 'CRITICAL' counts to find the image with the fewest. (nginx:latest is scanned below as well, but it is not in the permitted list.)

Trivy is a simple and comprehensive vulnerability/misconfiguration scanner for containers and other artifacts. Piping through 'grep Total' keeps only the summary line; if an image has more than one scan target (OS packages plus an application lockfile, for example), Trivy prints one Total line per target, so check that exactly one line came back before comparing.

root@controlplane ~   trivy bitnami/nginx|grep Total

Total: 76 (UNKNOWN: 2, LOW: 12, MEDIUM: 31, HIGH: 28, CRITICAL: 3)

 root@controlplane ~   trivy nginx:alpine |grep Total

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

 root@controlplane ~   trivy nginx:latest |grep Total

Total: 240 (UNKNOWN: 2, LOW: 9, MEDIUM: 113, HIGH: 79, CRITICAL: 27)

 root@controlplane ~   trivy nginx:1.17 |grep Total

Total: 325 (UNKNOWN: 6, LOW: 15, MEDIUM: 141, HIGH: 120, CRITICAL: 43)

 root@controlplane ~   trivy nginx:1.16 |grep Total

Total: 329 (UNKNOWN: 6, LOW: 15, MEDIUM: 143, HIGH: 122, CRITICAL: 43)

 root@controlplane ~   trivy nginx:1.14 |grep Total

Total: 458 (UNKNOWN: 13, LOW: 18, MEDIUM: 196, HIGH: 167, CRITICAL: 64)

 root@controlplane ~   trivy nginx:1.13 |grep Total

Total: 533 (UNKNOWN: 15, LOW: 22, MEDIUM: 211, HIGH: 200, CRITICAL: 85)
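The grep-and-compare above works, but Trivy's JSON output is the reliable way to script the choice, because it carries every target's findings in one document and tie-breaks can be made explicit. The following is an added example (not part of the lab or of Trivy itself): it ranks images by CRITICAL count, then HIGH, then total. It assumes `trivy` is on PATH when real images are passed on the command line; without arguments it ranks the constructed SAMPLE_REPORTS, whose counts and CVE ids are placeholders and not the lab's real results.

```python
"""Pick the image with the fewest CRITICAL findings from Trivy JSON reports.

Added example, not part of the KodeKloud lab or the Trivy project. Assumes
`trivy` is on PATH when real images are scanned; SAMPLE_REPORTS below are
constructed and their counts are NOT the lab's real results.
"""
import json
import subprocess
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample reports in Trivy's JSON shape. "nginx:1.14" uses the older
# top-level-list shape (Trivy < 0.20); the others use {"Results": [...]}.
# CVE ids are placeholders, not real identifiers.
SAMPLE_REPORTS = {
    "nginx:1.13": {"SchemaVersion": 2, "ArtifactName": "nginx:1.13", "Results": [
        {"Target": "nginx:1.13 (debian 9)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "Severity": "HIGH"}]}]},
    # Two targets (OS packages plus a lockfile): Trivy's table output prints one
    # "Total:" line per target, which is why `grep Total` can return two lines.
    "bitnami/nginx": {"SchemaVersion": 2, "ArtifactName": "bitnami/nginx", "Results": [
        {"Target": "bitnami/nginx (debian 11)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libssl1.1", "Severity": "CRITICAL"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "minimist", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0006", "PkgName": "lodash", "Severity": "MEDIUM"}]}]},
    # A clean image: Trivy emits "Vulnerabilities": null for a target with no findings.
    "nginx:alpine": {"SchemaVersion": 2, "ArtifactName": "nginx:alpine", "Results": [
        {"Target": "nginx:alpine (alpine 3.17)", "Class": "os-pkgs", "Vulnerabilities": None}]},
    "nginx:1.14": [
        {"Target": "nginx:1.14 (debian 9)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0007", "PkgName": "libc6", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0008", "PkgName": "curl", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0009", "PkgName": "bash", "Severity": "HIGH"}]}],
}


def count_severities(report):
    """Count findings per severity across every target in one Trivy report.

    Accepts both the {"Results": [...]} shape and the older top-level list,
    and treats a missing or null "Vulnerabilities" key as no findings.
    """
    results = report.get("Results") if isinstance(report, dict) else report
    counts = Counter({s: 0 for s in SEVERITIES})
    for target in results or []:
        for vuln in target.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return dict(counts)


def least_critical(reports):
    """Return (image, counts) for the image with the fewest CRITICAL findings.

    Ties are broken by HIGH count, then by total findings, then by name, so
    the choice is deterministic even if several images have zero CRITICALs.
    """
    ranked = sorted(
        (c["CRITICAL"], c["HIGH"], sum(c.values()), image, c)
        for image, c in ((i, count_severities(r)) for i, r in reports.items()))
    _, _, _, image, counts = ranked[0]
    return image, counts


def scan_image(image):
    """Run Trivy on a real image and parse its JSON report (needs `trivy` on PATH)."""
    proc = subprocess.run(["trivy", "image", "--quiet", "--format", "json", image],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # With image names as arguments the real scanner is used; otherwise the
    # constructed samples above are ranked.
    images = sys.argv[1:]
    reports = {img: scan_image(img) for img in images} if images else SAMPLE_REPORTS
    for img, rep in reports.items():
        print(f"{img:16} {count_severities(rep)}")
    print("least CRITICAL:", least_critical(reports)[0])
```

Run it as `python3 pick_image.py nginx:alpine bitnami/nginx nginx:1.13 nginx:1.17 nginx:1.16 nginx:1.14` on the controlplane node to rank the permitted images from live scans; the sort key makes the answer reproducible even when two images both show zero CRITICAL findings.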


4. nginx:alpine has the fewest vulnerabilities of all the permitted images (zero CRITICAL), so it is the image to use in the deployment. The lines below are the nginx-related parts of the manifest: the AppArmor annotation key ends in the container name ('nginx'), and its value 'localhost/custom-nginx' refers to the profile name declared inside the profile file, not to the file name.

root@controlplane ~   vi alpha-deploy.yml

 root@controlplane ~   cat alpha-deploy.yml |grep nginx

        container.apparmor.security.beta.kubernetes.io/nginx: localhost/custom-nginx

      - image: nginx:alpine

        name: nginx

            mountPath: /usr/share/nginx/html

 root@controlplane ~


5. The PersistentVolume 'alpha-pv' has already been created and the claim 'alpha-pvc' is Pending. Inspect the PV's parameters, i.e. 'accessModes' and 'capacity' (and 'storageClassName'), and change the PVC to match. 'kubectl edit' rejects the change because these fields of an existing claim are immutable, so the claim has to be deleted and re-created; 'kubectl apply --force' does exactly that from the saved copy (note the AGE of 8s on the re-created claim).

root@controlplane ~   kubectl get pvc -A

NAMESPACE   NAME        STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS    AGE

alpha       alpha-pvc   Pending                                      local-storage   4m35s

root@controlplane ~  

 root@controlplane ~   kubectl edit pvc -n alpha

error: persistentvolumeclaims "alpha-pvc" is invalid

A copy of your changes has been stored to "/tmp/kubectl-edit-1269822153.yaml"

error: Edit cancelled, no valid changes were saved.

root@controlplane ~  

 root@controlplane ~ kubectl apply --force -f /tmp/kubectl-edit-1269822153.yaml

persistentvolumeclaim/alpha-pvc configured

 root@controlplane ~   kubectl get pvc -A

NAMESPACE   NAME        STATUS   VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS    AGE

alpha       alpha-pvc   Bound    alpha-pv   1Gi        RWX            local-storage   8s

 root@controlplane ~
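Why a claim stays Pending is easier to see by checking the PV/PVC pair against the binder's matching rules than by reading the events. The following is an added example (not part of the lab): it encodes those rules (storageClassName, access modes, capacity, volumeMode, selector, volumeName/claimRef) and reports every mismatch. The PV mirrors what the lab output shows for alpha-pv (1Gi, ReadWriteMany, local-storage); its hostPath and the claim's original ReadWriteOnce access mode are constructed assumptions, not the lab's actual files.

```python
"""Check why a PersistentVolumeClaim stays Pending against a PersistentVolume.

Added example, not part of the KodeKloud lab. The PV mirrors what the lab's
output shows for alpha-pv (1Gi, ReadWriteMany, local-storage); its hostPath
and the claim's original access mode are constructed assumptions.
"""
import re

_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4, "Pi": 1024 ** 5, "Ei": 1024 ** 6}
_DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12, "P": 10 ** 15, "E": 10 ** 18}

ALPHA_PV = {"apiVersion": "v1", "kind": "PersistentVolume",
            "metadata": {"name": "alpha-pv"},
            "spec": {"capacity": {"storage": "1Gi"}, "accessModes": ["ReadWriteMany"],
                     "storageClassName": "local-storage",
                     "hostPath": {"path": "/opt/alpha-data"}}}  # constructed path

# Constructed "before": the claim asks for ReadWriteOnce, which alpha-pv does not offer.
PENDING_PVC = {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
               "metadata": {"name": "alpha-pvc", "namespace": "alpha"},
               "spec": {"accessModes": ["ReadWriteOnce"], "storageClassName": "local-storage",
                        "resources": {"requests": {"storage": "1Gi"}}}}

# "After": access mode matches the PV and volumeName pins the claim to alpha-pv.
FIXED_PVC = {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
             "metadata": {"name": "alpha-pvc", "namespace": "alpha"},
             "spec": {"accessModes": ["ReadWriteMany"], "storageClassName": "local-storage",
                      "volumeName": "alpha-pv",
                      "resources": {"requests": {"storage": "1Gi"}}}}


def parse_quantity(q):
    """Convert a Kubernetes quantity ("1Gi", "500M", "1073741824") to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?", str(q).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    number, suffix = float(m.group(1)), m.group(2)
    multiplier = 1 if suffix is None else (_BINARY.get(suffix) or _DECIMAL[suffix])
    return int(number * multiplier)


def binding_mismatches(pv, pvc):
    """List the reasons `pvc` would not bind to `pv`; an empty list means it binds.

    Mirrors the binder's matching rules: same storageClassName, the PV must
    offer every access mode the claim asks for, capacity >= request, same
    volumeMode, the claim's label selector, and any explicit volumeName on the
    claim or claimRef on the volume.
    """
    reasons = []
    pvs, pcs = pv["spec"], pvc["spec"]
    if pvs.get("storageClassName", "") != pcs.get("storageClassName", ""):
        reasons.append(f"storageClassName differs: PV={pvs.get('storageClassName', '')!r} "
                       f"PVC={pcs.get('storageClassName', '')!r}")
    missing = sorted(set(pcs.get("accessModes", [])) - set(pvs.get("accessModes", [])))
    if missing:
        reasons.append(f"PV lacks access modes {missing}")
    if parse_quantity(pvs["capacity"]["storage"]) < parse_quantity(pcs["resources"]["requests"]["storage"]):
        reasons.append("PV capacity is smaller than the claim's request")
    if pvs.get("volumeMode", "Filesystem") != pcs.get("volumeMode", "Filesystem"):
        reasons.append("volumeMode differs")
    pv_labels = pv["metadata"].get("labels", {})
    for key, value in pcs.get("selector", {}).get("matchLabels", {}).items():
        if pv_labels.get(key) != value:
            reasons.append(f"PV label {key}={value!r} required by selector is absent")
    if pcs.get("volumeName") and pcs["volumeName"] != pv["metadata"]["name"]:
        reasons.append(f"claim is pinned to volume {pcs['volumeName']!r}")
    ref = pvs.get("claimRef")
    if ref and (ref.get("name"), ref.get("namespace")) != (pvc["metadata"]["name"], pvc["metadata"].get("namespace", "default")):
        reasons.append("PV is already reserved for another claim")
    return reasons


if __name__ == "__main__":
    for label, pvc in (("pending", PENDING_PVC), ("fixed", FIXED_PVC)):
        print(label, binding_mismatches(ALPHA_PV, pvc) or "binds")
```

Access modes are not ordered by strength: a PV that offers only ReadWriteMany does not satisfy a claim for ReadWriteOnce, which is the kind of mismatch that leaves a claim Pending with no obvious error. Because accessModes, storageClassName and volumeName cannot be changed on an existing claim, the fix is always to delete and re-create it, which is what the --force apply above did.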


6. Move the AppArmor profile '/root/usr.sbin.nginx' to '/etc/apparmor.d/usr.sbin.nginx' on the controlplane node, then load the 'AppArmor' profile called 'custom-nginx' and ensure it is enforced. Before loading, 'aa-status' lists nothing for nginx; after 'aa-enforce' the profile name 'custom-nginx' appears, and that name (declared inside the file, not the file name) is what the pod annotation 'localhost/custom-nginx' refers to. The profile has to be loaded on every node the pod can be scheduled on; in this single-node lab that is only the controlplane node.

root@controlplane ~   mv usr.sbin.nginx  /etc/apparmor.d/

 root@controlplane ~   aa-status |grep nginx

 root@controlplane ~ aa-enforce  /etc/apparmor.d/usr.sbin.nginx

Setting /etc/apparmor.d/usr.sbin.nginx to enforce mode.

 root@controlplane ~   aa-status |grep nginx

   custom-nginx

 root@controlplane ~


7. Apply the manifest, which also contains the NetworkPolicy and the Service (hence the three 'created' lines), and verify that the deployment has 1 ready replica, the pod is Running and 'alpha-svc' is a ClusterIP service on port 80.

root@controlplane ~   kubectl apply -f alpha-deploy.yml

deployment.apps/alpha-xyz created

networkpolicy.networking.k8s.io/restrict-inbound created

service/alpha-svc created

 root@controlplane ~  

 root@controlplane ~   kubectl get deploy -A

NAMESPACE     NAME        READY   UP-TO-DATE   AVAILABLE   AGE

alpha         alpha-xyz   1/1     1            1           13s

kube-system   coredns     2/2     2            2           8h

 root@controlplane ~  

 root@controlplane ~   kubectl get pods -n alpha

NAME                        READY   STATUS    RESTARTS   AGE

alpha-xyz-68cbd57f9-f94pp   1/1     Running   0          39s

external                    1/1     Running   0          20m

middleware                  1/1     Running   0          20m

 root@controlplane ~  

root@controlplane ~   kubectl get svc -n alpha

NAME        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE

alpha-svc   ClusterIP   10.109.218.80   <none>        80/TCP    62s

 root@controlplane ~  
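The NetworkPolicy itself is not shown above (it is in the repo linked below), so the following is an added example, not the lab's file: it builds 'restrict-inbound' exactly as the task specifies (ingress only, from pods labelled app=middleware, TCP/80) and adds a small evaluator that applies the policy's selection rules to sample pods, so you can see why 'middleware' is admitted and 'external' is not before running a connectivity test. The deployment's pod label 'app: alpha-xyz' and the 'external' pod's label are assumptions; the pod descriptions are constructed. json.dumps(POLICY) is a manifest that kubectl apply accepts as-is.

```python
"""Model the restrict-inbound NetworkPolicy and check which pods it admits.

Added example, not part of the KodeKloud lab. The policy mirrors the task's
requirements (ingress only, from app=middleware, TCP/80); the deployment's
pod label app=alpha-xyz and the external pod's label are assumptions.
"""
import json

POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "restrict-inbound", "namespace": "alpha"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "alpha-xyz"}},   # assumed deployment label
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "middleware"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

# Constructed pod descriptions: namespace, pod labels and (optionally) namespace labels.
ALPHA_XYZ = {"namespace": "alpha", "labels": {"app": "alpha-xyz"}}
MIDDLEWARE = {"namespace": "alpha", "labels": {"app": "middleware"}}
EXTERNAL = {"namespace": "alpha", "labels": {"app": "external"}}       # label assumed
OTHER_NS_MW = {"namespace": "beta", "labels": {"app": "middleware"}, "ns_labels": {"team": "beta"}}


def _selects(selector, labels):
    """matchLabels semantics: every listed label must be present with that value;
    an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def _peer_allows(peer, src, policy_ns):
    """Evaluate one entry of an ingress rule's `from` list against a source pod."""
    if "ipBlock" in peer:
        return False  # CIDR peers are out of scope for this model
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is None:   # podSelector alone: only pods in the policy's own namespace
        return src["namespace"] == policy_ns and _selects(pod_sel, src["labels"])
    ns_ok = _selects(ns_sel, src.get("ns_labels", {}))
    if pod_sel is None:  # namespaceSelector alone: any pod in a matching namespace
        return ns_ok
    return ns_ok and _selects(pod_sel, src["labels"])   # both present: AND


def ingress_allowed(policy, dst, src, port, protocol="TCP"):
    """True if `src` may open `protocol`/`port` to `dst` under this single policy.

    A pod the policy does not select is not isolated by it, so traffic is
    allowed; a selected pod only accepts traffic matching at least one rule.
    """
    spec, ns = policy["spec"], policy["metadata"]["namespace"]
    if dst["namespace"] != ns or not _selects(spec["podSelector"], dst["labels"]):
        return True
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True
    for rule in spec.get("ingress", []):
        ports, froms = rule.get("ports"), rule.get("from")
        port_ok = not ports or any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
        from_ok = not froms or any(_peer_allows(peer, src, ns) for peer in froms)
        if port_ok and from_ok:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))   # save this output and `kubectl apply -f` it
    for name, src, port in (("middleware", MIDDLEWARE, 80), ("external", EXTERNAL, 80),
                            ("middleware", MIDDLEWARE, 8080), ("beta/middleware", OTHER_NS_MW, 80)):
        verdict = "allowed" if ingress_allowed(POLICY, ALPHA_XYZ, src, port) else "denied"
        print(f"{name} -> alpha-xyz:{port}: {verdict}")
```

Two details the evaluator makes visible: a `from` entry with only a podSelector matches pods in the policy's own namespace, so a pod labelled app=middleware in another namespace is still rejected, and a pod that the policy's podSelector does not select ('external' here) is not isolated by this policy at all. The lab's check that 'external' cannot reach 'alpha-svc' on port 80 is the runtime equivalent of the second sample call.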


The complete YAML files with all the parameters are in the GitLab repo; clone it or copy them from there:

git clone https://gitlab.com/nb-tech-support/devops.git


8. Click on Check & Confirm to complete the task successfully


Happy Learning!!!!


Apart from this, if you need more clarity, I have made a tutorial video on this; please go through it and share your comments. Like and share the knowledge.










