This controller introduces misconfiguration into Kubernetes deployments to test how well your security tooling and processes respond to misconfiguration.
Philosophy Usually, we are waiting around until misconfiguration are introduced into our environments by accident. By using this Misconfiguration Operator, we can intentionally test misconfiguration. If we test intentionally, we already know
- what went wrong &
- how to fix it
This allows us to build a response pipeline in theory, which is then tested in practice. Resulting, we can then analyse whether the real response matches our expected response and
- improve our security tooling and processes
- remove unknows and guessing
To use the Operator, follow these steps.
Prerequisites:
- Access to a Kubernetes cluster, any Kubernetes cluster should work.
Install the Operator:
- Clone the GitHub repository:
git clone https://github.com/AnaisUrlichs/security-controller
- Deploy the controller to the cluster::
make install
Note that this will use the controller image specified in the Makefile.
Create a Custom Resource
The Custom Resources is required to define what changes the Operator should take on your deployments. The template looks as follows:
apiVersion: api.core.anaisurl.com/v1alpha1
kind: Configuration
metadata:
name: configuration-sample
spec:
containerPort: 60
imageTag: "latest"
limits: 400
readOnlyRootFilesystem: false
requests: 300
runAsNonRoot: false
memoryrequests: 80
memorylimits: 130
Modify the template based on the changes that you would like the Operator to make on your deployments.
Next, apply the Custom Resource to your cluster
kubectl apply -f custom-resource.yaml
Set your Deployemnts
Deployments will only be changed by the Operator if the following annotation is set in the deployment.yaml manifest:
metadata:
annotations:
anaisurl.com/misconfiguration: "true"
The deployment will be changed by the operator once per day for as long as it is running inside the Kubernetes cluster and the deployment has the annotation.
Otherwise, the reconcilation loop will run if either of the following is true:
- A new Operator CRD with misconfiguration is deployed to the Kubernetes cluster and the same namespace contains a deployment with the Operator annotation is set to "true".
- A new Deployment is applied to the cluster and the Operator annotation is set to "true".
To delete the CRDs from the cluster:
make uninstall
UnDeploy the controller from the cluster:
make undeploy
Once the Kubernetes Operator is installed inside the Kubernetes cluster, it will go through the following steps:
- Check whether it can find an Operator CRD that tells it which modifications to make on the Kubernetes Deployment. If it is not provided with a CRD, it will not look for a Kubernetes Deployment as it does not know which misconfiguration to apply.
- Access all Deployments through the Kubernetes API that are running inside the cluster.
- Check which Deployments contain the annotation needed to make modifications. If no Kubernetes Deployments are identified, the Operator will not apply the misconfigurations specified in the Operator CRD to any Deployment.
- If the Operator identifies Deployments that contain the annotation, it will add them to a separate list of Deployments.
- If the list is not empty, the Operator will iterate through the new list of Deployments and make modifications to each Deployment in accordance with the misconfiguration provided in the Operator CRD.
- Lastly, it will set the value of ‘anaisurl.com/misconfiguration’ to false. This will prevent the Operator controller loop from trying to access the same Deployment again. The Operator CRD might be modified, which does not mean that the Operator should apply the new misconfiguration to the Deployment that has already been changed.
At this stage, I do not accept any contributions to this project as this is created as part of my Bachelor Thesis.
This project aims to follow the Kubernetes Operator pattern.
It uses Controllers, which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
- Install the CRDs into the cluster:
make deploy
- Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make run
NOTE: You can also run this in one step by running: make install run
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifests
NOTE: Run make --help
for more information on all potential make
targets
More information can be found via the Kubebuilder Documentation
- Build and push your image to the location specified by
IMG
:
make docker-buildx
Copyright 2023 AnaisUrlichs.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.