| 1 | +# Kubernetes based Todolist + Log4Shell exploit |
| 2 | +To deploy Todolist on Kubernetes along with the needed ldap backend for exploiting the Log4shell |
| 3 | +vulnerability: |
| 4 | + |
| 5 | +## Prerequisites |
| 6 | +1. A kubernetes cluster where you have permissions to create namespaces, deployments and services |
| 7 | +2. The `kubectl` client and credenials configuration |
| 8 | +3. Docker Desktop or docker-ce (for building and pushing images) |
| 9 | +4. A DockerHub account that you are logged in with at the command prompt (via `docker login`) |
| 10 | + |
| 11 | +## Quickstart |
| 12 | +Assuming you have your kubernetes cluster up and ready, from the top level of this repo you can run `./k8s-quickstart.sh` which will do the following: |
| 13 | +1. Builds todolist-goof image and pushes it to Docker Hub. _(see below for account/tagging info)_ |
| 14 | +2. Deploys the todolist to the `default` namespace in your kubernetes cluster along with a LoadBalancer type service |
| 15 | +3. Builds the log4shell-server image and pushes to Docker Hub. _(see below for account/tagging info)_ |
| 16 | +4. Deploys the log4shell-server and a pair of ClusterIP type services into a new namespace named `darkweb` in your Kubernetes cluster. |
| 17 | + |
| 18 | +NOTE: You will be prompted for your DockerHub account in order for the scripts to tag, push and pull the images. |
| 19 | +If you set and environmental variable named `DOCKER_ACCOUNT` to that account name, the script will pre-populate that prompt with it. |
| 20 | +```bash |
| 21 | +export DOCKER_ACCOUNT="yourdockeraccount" |
| 22 | +``` |
| 23 | +## Accessing the application |
| 24 | +Once complete, run `kubectl get svc` and note the IP Address or hostname of the `goof` service. |
| 25 | + |
| 26 | +You should be able to open a browser to http://{svc-ip-addr}/todolist and see the app |
| 27 | + |
| 28 | +#### EKS cluster notes |
| 29 | +* In order to perform NetworkPolicy egress examples, you will need to deploy the Calico CNI plugin as EKS does not implement NetworkPolicy by default. |
| 30 | + The `eks-calico.sh` script in `todolist-goof/k8s` will deploy this for you. (that script is sym-linked to the top level here too) |
| 31 | +* You should log into the AWS console and change inbound access for the good service's ELB to only allow your home IP, otherwise you *will* have audience members trying to mess with it. |
| 32 | + |
| 33 | +#### Docker Desktop Kubernetes notes |
| 34 | +* Docker Desktop automatically serves the goof service loadblancer external IP to your workstation's localhost so the app will be available at http://localhost/todolist |
| 35 | +* Docker Desktop Kubernetes CNI does not implement Network Policy so you will not be able to demonstrate any mitigation techniques that use that. |
| 36 | + |
| 37 | +#### Kind (Kubernetes on Docker) notes |
| 38 | +* Kind's default CNI does not currently support Network Policy so you should deploy your own using the instructions on their website. |
| 39 | +* If running Kind on top of Docker Desktop, you will need to run a port-forward to access the app. For example, use something like this: `kubectl port-forward service/goof 8000:80` and then access it via browser at http://localhost:8000/todolist |
| 40 | + |
| 41 | +## Quick cleanup |
| 42 | +Run the `/.k8s-quickstop.sh` script at the top level of this repo which will do the following: |
| 43 | +1. Deletes the todolist deployment and associated service in the `default` namespace |
| 44 | +2. Deletes the log4shell deployment and associated services in the `darkweb` namespace and deltes the namespace as well |
| 45 | + **Note:** This will not delete any additional objects you may have deployed such as NetworkPolicies. |
| 46 | + |
| 47 | +It is up to you to shut down your Kubernetes cluster as appropriate. |
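Review bot: the cleanup command in the "Quick cleanup" section reads `/.k8s-quickstop.sh`, which looks like a typo for `./k8s-quickstop.sh` (matching `./k8s-quickstart.sh` in the Quickstart section); please confirm the script path. Spelling slips in the same hunk: "credenials" in Prerequisites item 2, "set and environmental variable" in the NOTE under Quickstart should read "set an environment variable", "good service's ELB" in the EKS notes presumably means the `goof` service's ELB, "loadblancer" in the Docker Desktop notes, and "deltes" in Quick cleanup item 2. Since this README documents a deliberately exploitable application exposed through a LoadBalancer service, consider moving the advice to restrict inbound access to your own IP out of the EKS-only notes and into "Accessing the application" so it applies to any cloud provider, and, because the Quickstart pushes both the todolist-goof image and the log4shell-server image to Docker Hub, state whether those repositories are expected to be private.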