diff --git a/lesson-1-introduction-to-microservices-security/exercises/starter/Vagrantfile b/lesson-1-introduction-to-microservices-security/exercises/starter/Vagrantfile
index c189705..6dfac3a 100644
--- a/lesson-1-introduction-to-microservices-security/exercises/starter/Vagrantfile
+++ b/lesson-1-introduction-to-microservices-security/exercises/starter/Vagrantfile
@@ -4,8 +4,8 @@ ENV["TERM"]="linux"
 Vagrant.configure("2") do |config|
 # Use any version shown here https://app.vagrantup.com/opensuse/boxes/Leap-15.4.x86_64
- config.vm.box = "opensuse/Leap-15.4.x86_64"
- config.vm.box_version = "15.4.13.7"
+ config.vm.box = "opensuse/Leap-15.6.x86_64"
+ config.vm.box_version = "15.6.13.356"
 # st the static IP for the vagrant box
 config.vm.network "private_network", ip: "192.168.50.4"
diff --git a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Dockerfile b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Dockerfile
index 518119f..116cd7f 100644
--- a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Dockerfile
+++ b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Dockerfile
@@ -9,9 +9,11 @@ LABEL maintainer="nick.reva@snap.com"
 #define version
 LABEL version="V1"
-# create a directory to work in
-RUN mkdir udacity \
- && cd udacity
+# create a directory to work in (using mkdir -p to avoid errors)
+RUN mkdir -p /udacity
+
+# Set the working directory for subsequent instructions
+WORKDIR /udacity
 #install zypper
 RUN zypper refs && zypper refresh
diff --git a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Vagrantfile b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Vagrantfile
index c189705..6dfac3a 100644
--- a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Vagrantfile
+++ b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/Vagrantfile
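Review bot: `RUN mkdir -p /udacity` is redundant once `WORKDIR /udacity` follows it, because WORKDIR creates the directory when it does not exist, so the hunk adds an image layer for no effect; keeping only `WORKDIR /udacity` with the comment `# WORKDIR creates /udacity if needed and sets the cwd for later instructions` gives the same result. The removed `RUN mkdir udacity && cd udacity` was misleading in any case, since the `cd` did not outlive that RUN layer, and the new WORKDIR fixes that. The directory is created as root and no USER instruction is visible in this hunk; if the rest of this starter Dockerfile is the baseline the lesson asks learners to harden, a comment saying the image intentionally runs as root would make that explicit.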
@@ -4,8 +4,8 @@ ENV["TERM"]="linux"
 Vagrant.configure("2") do |config|
 # Use any version shown here https://app.vagrantup.com/opensuse/boxes/Leap-15.4.x86_64
- config.vm.box = "opensuse/Leap-15.4.x86_64"
- config.vm.box_version = "15.4.13.7"
+ config.vm.box = "opensuse/Leap-15.6.x86_64"
+ config.vm.box_version = "15.6.13.356"
 # st the static IP for the vagrant box
 config.vm.network "private_network", ip: "192.168.50.4"
diff --git a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/docs/CIS Docker Bench V1.20.pdf b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/docs/CIS Docker Bench V1.20.pdf
deleted file mode 100644
index 31aabe3..0000000
Binary files a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/docs/CIS Docker Bench V1.20.pdf and /dev/null differ
diff --git a/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/docs/CIS_Docker_Benchmark_V1.6.0.PDF b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/docs/CIS_Docker_Benchmark_V1.6.0.PDF
new file mode 100644
index 0000000..0c19cf1
Binary files /dev/null and b/lesson-3-docker-attack-surface-analysis-and-hardening/exercises/starter/docs/CIS_Docker_Benchmark_V1.6.0.PDF differ
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/cluster.yml b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/cluster.yml
deleted file mode 100644
index 7ac4477..0000000
--- a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/cluster.yml
+++ /dev/null
@@ -1,214 +0,0 @@ -# If you intened to deploy Kubernetes in an air-gapped environment, -# please consult the documentation on how to configure custom RKE images. -nodes: -- address: 192.168.50.101 - port: "22" - internal_address: 192.168.50.101 - role: - - controlplane - - etcd - hostname_override: nodecontrolplane - user: root - docker_socket: /var/run/docker.sock - ssh_key: "" - ssh_key_path: ~/.ssh/id_rsa - ssh_cert: "" - ssh_cert_path: "" - labels: {} - taints: [] -- address: 192.168.50.102 - port: "22" - internal_address: 192.168.50.102 - role: - - worker - hostname_override: nodeworker - user: root - docker_socket: /var/run/docker.sock - ssh_key: "" - ssh_key_path: ~/.ssh/id_rsa - ssh_cert: "" - ssh_cert_path: "" - labels: {} - taints: [] -services: - etcd: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - external_urls: [] - ca_cert: "" - cert: "" - key: "" - path: "" - uid: 0 - gid: 0 - snapshot: null - retention: "" - creation: "" - backup_config: null - kube-api: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - service_cluster_ip_range: 10.43.0.0/16 - service_node_port_range: "" - pod_security_policy: false - always_pull_images: false - secrets_encryption_config: null - audit_log: null - admission_configuration: null - event_rate_limit: null - kube-controller: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - cluster_cidr: 10.42.0.0/16 - service_cluster_ip_range: 10.43.0.0/16 - scheduler: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - kubelet: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - cluster_domain: cluster.local - infra_container_image: "" - 
cluster_dns_server: 10.43.0.10 - fail_swap_on: false - generate_serving_certificate: false - kubeproxy: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] -network: - plugin: calico - options: {} - mtu: 0 - node_selector: {} - update_strategy: null - tolerations: [] -authentication: - strategy: x509 - sans: [] - webhook: null -addons: "" -addons_include: [] -system_images: - etcd: rancher/coreos-etcd:v3.4.14-rancher1 - alpine: rancher/rke-tools:v0.1.72 - nginx_proxy: rancher/rke-tools:v0.1.72 - cert_downloader: rancher/rke-tools:v0.1.72 - kubernetes_services_sidecar: rancher/rke-tools:v0.1.72 - kubedns: rancher/k8s-dns-kube-dns:1.15.10 - dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.10 - kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.10 - kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1 - coredns: rancher/coredns-coredns:1.8.0 - coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1 - nodelocal: rancher/k8s-dns-node-cache:1.15.13 - kubernetes: rancher/hyperkube:v1.20.4-rancher1 - flannel: rancher/coreos-flannel:v0.13.0-rancher1 - flannel_cni: rancher/flannel-cni:v0.3.0-rancher6 - calico_node: rancher/calico-node:v3.17.2 - calico_cni: rancher/calico-cni:v3.17.2 - calico_controllers: rancher/calico-kube-controllers:v3.17.2 - calico_ctl: rancher/calico-ctl:v3.17.2 - calico_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2 - canal_node: rancher/calico-node:v3.17.2 - canal_cni: rancher/calico-cni:v3.17.2 - canal_controllers: rancher/calico-kube-controllers:v3.17.2 - canal_flannel: rancher/coreos-flannel:v0.13.0-rancher1 - canal_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2 - weave_node: weaveworks/weave-kube:2.8.1 - weave_cni: weaveworks/weave-npc:2.8.1 - pod_infra_container: rancher/pause:3.2 - ingress: rancher/nginx-ingress-controller:nginx-0.43.0-rancher1 - ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1 - metrics_server: 
rancher/metrics-server:v0.4.1 - windows_pod_infra_container: rancher/kubelet-pause:v0.1.6 - aci_cni_deploy_container: noiro/cnideploy:5.1.1.0.1ae238a - aci_host_container: noiro/aci-containers-host:5.1.1.0.1ae238a - aci_opflex_container: noiro/opflex:5.1.1.0.1ae238a - aci_mcast_container: noiro/opflex:5.1.1.0.1ae238a - aci_ovs_container: noiro/openvswitch:5.1.1.0.1ae238a - aci_controller_container: noiro/aci-containers-controller:5.1.1.0.1ae238a - aci_gbp_server_container: noiro/gbp-server:5.1.1.0.1ae238a - aci_opflex_server_container: noiro/opflex-server:5.1.1.0.1ae238a -ssh_key_path: ~/.ssh/id_rsa -ssh_cert_path: "" -ssh_agent_auth: false -authorization: - mode: rbac - options: {} -ignore_docker_version: null -kubernetes_version: "" -private_registries: [] -ingress: - provider: "" - options: {} - node_selector: {} - extra_args: {} - dns_policy: "" - extra_envs: [] - extra_volumes: [] - extra_volume_mounts: [] - update_strategy: null - http_port: 0 - https_port: 0 - network_mode: "" - tolerations: [] - default_backend: null - default_http_backend_priority_class_name: "" - nginx_ingress_controller_priority_class_name: "" -cluster_name: "" -cloud_provider: - name: "" -prefix_path: "" -win_prefix_path: "" -addon_job_timeout: 0 -bastion_host: - address: "" - port: "" - user: "" - ssh_key: "" - ssh_key_path: "" - ssh_cert: "" - ssh_cert_path: "" -monitoring: - provider: "" - options: {} - node_selector: {} - update_strategy: null - replicas: null - tolerations: [] - metrics_server_priority_class_name: "" -restore: - restore: false - snapshot_name: "" -rotate_encryption_key: false -dns: null diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/Vagrantfile b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/Vagrantfile index 5bef0fb..9a02da7 100644 --- a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/Vagrantfile +++ b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/Vagrantfile 
@@ -16,16 +16,18 @@ Vagrant.configure("2") do |config|
 # set base image for the vagrant box
 # config.vm.box = "opensuse/Leap-15.2.x86_64"
 # Use any version shown here https://app.vagrantup.com/opensuse/boxes/Leap-15.4.x86_64
- config.vm.box = "opensuse/Leap-15.4.x86_64"
- config.vm.box_version = "15.4.13.7"
- config.vm.hostname = "node#{i}"
+ config.vm.box = "opensuse/Leap-15.6.x86_64"
+ config.vm.box_version = "15.6.13.356"
+
+ # Set a unique hostname for each node
+ node.vm.hostname = "node#{i}"
 # set the static IP for the vagrant box
 node.vm.network "private_network", ip: "192.168.50.10#{i}"
 # configure the parameters for VirtualBox provider
 node.vm.provider "virtualbox" do |v|
 v.name = "node#{i}"
- v.memory = 2048
+ v.memory = 4096
 v.cpus = 2
 end
 # Bootstrap the machine
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/agent-config.yaml b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/agent-config.yaml
new file mode 100644
index 0000000..789213a
--- /dev/null
+++ b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/agent-config.yaml
@@ -0,0 +1,8 @@
+token: YOUR_SHARED_TOKEN
+server: https://192.168.50.101:9345
+node-name: node2
+node-ip: 192.168.50.102
+cni: calico
+disable-swap: true
+# k3s-agent-args:
+# - "--node-label=node-role.kubernetes.io/worker=true"
\ No newline at end of file
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/bootstrap.sh b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/bootstrap.sh
index 3c28024..60f475c 100644
--- a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/bootstrap.sh
+++ b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/bootstrap.sh
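Review bot: The box is still assigned on `config` while the hostname was moved to `node` in the same hunk, so `config.vm.box`/`config.vm.box_version` and `node.vm.hostname` now address different objects inside what appears to be a per-node `config.vm.define` block whose start and end lie outside the hunk. Assigning the outer `config` from inside the per-node block only works because every iteration writes the same value; `node.vm.box = "opensuse/Leap-15.6.x86_64"` and `node.vm.box_version = "15.6.13.356"` would keep the scope consistent with `node.vm.network` and `node.vm.provider` below. The context comment `# Use any version shown here https://app.vagrantup.com/opensuse/boxes/Leap-15.4.x86_64` still points at the 15.4 box list after the bump to 15.6, and the same stale comment is carried in the lesson-1, lesson-3 and lesson-6 Vagrantfile hunks. `v.memory = 4096` applies to every defined node, so a comment stating the total host RAM the lab now expects would avoid surprises on smaller machines.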
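Review bot: `token: YOUR_SHARED_TOKEN` is a placeholder that learners will replace with the cluster join secret, and nothing in the file says the real value must not be committed back; a header comment such as `# Replace YOUR_SHARED_TOKEN with the join token generated on the server node; never commit the real token` makes that explicit. The `server: https://192.168.50.101:9345` endpoint matches the `advertise-address` and the single `tls-san` entry in the new server-config.yaml, which is consistent, but `node-name: node2` and `node-ip: 192.168.50.102` are hard-coded while the Vagrantfile derives hostnames and addresses from `node#{i}`, so a comment tying the two together would help. The commented `# k3s-agent-args:` key does not follow the flat key-per-flag layout used by the rest of the file, so if it is meant as an example it should say which configuration format it belongs to. The file also ends without a trailing newline. The same points apply to the lesson-6 agent-config.yaml and to both server-config.yaml hunks.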
@@ -15,14 +15,20 @@ echo "[TASK 3] Disable apparmor"
 systemctl stop apparmor
 systemctl disable apparmor
-echo "[TASK 4] Set up rke user"
-useradd rke
-usermod -a -G docker rke
-systemctl restart docker
+# echo "[TASK 4] Set up rke user"
+# useradd rke
+# usermod -a -G docker rke
+# systemctl restart docker
-echo "[TASK 5] Copy auth_keys for rke user"
-mkdir -p /home/rke/.ssh
-usermod -d /home/rke/ rke
-cp /root/.ssh/authorized_keys /home/rke/.ssh
-chown rke /home/rke -R
+# echo "[TASK 5] Copy auth_keys for rke user"
+# mkdir -p /home/rke/.ssh
+# usermod -d /home/rke/ rke
+# cp /root/.ssh/authorized_keys /home/rke/.ssh
+# chown rke /home/rke -R
+echo "[TASK 6] Install kubectl"
+# Download and install kubectl
+curl -LO "https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl"
+sudo mv kubectl /usr/local/bin/
+sudo chmod +x /usr/local/bin/kubectl
+echo "kubectl installed successfully."
\ No newline at end of file
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/cluster.yml b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/cluster.yml
deleted file mode 100644
index ca16615..0000000
--- a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/cluster.yml
+++ /dev/null
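Review bot: The new `[TASK 6]` block downloads kubectl with `curl -LO` and moves it into `/usr/local/bin` without verifying the binary, so a truncated or tampered download is installed as root unchecked; the release channel publishes a `kubectl.sha256` next to the binary that can be compared before installing. `sudo` is also new here while the surrounding script already runs `systemctl stop apparmor` without it, which suggests it already runs as root, and `mv` followed by `chmod +x` can be a single `install -m 0755`. The lesson-6 bootstrap.sh hunk contains the identical block and needs the same change. The rke user setup is kept as commented-out lines rather than removed; since the RKE cluster.yml files are deleted in this commit, the dead lines could go too. The head of the script, including any `set -e`, is outside the hunk, so a curl failure may currently fall through into the `mv`.
```shell
echo "[TASK 6] Install kubectl"
# Download kubectl and its published checksum; refuse to install on mismatch
KUBECTL_VERSION="v1.32.2"
KUBECTL_URL="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64"
curl -fsSLO "${KUBECTL_URL}/kubectl"
curl -fsSLO "${KUBECTL_URL}/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check || { echo "kubectl checksum mismatch"; exit 1; }
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
rm -f kubectl kubectl.sha256
echo "kubectl installed successfully."
```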
@@ -1,215 +0,0 @@ -# If you intened to deploy Kubernetes in an air-gapped environment, -# please consult the documentation on how to configure custom RKE images. -nodes: -- address: 192.168.50.101 - port: "22" - internal_address: 192.168.50.101 - role: - - controlplane - - etcd - - worker - hostname_override: node1 - user: root - docker_socket: /var/run/docker.sock - ssh_key: "" - ssh_key_path: ~/.ssh/id_rsa - ssh_cert: "" - ssh_cert_path: "" - labels: {} - taints: [] -- address: 192.168.50.102 - port: "22" - internal_address: 192.168.50.102 - role: - - worker - hostname_override: node2 - user: root - docker_socket: /var/run/docker.sock - ssh_key: "" - ssh_key_path: ~/.ssh/id_rsa - ssh_cert: "" - ssh_cert_path: "" - labels: {} - taints: [] -services: - etcd: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - external_urls: [] - ca_cert: "" - cert: "" - key: "" - path: "" - uid: 0 - gid: 0 - snapshot: null - retention: "" - creation: "" - backup_config: null - kube-api: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - service_cluster_ip_range: 10.43.0.0/16 - service_node_port_range: "" - pod_security_policy: false - always_pull_images: false - secrets_encryption_config: null - audit_log: null - admission_configuration: null - event_rate_limit: null - kube-controller: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - cluster_cidr: 10.42.0.0/16 - service_cluster_ip_range: 10.43.0.0/16 - scheduler: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - kubelet: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - cluster_domain: cluster.local - infra_container_image: "" - cluster_dns_server: 
10.43.0.10 - fail_swap_on: false - generate_serving_certificate: false - kubeproxy: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] -network: - plugin: calico - options: {} - mtu: 0 - node_selector: {} - update_strategy: null - tolerations: [] -authentication: - strategy: x509 - sans: [] - webhook: null -addons: "" -addons_include: [] -system_images: - etcd: rancher/coreos-etcd:v3.4.14-rancher1 - alpine: rancher/rke-tools:v0.1.72 - nginx_proxy: rancher/rke-tools:v0.1.72 - cert_downloader: rancher/rke-tools:v0.1.72 - kubernetes_services_sidecar: rancher/rke-tools:v0.1.72 - kubedns: rancher/k8s-dns-kube-dns:1.15.10 - dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.10 - kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.10 - kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1 - coredns: rancher/coredns-coredns:1.8.0 - coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1 - nodelocal: rancher/k8s-dns-node-cache:1.15.13 - kubernetes: rancher/hyperkube:v1.20.4-rancher1 - flannel: rancher/coreos-flannel:v0.13.0-rancher1 - flannel_cni: rancher/flannel-cni:v0.3.0-rancher6 - calico_node: rancher/calico-node:v3.17.2 - calico_cni: rancher/calico-cni:v3.17.2 - calico_controllers: rancher/calico-kube-controllers:v3.17.2 - calico_ctl: rancher/calico-ctl:v3.17.2 - calico_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2 - canal_node: rancher/calico-node:v3.17.2 - canal_cni: rancher/calico-cni:v3.17.2 - canal_controllers: rancher/calico-kube-controllers:v3.17.2 - canal_flannel: rancher/coreos-flannel:v0.13.0-rancher1 - canal_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2 - weave_node: weaveworks/weave-kube:2.8.1 - weave_cni: weaveworks/weave-npc:2.8.1 - pod_infra_container: rancher/pause:3.2 - ingress: rancher/nginx-ingress-controller:nginx-0.43.0-rancher1 - ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1 - metrics_server: rancher/metrics-server:v0.4.1 - 
windows_pod_infra_container: rancher/kubelet-pause:v0.1.6 - aci_cni_deploy_container: noiro/cnideploy:5.1.1.0.1ae238a - aci_host_container: noiro/aci-containers-host:5.1.1.0.1ae238a - aci_opflex_container: noiro/opflex:5.1.1.0.1ae238a - aci_mcast_container: noiro/opflex:5.1.1.0.1ae238a - aci_ovs_container: noiro/openvswitch:5.1.1.0.1ae238a - aci_controller_container: noiro/aci-containers-controller:5.1.1.0.1ae238a - aci_gbp_server_container: noiro/gbp-server:5.1.1.0.1ae238a - aci_opflex_server_container: noiro/opflex-server:5.1.1.0.1ae238a -ssh_key_path: ~/.ssh/id_rsa -ssh_cert_path: "" -ssh_agent_auth: false -authorization: - mode: rbac - options: {} -ignore_docker_version: null -kubernetes_version: "" -private_registries: [] -ingress: - provider: "" - options: {} - node_selector: {} - extra_args: {} - dns_policy: "" - extra_envs: [] - extra_volumes: [] - extra_volume_mounts: [] - update_strategy: null - http_port: 0 - https_port: 0 - network_mode: "" - tolerations: [] - default_backend: null - default_http_backend_priority_class_name: "" - nginx_ingress_controller_priority_class_name: "" -cluster_name: "" -cloud_provider: - name: "" -prefix_path: "" -win_prefix_path: "" -addon_job_timeout: 0 -bastion_host: - address: "" - port: "" - user: "" - ssh_key: "" - ssh_key_path: "" - ssh_cert: "" - ssh_cert_path: "" -monitoring: - provider: "" - options: {} - node_selector: {} - update_strategy: null - replicas: null - tolerations: [] - metrics_server_priority_class_name: "" -restore: - restore: false - snapshot_name: "" -rotate_encryption_key: false -dns: null 
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/docs/CIS Kubernetes Benchmark v1.10 PDF.pdf b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/docs/CIS Kubernetes Benchmark v1.10 PDF.pdf
new file mode 100644
index 0000000..5095bd2
Binary files /dev/null and b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/docs/CIS Kubernetes Benchmark v1.10 PDF.pdf differ
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/docs/CIS_Kubernetes_Benchmark_v1.6.0.pdf b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/docs/CIS_Kubernetes_Benchmark_v1.6.0.pdf
deleted file mode 100644
index d53c043..0000000
Binary files a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/docs/CIS_Kubernetes_Benchmark_v1.6.0.pdf and /dev/null differ
diff --git a/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/server-config.yaml b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/server-config.yaml
new file mode 100644
index 0000000..3af4637
--- /dev/null
+++ b/lesson-4-kubernetes-attack-surface-and-hardening/exercises/starter/server-config.yaml
@@ -0,0 +1,12 @@
+node-name: node1
+node-ip: 192.168.50.101
+advertise-address: 192.168.50.101
+tls-san:
+ - 192.168.50.101
+cni: calico
+cluster-cidr: 10.42.0.0/16
+service-cidr: 10.43.0.0/16
+cluster-domain: cluster.local
+disable-swap: true
+# k3s-server-args:
+# - "--node-label=node-role.kubernetes.io/worker=true"
\ No newline at end of file
diff --git a/lesson-5-software-composition-analysis/exercises/starter/vuln_app/requirements.txt b/lesson-5-software-composition-analysis/exercises/starter/vuln_app/requirements.txt
index 6b37c81..be6ed8d 100644
--- a/lesson-5-software-composition-analysis/exercises/starter/vuln_app/requirements.txt
+++ b/lesson-5-software-composition-analysis/exercises/starter/vuln_app/requirements.txt
@@ -1,18 +1,18 @@
 aiohttp-jinja2==1.1.0
 aiohttp-session==2.7.0
-aiohttp==4.0.0a0
+aiohttp==3.5.3
 aiopg==0.15.0
 aioredis==1.2.0
 async-timeout==3.0.1 # via aiohttp, aioredis
 attrs==18.2.0 # via aiohttp
 chardet==3.0.4 # via aiohttp
-hiredis==1.0.0 # via aioredis
+hiredis==0.3.1 # via aioredis
 idna==2.8 # via yarl
-jinja2==2.11.3 # via aiohttp-jinja2
+jinja2==2.10 # via aiohttp-jinja2
 markupsafe==1.1.0 # via jinja2
 multidict==4.5.2 # via aiohttp, yarl
 psycopg2==2.7.6.1 # via aiopg
-pyyaml==5.4.1
+pyyaml==3.13
 trafaret-config==2.0.2
 trafaret==1.2.0
 yarl==1.3.0 # via aiohttp
diff --git a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/Vagrantfile b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/Vagrantfile
index 6539b41..ee35876 100644
--- a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/Vagrantfile
+++ b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/Vagrantfile
@@ -15,11 +15,13 @@ Vagrant.configure("2") do |config|
 config.vm.define "node#{i}" do |node|
 # set base image for the vagrant box
 # Use any version shown here https://app.vagrantup.com/opensuse/boxes/Leap-15.4.x86_64
- config.vm.box = "opensuse/Leap-15.4.x86_64"
- config.vm.box_version = "15.4.13.7"
+ config.vm.box = "opensuse/Leap-15.6.x86_64"
+ config.vm.box_version = "15.6.13.356"
 # Run ifconfig or ip a to find the appropriate interface
- config.vm.network "public_network", :adapter=>3, bridge: "br1"
+ # config.vm.network "public_network", :adapter=>3, bridge: "br1"
+ # This is for the cloud lab environment if you are setting up a local environment uncomment the above line. Comment the below line
+ config.vm.network "public_network", :adapter=>3, bridge: "eth0"
 # NOTE: This will enable public access to the opened port
 # config.vm.network "forwarded_port", guest: 8080, host: 8080
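Review bot: Every change in this hunk moves a pin to an older release (`aiohttp==3.5.3`, `hiredis==0.3.1`, `jinja2==2.10`, `pyyaml==3.13`), which is presumably deliberate for a `vuln_app` used in the software composition analysis lesson, but the file does not say so and a later maintainer or an automated dependency bot will try to undo it. A header line such as `# Versions are intentionally pinned to outdated releases for the SCA exercise; do not upgrade without updating the lesson` records the intent. If specific scanner findings are expected from these pins, naming the advisory each pin is meant to surface in that comment would let the exercise be re-validated when the scanner's database changes.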
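Review bot: The new comment `# This is for the cloud lab environment if you are setting up a local environment uncomment the above line. Comment the below line` is hard to parse and sits under the older `# Run ifconfig or ip a to find the appropriate interface`, so a learner cannot tell which bridge to edit; `# Cloud lab: bridge to eth0. Local setup: comment this line and uncomment the br1 line above.` says the same thing clearly. Bridging the node onto the host's `eth0` with `public_network` makes every port the box opens reachable from the host's network, and the existing `# NOTE: This will enable public access to the opened port` warns about that only next to the commented forwarded_port line, so the warning belongs beside the bridge line as well. As in the lesson-4 hunk, `config.vm.box` and `config.vm.network` are set on the outer `config` inside the `node` define block while the provider section uses `node`; `node.vm.network "public_network", :adapter=>3, bridge: "eth0"` keeps the per-node scope consistent. The define block starts and ends outside this hunk.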
@@ -33,7 +35,7 @@ Vagrant.configure("2") do |config|
 # configure the parameters for VirtualBox provider
 node.vm.provider "virtualbox" do |v|
 v.name = "node#{i}"
- v.memory = 4096
+ v.memory = 8192
 v.cpus = 2
 end
 # Bootstrap the machine
diff --git a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/agent-config.yaml b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/agent-config.yaml
new file mode 100644
index 0000000..789213a
--- /dev/null
+++ b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/agent-config.yaml
@@ -0,0 +1,8 @@
+token: YOUR_SHARED_TOKEN
+server: https://192.168.50.101:9345
+node-name: node2
+node-ip: 192.168.50.102
+cni: calico
+disable-swap: true
+# k3s-agent-args:
+# - "--node-label=node-role.kubernetes.io/worker=true"
\ No newline at end of file
diff --git a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/bootstrap.sh b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/bootstrap.sh
index 89b29d4..3efa9b3 100644
--- a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/bootstrap.sh
+++ b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/bootstrap.sh
@@ -15,13 +15,20 @@ echo "[TASK 3] Disable apparmor"
 systemctl stop apparmor
 systemctl disable apparmor
-echo "[TASK 4] Set up rke user"
-useradd rke
-usermod -a -G docker rke
-systemctl restart docker
+# echo "[TASK 4] Set up rke user"
+# useradd rke
+# usermod -a -G docker rke
+# systemctl restart docker
+
+# echo "[TASK 5] Copy auth_keys for rke user"
+# mkdir -p /home/rke/.ssh
+# usermod -d /home/rke/ rke
+# cp /root/.ssh/authorized_keys /home/rke/.ssh
+# chown rke /home/rke -R
-echo "[TASK 5] Copy auth_keys for rke user"
-mkdir -p /home/rke/.ssh
-usermod -d /home/rke/ rke
-cp /root/.ssh/authorized_keys /home/rke/.ssh
-chown rke /home/rke -R
+echo "[TASK 6] Install kubectl"
+# Download and install kubectl
+curl -LO "https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl"
+sudo mv kubectl /usr/local/bin/
+sudo chmod +x /usr/local/bin/kubectl
+echo "kubectl installed successfully."
diff --git a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/cluster.yml b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/cluster.yml
deleted file mode 100644
index f00e9ba..0000000
--- a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/cluster.yml
+++ /dev/null
@@ -1,201 +0,0 @@ -# If you intened to deploy Kubernetes in an air-gapped environment, -# please consult the documentation on how to configure custom RKE images. -nodes: -- address: 192.168.50.101 - port: "22" - internal_address: 192.168.50.101 - role: - - controlplane - - worker - - etcd - hostname_override: localhost - user: root - docker_socket: /var/run/docker.sock - ssh_key: "" - ssh_key_path: ~/.ssh/id_rsa - ssh_cert: "" - ssh_cert_path: "" - labels: {} - taints: [] -services: - etcd: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - external_urls: [] - ca_cert: "" - cert: "" - key: "" - path: "" - uid: 0 - gid: 0 - snapshot: null - retention: "" - creation: "" - backup_config: null - kube-api: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - service_cluster_ip_range: 10.43.0.0/16 - service_node_port_range: "" - pod_security_policy: false - always_pull_images: false - secrets_encryption_config: null - audit_log: null - admission_configuration: null - event_rate_limit: null - kube-controller: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - cluster_cidr: 10.42.0.0/16 - service_cluster_ip_range: 10.43.0.0/16 - scheduler: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - kubelet: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] - cluster_domain: cluster.local - infra_container_image: "" - cluster_dns_server: 10.43.0.10 - fail_swap_on: false - generate_serving_certificate: false - kubeproxy: - image: "" - extra_args: {} - extra_binds: [] - extra_env: [] - win_extra_args: {} - win_extra_binds: [] - win_extra_env: [] -network: - plugin: canal - options: {} - mtu: 0 - node_selector: 
{} - update_strategy: null - tolerations: [] -authentication: - strategy: x509 - sans: [] - webhook: null -addons: "" -addons_include: [] -system_images: - etcd: rancher/coreos-etcd:v3.4.14-rancher1 - alpine: rancher/rke-tools:v0.1.72 - nginx_proxy: rancher/rke-tools:v0.1.72 - cert_downloader: rancher/rke-tools:v0.1.72 - kubernetes_services_sidecar: rancher/rke-tools:v0.1.72 - kubedns: rancher/k8s-dns-kube-dns:1.15.10 - dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.10 - kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.10 - kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1 - coredns: rancher/coredns-coredns:1.8.0 - coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.8.1 - nodelocal: rancher/k8s-dns-node-cache:1.15.13 - kubernetes: rancher/hyperkube:v1.20.4-rancher1 - flannel: rancher/coreos-flannel:v0.13.0-rancher1 - flannel_cni: rancher/flannel-cni:v0.3.0-rancher6 - calico_node: rancher/calico-node:v3.17.2 - calico_cni: rancher/calico-cni:v3.17.2 - calico_controllers: rancher/calico-kube-controllers:v3.17.2 - calico_ctl: rancher/calico-ctl:v3.17.2 - calico_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2 - canal_node: rancher/calico-node:v3.17.2 - canal_cni: rancher/calico-cni:v3.17.2 - canal_controllers: rancher/calico-kube-controllers:v3.17.2 - canal_flannel: rancher/coreos-flannel:v0.13.0-rancher1 - canal_flexvol: rancher/calico-pod2daemon-flexvol:v3.17.2 - weave_node: weaveworks/weave-kube:2.8.1 - weave_cni: weaveworks/weave-npc:2.8.1 - pod_infra_container: rancher/pause:3.2 - ingress: rancher/nginx-ingress-controller:nginx-0.43.0-rancher1 - ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1 - metrics_server: rancher/metrics-server:v0.4.1 - windows_pod_infra_container: rancher/kubelet-pause:v0.1.6 - aci_cni_deploy_container: noiro/cnideploy:5.1.1.0.1ae238a - aci_host_container: noiro/aci-containers-host:5.1.1.0.1ae238a - aci_opflex_container: noiro/opflex:5.1.1.0.1ae238a - aci_mcast_container: 
noiro/opflex:5.1.1.0.1ae238a - aci_ovs_container: noiro/openvswitch:5.1.1.0.1ae238a - aci_controller_container: noiro/aci-containers-controller:5.1.1.0.1ae238a - aci_gbp_server_container: noiro/gbp-server:5.1.1.0.1ae238a - aci_opflex_server_container: noiro/opflex-server:5.1.1.0.1ae238a -ssh_key_path: ~/.ssh/id_rsa -ssh_cert_path: "" -ssh_agent_auth: false -authorization: - mode: rbac - options: {} -ignore_docker_version: null -kubernetes_version: "" -private_registries: [] -ingress: - provider: "" - options: {} - node_selector: {} - extra_args: {} - dns_policy: "" - extra_envs: [] - extra_volumes: [] - extra_volume_mounts: [] - update_strategy: null - http_port: 0 - https_port: 0 - network_mode: "" - tolerations: [] - default_backend: null - default_http_backend_priority_class_name: "" - nginx_ingress_controller_priority_class_name: "" -cluster_name: "" -cloud_provider: - name: "" -prefix_path: "" -win_prefix_path: "" -addon_job_timeout: 0 -bastion_host: - address: "" - port: "" - user: "" - ssh_key: "" - ssh_key_path: "" - ssh_cert: "" - ssh_cert_path: "" -monitoring: - provider: "" - options: {} - node_selector: {} - update_strategy: null - replicas: null - tolerations: [] - metrics_server_priority_class_name: "" -restore: - restore: false - snapshot_name: "" -rotate_encryption_key: false -dns: null diff --git a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/payload.sh b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/payload.sh index 1eec6b4..6e1c479 100755 --- a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/payload.sh +++ b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/payload.sh 
@@ -1,9 +1,9 @@
 #!/bin/bash
 #start monero_cpu_moneropool:latest
-kubectl run --kubeconfig kube_config_cluster.yml moneropool --image=servethehome/monero_cpu_moneropool:latest --replicas=1
+kubectl run moneropool --image=servethehome/monero_cpu_moneropool:latest
 #start xmrpooldotnet
-kubectl run --kubeconfig kube_config_cluster.yml xmrpooldotnet --image=servethehome/monero_cpu_xmrpooldotnet:latest --replicas=1
+kubectl run xmrpooldotnet --image=servethehome/monero_cpu_xmrpooldotnet:latest
 #start minergate
-kubectl run --kubeconfig kube_config_cluster.yml minergate --image=servethehome/monero_cpu_minergate:latest --replicas=1
+kubectl run minergate --image=servethehome/monero_cpu_minergate:latest
 echo "Can you identify the payload(s)?"
\ No newline at end of file
diff --git a/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/server-config.yaml b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/server-config.yaml
new file mode 100644
index 0000000..3af4637
--- /dev/null
+++ b/lesson-6-runtime-monitoring-and-incident-response/exercises/starter/server-config.yaml
@@ -0,0 +1,12 @@
+node-name: node1
+node-ip: 192.168.50.101
+advertise-address: 192.168.50.101
+tls-san:
+ - 192.168.50.101
+cni: calico
+cluster-cidr: 10.42.0.0/16
+service-cidr: 10.43.0.0/16
+cluster-domain: cluster.local
+disable-swap: true
+# k3s-server-args:
+# - "--node-label=node-role.kubernetes.io/worker=true"
\ No newline at end of file
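Review bot: Dropping `--replicas=1` changes what `kubectl run` creates: on current kubectl the command starts a single bare Pod rather than a Deployment, so the simulated workload is not rescheduled once the pod is deleted, and the kubeconfig is now resolved from `KUBECONFIG` or `~/.kube/config` instead of the removed `kube_config_cluster.yml`. Neither is stated in the script, and the lesson's detection and response exercise depends on knowing which object to look for; a comment near the top such as `# Requires kubectl to be pointed at the lab cluster via KUBECONFIG; each run creates one bare Pod, not a Deployment` records both. The three `#start` comments still describe the old behaviour, and the file ends without a trailing newline.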