This is a demo of security in Kubernetes and Istio.
It covers the problems a service on Kubernetes faces and how to protect it with Istio.
This demo was used at Open Source Summit Japan 2018.
The slides of the demo overview are here.
- Wiretap
  - The attacker tries to wiretap the communication in the Kubernetes cluster.
- Spoofing (Already Password Leaked)
  - The attacker tries to get secret information by using the password.
- Worse Case Spoofing (Already Password and Certificate Leaked)
  - The attacker tries to get secret information by using the password and the Istio certificate.
- Istio
  - To deploy apps in Istio, install Istio to your Kubernetes cluster. Please see the official page for more detail.
  - You can install Istio with the following steps.
    - cd system
    - vi helm_values.yaml (if needed)
    - ./install-istio.sh
- Nginx Ingress Controller
  - In order to deploy sample apps without Istio, sectest requires Nginx Ingress Controller.
  - You can install Nginx Ingress Controller with the following step.
    - kubectl apply -f system/ingress-controller-nginx.yaml
- deploy sample application
  - create the secret file
    - cd kubernetes
    - ./make_secret.sh
  - deploy the apps with kubectl and access them from your web browser
    - cd kubernetes
    - kubectl apply -f .
    - access https://<ingress-controller-address>
  - check the program
    - Please input the user name and password. If your apps work normally, you can get the secret message.
    - User: "root" Password: "ossj_sectest"
- create attacker and protect by Istio
  - Please see attacker/command_docs/*.txt and attacker/command_docs/countermeasure/*.txt for more detail.