Merge pull request #94 from qing-root/TerraformGoat-B2

add apiserver unauth and dashboard vul lab

Author: qing-root

kubernetes/apiserver/dashboard/main.tf

@@ -0,0 +1,82 @@
+resource "alicloud_instance" "instance" {
+  security_groups            = alicloud_security_group.group.*.id
+  instance_type              = data.alicloud_instance_types.types_ds.instance_types.0.id
+  image_id                   = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
+  instance_name              = "huocorp_terraform_goat_instance"
+  vswitch_id                 = alicloud_vswitch.vswitch.id
+  system_disk_size           = 20
+  internet_max_bandwidth_out = 100
+  password                   = "Huoxian@123" // 虚拟机密码
+
+  provisioner "file" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+
+    source      = "resource/kk"
+    destination = "/root/kk" // deploy_k8s.sh用来安装k8s
+  }
+
+  provisioner "remote-exec" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+    script = "resource/deploy_k8s.sh"
+  }
+
+  depends_on = [
+    alicloud_security_group.group,
+    alicloud_vswitch.vswitch,
+  ]
+}
+
+resource "alicloud_security_group" "group" {
+  name   = "huocorp_terraform_goat_security_group"
+  vpc_id = alicloud_vpc.vpc.id
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+resource "alicloud_security_group_rule" "allow_all_tcp" {
+  type              = "ingress"
+  ip_protocol       = "tcp"
+  nic_type          = "intranet"
+  policy            = "accept"
+  port_range        = "1/65535" // 允许访问所有端口
+  priority          = 1
+  security_group_id = alicloud_security_group.group.id
+  cidr_ip           = "0.0.0.0/0"
+  depends_on = [
+    alicloud_security_group.group
+  ]
+}
+
+resource "alicloud_vpc" "vpc" {
+  vpc_name   = "huocorp_terraform_goat_vpc"
+  cidr_block = "172.16.0.0/16"
+}
+
+resource "alicloud_vswitch" "vswitch" {
+  vpc_id       = alicloud_vpc.vpc.id
+  cidr_block   = "172.16.0.0/24"
+  zone_id      = "cn-beijing-h"
+  vswitch_name = "huocorp_terraform_goat_vswitch"
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+// kubekey安装k8s集群，配置要求至少 2核4g
+data "alicloud_instance_types" "types_ds" {
+  cpu_core_count = 2
+  memory_size    = 4
+}

kubernetes/apiserver/dashboard/outputs.tf

@@ -0,0 +1,4 @@
+output "dashborad_unauth_lab_address_link" {
+  value       = "http://${alicloud_instance.instance.public_ip}:8001"
+  description = "dashborad un-auth lab address link."
+}

kubernetes/apiserver/dashboard/resource/ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
+cm5ldGVzMB4XDTIyMDUyNTAwMzAwNVoXDTMyMDUyMjAwMzAwNVowFTETMBEGA1UE
+AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALeq
+u/bFhznjf680PsYxipm6lc4yuE+LJNZoonkxTMN7gmnuS9bfi15wARsWL3j3krjq
+j6p/FqwaHqUEYkfPgAPm3SVW7fx2NFCfm4mBMympP3yGYDSI2QfajLvHJJqlommY
+BoGAJY9OoA8HC/lQciRH0ac0b2eWt01u01uUCjVqhKpyoSYScf/w8x3CGDtd/ikW
+tVR9eygk6voB72qNOkGemWIkIu0cdeqCyyV6mZ9NZdZVaKdMrxxD8rSwBIshAHdQ
+og6jMGqZ5vEaFXYIj0l8liouxz46d7FywwSrFQFp3mNkf1gxINs6mUuOtl1wabEM
+54RAV7jyuItYbQUAt8kCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFN+879R6nxWe58q30Bk1woRY2iVWMA0GCSqGSIb3
+DQEBCwUAA4IBAQB2dtMsFOjA5tx9+E62l/6vFPRXoGX+M1bYHGedcocVKGc/0wm+
+oqdJPaYH67XztQdBIWRAXqF/KWj5g0TzZDM0yala1XgPp2ENZzDz/h0ysc2FLix+
+yNNGt2t5Ou3JEEAnuT6DkDjrNlVXgfZu3cPkhWYt2hb59GTDKJ+mZyldXRnjx2hF
+z0uaSgwpBOfvUIRl/WoxaIT/xW7VPBUZpGlWYe5cLXQKhJlmfWG0QpeRTXyh4TnY
+iSGGP4BH4NXMDRSv/WuMWH/6mgzc4n1Ne6J4pdiBx3MXaLDjWPJIekNO8Oza04h2
+bI3DrdZLUY5afZ8/BU27HyS3sBJTFfoxwNSA
+-----END CERTIFICATE-----

kubernetes/apiserver/dashboard/resource/deploy_k8s.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+function deploy_k8s(){
+  export KKZONE=cn
+
+  # /root/kk 已经通过terrraform provisioner拷贝主机
+  chmod 755 /root/kk
+
+  apt-get update -y
+  apt-get install -y conntrack ebtables socat
+
+  /root/kk create cluster --with-kubernetes v1.21.5 -y
+  
+
+
+}
+
+# apiverser没有任何身份认证
+function deploy_vuln_dashboard(){
+  # 备份
+  apiserver_config_path=/etc/kubernetes/manifests/kube-apiserver.yaml
+  command_path=/usr/local/bin/kube-apiserver
+
+
+  #安装dashborad
+  curl https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.0/aio/deploy/recommended.yaml -o ~/recommended.yaml
+
+  #将"system:anonymous"用户绑定到"cluster-admin"用户组
+  kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
+  echo "[done] 'anonymous cluster-admin ' create"
+
+  # 修改apiserver 配置
+  sed -i '/auto-generate-certificates/a\ \ \ \ -\ --enable-skip-login/' ~/recommended.yaml
+  echo "[done] dashboard config change"
+  kubectl apply -f ~/recommended.yaml
+  sleep 6
+  #打开 dashboard （默认端口 8001）
+  #http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
+  kubectl proxy &
+  sleep 3
+  echo "[done] 'dashborad' restart"
+}
+
+
+deploy_k8s
+echo "[done] 'k8s cluster' deploy" && sleep 60
+deploy_vuln_dashboard

kubernetes/apiserver/dashboard/resource/kk

@@ -0,0 +1,85 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 9 (0x9)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=kubernetes
+        Validity
+            Not Before: Jun 23 08:16:19 2022 GMT
+            Not After : Jun 23 08:16:19 2023 GMT
+        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c9:21:00:b4:ad:b7:db:80:68:dd:38:08:29:02:
+                    16:e3:ca:10:f2:7b:95:62:90:16:7f:b1:3e:ac:98:
+                    1e:87:06:59:28:fb:54:86:f6:d2:9f:ef:cf:57:a2:
+                    44:ba:fb:7f:c4:24:a5:d5:2b:ca:c4:ed:c7:03:af:
+                    92:6f:21:ea:8f:80:e7:01:d1:b4:85:d2:43:ff:3a:
+                    f6:84:15:df:8a:05:bb:11:c2:76:39:5f:8a:d6:7d:
+                    97:0f:8d:c4:15:b1:60:4d:f3:e8:3d:dc:ff:94:45:
+                    ea:ae:be:df:94:45:0b:cd:7d:2d:b2:9f:d1:d8:d8:
+                    32:17:01:78:a4:7b:35:e8:b6:24:74:05:57:cb:2e:
+                    10:6d:ec:b8:e7:f1:5f:7b:4f:3b:48:8f:70:d6:9c:
+                    68:d3:2d:3c:22:78:c0:e6:03:89:3b:2a:c8:d3:52:
+                    70:c4:28:78:fb:6b:38:21:ba:75:a4:5f:95:11:ef:
+                    51:f3:bd:35:5d:aa:89:d6:6a:6b:e4:4e:b9:c9:f5:
+                    c8:e1:e6:f6:69:e2:63:2e:6d:02:fe:45:b1:3e:d6:
+                    5c:3d:5d:ff:ac:21:21:15:ed:73:e7:18:2c:ef:a2:
+                    a2:37:bb:61:93:a3:11:bb:f6:67:b4:c4:a1:08:28:
+                    4b:d5:e1:a8:a6:f0:49:c0:ab:07:3a:c3:83:0f:47:
+                    65:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                DB:15:B4:EB:B2:BD:4D:D3:1E:BA:51:D7:C9:69:AF:77:10:43:D1:84
+            X509v3 Authority Key Identifier: 
+                keyid:DF:BC:EF:D4:7A:9F:15:9E:E7:CA:B7:D0:19:35:C2:84:58:DA:25:56
+
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:*.org.example.com, DNS:*.example.com, DNS:agnhost-service.default.svc, IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         97:64:b0:ad:73:25:22:20:9c:40:60:fd:ab:0b:8c:08:de:09:
+         5c:57:23:ab:cc:97:6e:f4:d5:be:1f:64:a1:38:9e:74:31:85:
+         33:ee:94:94:ba:7b:67:0a:00:a2:3c:c8:fd:3c:dd:fa:c0:e3:
+         42:96:09:e5:09:e4:40:a1:a0:61:33:ed:68:27:1d:b2:94:8e:
+         6f:0d:73:72:53:38:73:ec:a9:4b:3f:5e:74:f8:5b:39:7a:99:
+         a6:ec:df:0f:4a:e3:04:e2:78:c2:01:f6:c6:1c:55:d6:e5:1e:
+         f8:28:dd:d1:26:77:cb:7e:22:26:3d:68:52:20:db:bb:06:b9:
+         ea:1e:d5:40:b6:be:f0:74:09:cf:57:d5:82:d5:04:81:59:f9:
+         a0:4f:c8:d1:49:fc:bc:86:88:38:70:17:0a:b5:6b:2d:ce:5c:
+         22:55:a4:ad:3c:e7:ff:3a:c7:52:b1:89:23:9e:0f:05:ac:75:
+         5f:33:ac:a4:d8:a3:c1:6f:37:21:7c:b1:22:23:50:21:7d:db:
+         dc:82:b3:fc:8a:45:1d:16:1b:aa:06:f1:18:f0:90:ce:45:5c:
+         45:03:c8:f6:13:37:0d:a7:57:7b:a0:92:15:e9:39:cf:f8:3b:
+         b8:5f:51:c6:a9:d1:68:0e:2c:e3:42:f3:86:f2:71:1f:79:9b:
+         61:b5:ee:b5
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIBCTANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
+cm5ldGVzMB4XDTIyMDYyMzA4MTYxOVoXDTIzMDYyMzA4MTYxOVowRTELMAkGA1UE
+BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp
+ZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMkh
+ALStt9uAaN04CCkCFuPKEPJ7lWKQFn+xPqyYHocGWSj7VIb20p/vz1eiRLr7f8Qk
+pdUrysTtxwOvkm8h6o+A5wHRtIXSQ/869oQV34oFuxHCdjlfitZ9lw+NxBWxYE3z
+6D3c/5RF6q6+35RFC819LbKf0djYMhcBeKR7Nei2JHQFV8suEG3suOfxX3tPO0iP
+cNacaNMtPCJ4wOYDiTsqyNNScMQoePtrOCG6daRflRHvUfO9NV2qidZqa+ROucn1
+yOHm9mniYy5tAv5FsT7WXD1d/6whIRXtc+cYLO+ioje7YZOjEbv2Z7TEoQgoS9Xh
+qKbwScCrBzrDgw9HZRECAwEAAaOB2TCB1jAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB
+DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU2xW0
+67K9TdMeulHXyWmvdxBD0YQwHwYDVR0jBBgwFoAU37zv1HqfFZ7nyrfQGTXChFja
+JVYwCwYDVR0PBAQDAgXgME4GA1UdEQRHMEWCESoub3JnLmV4YW1wbGUuY29tgg0q
+LmV4YW1wbGUuY29tghthZ25ob3N0LXNlcnZpY2UuZGVmYXVsdC5zdmOHBH8AAAEw
+DQYJKoZIhvcNAQELBQADggEBAJdksK1zJSIgnEBg/asLjAjeCVxXI6vMl2701b4f
+ZKE4nnQxhTPulJS6e2cKAKI8yP083frA40KWCeUJ5EChoGEz7WgnHbKUjm8Nc3JT
+OHPsqUs/XnT4Wzl6mabs3w9K4wTieMIB9sYcVdblHvgo3dEmd8t+IiY9aFIg27sG
+ueoe1UC2vvB0Cc9X1YLVBIFZ+aBPyNFJ/LyGiDhwFwq1ay3OXCJVpK085/86x1Kx
+iSOeDwWsdV8zrKTYo8FvNyF8sSIjUCF929yCs/yKRR0WG6oG8RjwkM5FXEUDyPYT
+Nw2nV3ugkhXpOc/4O7hfUcap0WgOLONC84bycR95m2G17rU=
+-----END CERTIFICATE-----

kubernetes/apiserver/dashboard/resource/server.crt

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAySEAtK2324Bo3TgIKQIW48oQ8nuVYpAWf7E+rJgehwZZKPtU
+hvbSn+/PV6JEuvt/xCSl1SvKxO3HA6+SbyHqj4DnAdG0hdJD/zr2hBXfigW7EcJ2
+OV+K1n2XD43EFbFgTfPoPdz/lEXqrr7flEULzX0tsp/R2NgyFwF4pHs16LYkdAVX
+yy4Qbey45/Ffe087SI9w1pxo0y08InjA5gOJOyrI01JwxCh4+2s4Ibp1pF+VEe9R
+8701XaqJ1mpr5E65yfXI4eb2aeJjLm0C/kWxPtZcPV3/rCEhFe1z5xgs76KiN7th
+k6MRu/ZntMShCChL1eGopvBJwKsHOsODD0dlEQIDAQABAoIBAQC18SHnUAKzEO1L
+uQVAu4AjXcaI5BzVxYxkxNzyWsW61ZZQSVNEqAEO52vEVakhEKOatqBBP1U1YfeX
+MPshhyfd2vieH6rTJ8uVFiysffDytY5tWWGDMxewQnoletP337ZDrjHXzJRy9/B9
+VXOBeBheMi/ll0fIhoKBZzZQbJjuwkLb42QZ8vGAg49bG7C3VLpXVrht335mLWYK
+cDEtXj6tE7ipxjx65PTmw8Rjj6ESOhYrnAJRBek3ngtBJFRwXGtrINy5nHpcE3x5
+0Zg+bpB72DdGv48C3lABYT180UkA/9/CB3ofjrYlzRccvczlXuRAeTdvyjl8bD7m
+dpvgdqdBAoGBAPEPpYxH97DlyjgmHcV2xVKEEASeLyO9dcbx1cZo2lykDrPgkTi5
+ICkJDAJHkMcEpRvIydDXwh4cMB4Idzuweuy4k9Pr3Jz9cjo03PnaHV/27n3gtlk2
+RBcXOMdFHlK3HhVVQseToHDR2+2f1rzQOaYcPSvoscxupeLRpZtq8/dpAoGBANWX
+2FyCZoBD9/YboEb0RlT/Kvct7gfk5Hkot1grDvrxgyFzj36fTVEZ1RX6jHX3aVxD
+0kx4okL8year7eMvi1x0Av9lXXgRIc4ouHdOG+CaG1pjIxkKPLLxYQP89biDI8p1
+C2QnIzOSseaixF61wTASbOrv9K/xex7hXrxW5TNpAoGAcBZParf38vgWHB+VDkEY
+pTKk5BDNaHfq8LN4LEaK6jKaZ4dO3yotSwda3yB5sCB3yUCGnqYEK839jalwD4AS
+2ElG624raY/rcicsbLy/leSSplM7VqYF6RqyGu4HmHxu74pyf6wkGPFrqsT8q1TC
+yXst8mHDcoQsfBfxQh/sCqkCgYAKmUJPNNlJPBYtzCkj3DMxPIgxQ8Iv+hesO2z9
+nwVbRmivXECek+EOSS3drVUS9Xfw8BybVtEWadzK6XUgdNeBevA7JBiDQLZguHyO
+zv1rI7p/vbOcJnnklz2tKPw4b6ly/mPWUGrawEi7nRAJcxNnA0MMVWPa5yyo154P
+0nAFIQKBgQDwMvfdacHwiNTcpn1gTZc7gQE17m8fRIi2oyH3PPclDv8AmoTjnqGi
+YtDrj6NJIBN8XuKKuu+2ptqNXk3PSMDrkv1Zhoo6PrvtwpiUwDoWcANfToEESueH
+za4vAwRqx3MiV91d8Z2/wVu67RTp3+198zCv9eujDuP5dNqAKf77MA==
+-----END RSA PRIVATE KEY-----

kubernetes/apiserver/dashboard/resource/server.key

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    alicloud = {
+      source  = "aliyun/alicloud"
+      version = "1.163.0"
+    }
+  }
+}
+
+provider "alicloud" {
+  profile = "default"
+  region  = "cn-beijing"
+}

kubernetes/apiserver/dashboard/versions.tf

@@ -0,0 +1,82 @@
+resource "alicloud_instance" "instance" {
+  security_groups            = alicloud_security_group.group.*.id
+  instance_type              = data.alicloud_instance_types.types_ds.instance_types.0.id
+  image_id                   = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
+  instance_name              = "huocorp_terraform_goat_instance"
+  vswitch_id                 = alicloud_vswitch.vswitch.id
+  system_disk_size           = 20
+  internet_max_bandwidth_out = 100
+  password                   = "Huoxian@123" // 虚拟机密码
+
+  provisioner "file" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+
+    source      = "resource/kk"
+    destination = "/root/kk" // deploy_k8s.sh用来安装k8s
+  }
+
+  provisioner "remote-exec" {
+    connection {
+      type     = "ssh"
+      host     = self.public_ip
+      user     = "root"
+      password = "Huoxian@123"
+      timeout  = "1h"
+    }
+    script = "resource/deploy_k8s.sh"
+  }
+
+  depends_on = [
+    alicloud_security_group.group,
+    alicloud_vswitch.vswitch,
+  ]
+}
+
+resource "alicloud_security_group" "group" {
+  name   = "huocorp_terraform_goat_security_group"
+  vpc_id = alicloud_vpc.vpc.id
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+resource "alicloud_security_group_rule" "allow_all_tcp" {
+  type              = "ingress"
+  ip_protocol       = "tcp"
+  nic_type          = "intranet"
+  policy            = "accept"
+  port_range        = "1/65535" // 允许访问所有端口
+  priority          = 1
+  security_group_id = alicloud_security_group.group.id
+  cidr_ip           = "0.0.0.0/0"
+  depends_on = [
+    alicloud_security_group.group
+  ]
+}
+
+resource "alicloud_vpc" "vpc" {
+  vpc_name   = "huocorp_terraform_goat_vpc"
+  cidr_block = "172.16.0.0/16"
+}
+
+resource "alicloud_vswitch" "vswitch" {
+  vpc_id       = alicloud_vpc.vpc.id
+  cidr_block   = "172.16.0.0/24"
+  zone_id      = "cn-beijing-h"
+  vswitch_name = "huocorp_terraform_goat_vswitch"
+  depends_on = [
+    alicloud_vpc.vpc
+  ]
+}
+
+// kubekey安装k8s集群，配置要求至少 2核4g
+data "alicloud_instance_types" "types_ds" {
+  cpu_core_count = 2
+  memory_size    = 4
+}

kubernetes/apiserver/unauth/main.tf

@@ -0,0 +1,4 @@
+output "apiserver_unauth_lab_address_link" {
+  value       = "http://${alicloud_instance.instance.public_ip}:8443"
+  description = "apiserver un-auth lab address link."
+}