
Comprehensive workshop refresh: infra, content, and tooling update #38

Open
aussinfosec wants to merge 1 commit into lockfale:main from aussinfosec:workshop-2026-refresh

Conversation

@aussinfosec (Collaborator)

Summary

  • Restructure: Archive all 6 conference-specific directories into archived/, create conference-agnostic current/ as single source of truth
  • Infrastructure version bumps: K8s v1.27→v1.31, kind v0.20→v0.27, Helm v3.12→v3.16, add cosign/crane/syft/grype, replace nixery.dev images, pin all image tags
  • Helm/observability migration: Loki distributed→monolithic, Tracee 0.19→0.24, add Falco (with Falcosidekick), add Cilium Tetragon
  • 3 new lab modules: Supply chain security (Module 8), modern runtime security comparison (Module 9), cloud-native/IMDS attacks (Module 10)
  • Documentation sweep: Update all version refs, requestbin→Pipedream, add AWS/Azure alternatives, add setup verification script

Changes by area

Infrastructure (lab-ansible-setup.yml, k8s-ansible-setup.yml, kind-lab-config.yaml)

| Component | Old | New |
|---|---|---|
| Kubernetes/kubectl | v1.27.3 | v1.31.4 |
| kind | v0.20.0 | v0.27.0 |
| Helm | v3.12.1 | v3.16.4 |
| kindest/node | v1.27.3 | v1.31.4 |
| Tracee | 0.19.0 | 0.24.0 |
| Loki | loki-distributed | loki (monolithic) |
| Falco | N/A | New (with Falcosidekick + WebUI) |
| Tetragon | N/A | New (Cilium eBPF) |
| cosign | N/A | v2.4.1 |
| crane | N/A | v0.20.2 |
| syft | N/A | v1.18.1 |
| grype | N/A | v0.85.0 |

K8s Manifests

  • evilpod.yaml: ubuntu (untagged) → ubuntu:22.04
  • attacker-pod.yaml: nixery.dev/shell/openssl/strace → ubuntu:22.04 + apt
  • nothingallowedpod.yaml: nixery.dev/shell/curl → alpine/curl:8.11.1
  • pods.yaml: tracee-tester → aquasec/tracee-tester:latest
  • New: supply-chain-demo.yaml, imds-demo-pod.yaml, network-policy-demo.yaml
  • New namespaces: falco-system, tetragon

New Lab Content (labs_walk_thru.md)

  • Module 8 - Supply Chain Security: Image inspection (crane), SBOM generation (syft), vulnerability scanning (grype), image signing (cosign), tag mutability attacks, malicious image analysis pipeline
  • Module 9 - Modern Runtime Security: Updated Tracee labs, Falco deployment + custom rules + Falcosidekick UI, Tetragon TracingPolicy CRDs (file access + network monitoring), side-by-side tool comparison exercise, unified Grafana/Loki queries
  • Module 10 - Cloud-Native Attacks: IMDS attacks (GCP/AWS IMDSv1+v2/Azure), IMDS blocking via NetworkPolicy, DNS exfiltration from "network-isolated" pods, managed K8s attack surfaces (EKS IRSA, GKE Workload Identity)

Documentation

  • lab-setup.md: Rewritten for Ubuntu 22.04, tool version table, AWS/Azure alternatives, verification step
  • cheatsheet.md: Added supply chain + runtime security tool quick reference, Grafana Loki queries, version table
  • README.md (root + current): Conference-agnostic, updated module list
  • All requestbin.com → Pipedream references
  • New: scripts/verify-setup.sh smoke test script

Test plan

  • Run ansible-playbook lab-ansible-setup.yml on fresh Ubuntu 22.04 GCP e2-standard-2
  • Verify all tool installs via scripts/verify-setup.sh
  • Create kind cluster with kind create cluster --config=kind-lab-config.yaml
  • Run ansible-playbook k8s-ansible-setup.yaml and verify all Helm releases deploy
  • Walk through Modules 1-7 (existing content, updated versions)
  • Walk through Module 8 (supply chain: cosign, crane, syft, grype)
  • Walk through Module 9 (runtime security: Tracee, Falco, Tetragon comparison)
  • Walk through Module 10 (cloud-native: IMDS, DNS exfil, network policy)
  • Verify Grafana/Loki integration with all three runtime security tools
  • Verify all container image pulls succeed

🤖 Generated with Claude Code

Archive all 6 conference-specific directories and create a new
conference-agnostic current/ directory as the single source of truth.

Infrastructure:
- Bump K8s v1.27.3 -> v1.31.4, kind v0.20.0 -> v0.27.0, Helm v3.12.1 -> v3.16.4
- Migrate Loki from deprecated loki-distributed to monolithic mode
- Update Tracee 0.19.0 -> 0.24.0
- Add Falco (with Falcosidekick) and Cilium Tetragon for runtime security
- Add cosign, crane, syft, grype for supply chain security labs
- Remove deprecated charts.helm.sh/stable Helm repo
- Replace unreliable nixery.dev images with ubuntu:22.04 and alpine/curl
- Pin all container image tags explicitly

New content modules:
- Module 8: Supply chain security (cosign, crane, syft, grype, tag mutability)
- Module 9: Modern runtime security (Tracee vs Falco vs Tetragon comparison)
- Module 10: Cloud-native attacks (IMDS, DNS exfil, network policy bypass)

Documentation:
- Make all docs conference-agnostic
- Update requestbin references to Pipedream
- Add AWS/Azure VM alternatives to lab setup
- Add verification script (scripts/verify-setup.sh)
- Expand cheatsheet with supply chain and runtime security tool references

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
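As an added example (not the PR's own scripts/verify-setup.sh and not code from the lockfale project), the following POSIX shell smoke test illustrates the verification step named in the test plan: it pins the CLI tool versions from the PR's version table and reports OK, MISMATCH or MISSING for each host binary. The version-query commands are each tool's standard invocation; the in-cluster components (Tracee, Falco, Tetragon, Loki) are Helm releases rather than host binaries and are deliberately left out. The tool names, expected versions and output formats are assumptions based on the PR text.

```shell
#!/bin/sh
# Hypothetical setup smoke test modelled on the PR's verification step.
# Expected versions come from the PR's version table; everything else is assumed.

# Strip a leading "v" so that "v1.31.4" and "1.31.4" compare equal.
normalize_version() {
  printf '%s\n' "$1" | sed 's/^v//'
}

# Pull the first x.y.z (optionally v-prefixed) version string out of tool output.
# Prints nothing when no version is present; exit status is always 0.
extract_version() {
  printf '%s\n' "$1" | grep -o 'v\{0,1\}[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# version_matches OUTPUT EXPECTED: succeed when the first version in OUTPUT equals EXPECTED.
version_matches() {
  found=$(extract_version "$1")
  [ -n "$found" ] || return 1
  [ "$(normalize_version "$found")" = "$(normalize_version "$2")" ]
}

# check_tool NAME EXPECTED CMD...: run CMD, compare its reported version with EXPECTED
# and print one status line. Returns 0 on match, 1 on mismatch, 2 if NAME is not installed.
check_tool() {
  name=$1; expected=$2; shift 2
  if ! command -v "$name" >/dev/null 2>&1; then
    printf 'MISSING  %-8s (expected %s)\n' "$name" "$expected"
    return 2
  fi
  output=$("$@" 2>&1)
  if version_matches "$output" "$expected"; then
    printf 'OK       %-8s %s\n' "$name" "$expected"
    return 0
  fi
  printf 'MISMATCH %-8s expected %s, got: %s\n' "$name" "$expected" "$(extract_version "$output")"
  return 1
}

# One check per pinned CLI tool in the PR table. Fails (non-zero) if any tool is off.
run_checks() {
  rc=0
  check_tool kubectl v1.31.4 kubectl version --client || rc=1
  check_tool kind    v0.27.0 kind version            || rc=1
  check_tool helm    v3.16.4 helm version --short    || rc=1
  check_tool cosign  v2.4.1  cosign version          || rc=1
  check_tool crane   v0.20.2 crane version           || rc=1
  check_tool syft    v1.18.1 syft version            || rc=1
  check_tool grype   v0.85.0 grype version           || rc=1
  return $rc
}

# Only run the checks when invoked as `sh verify.sh --run`, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Pinning exact versions rather than a minimum is intentional: the PR pins image tags and tool versions so that a lab built on a fresh Ubuntu 22.04 VM behaves identically for every attendee, and a silent drift in one tool is exactly what a pre-workshop smoke test should catch.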