
Commit 223710d

Updates after 20231103
1 parent 03cb725 commit 223710d


7 files changed

+20
-15
lines changed


120_kubernetes/network_policy/slides.md

+1-1
@@ -44,7 +44,7 @@ No audit logging
4444

4545
### No support for network policy
4646

47-
kubenet, [flannel](https://github.com/flannel-io/flannel)
47+
kubenet, [flannel](https://github.com/flannel-io/flannel), [kindnet](https://github.com/aojea/kindnet)
4848

4949
### Calico
5050
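Review bot: line 47 adds kindnet to the "No support for network policy" list without saying what that means for the course's own clusters, which are built with kind (it is in the tools list of sbom.demo). On a CNI without policy support the API server still accepts NetworkPolicy objects and they are simply not enforced, so a policy demo on a default kind cluster will appear to apply and then block nothing. Suggest adding a short remark on the slide that kindnet is what kind ships by default and that the network policy demos need a different CNI, plus the kind version this statement was checked against.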

120_kubernetes/rbac/rakkess.demo

+7
@@ -0,0 +1,7 @@
1+
# rakkess (access-matrix)
2+
3+
# Install
4+
krew install access-matrix
5+
6+
# Check jane
7+
kubectl access-matrix resource pod --namespace default --as jane
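Review bot: on line 7 the `resource pod` subcommand does not match the `# Check jane` comment above it. Per the rakkess README, `resource <name>` lists the subjects that have access to that resource by reading roles and bindings, and with `--as jane` that lookup itself runs as jane, who may not be allowed to list them. If the intent is to show jane's own permissions, drop the subcommand and use `kubectl access-matrix --namespace default --as jane`. Line 4 also calls `krew` directly while line 7 goes through `kubectl`; `kubectl krew install access-matrix` would be consistent and does not assume a standalone `krew` binary on PATH.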

120_kubernetes/rbac/rbac.demo

+4-3
@@ -33,8 +33,9 @@ roleRef:
3333
EOF
3434

3535
# Check Role and RoleBinding
36-
kubectl auth can-i get pods --as jane
36+
kubectl auth can-i get pods --namespace default --as jane
3737
kubectl auth can-i get pods --namespace kube-system --as jane
38+
kubectl auth can-i --namespace default --list --as jane
3839

3940
# Create ClusteRole and ClusterRoleBinding
4041
cat <<EOF | kubectl apply -f -
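Review bot: the added line 38 puts `--namespace default` before `--list`, while lines 36 and 37 put the namespace after the verb and resource; `kubectl auth can-i --list --namespace default --as jane` would read the same way as its neighbours. Since `--list` only prints what jane is allowed to do in `default`, a matching `--list` call for `kube-system` would make the contrast with line 37 visible in the demo. While this block is being edited, the context comment on line 40 reads "ClusteRole" and should be "ClusterRole".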
@@ -88,6 +89,6 @@ roleRef:
8889
EOF
8990

9091
# Check ClusterRole and RoleBinding
91-
kubectl auth can-i get secrets --as jane
92-
kubectl auth can-i get secrets --as dave
92+
kubectl auth can-i get secrets --namespace default --as jane
93+
kubectl auth can-i get secrets --namespace default --as dave
9394
kubectl auth can-i get secrets --namespace kube-system --as dave
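Review bot: lines 92 to 94 check jane in `default` and dave in both `default` and `kube-system`, but there is no `--namespace kube-system --as jane` check for secrets, so the demo never shows jane's result outside `default`. Adding `kubectl auth can-i get secrets --namespace kube-system --as jane` completes the two-by-two comparison and makes the difference between the two bindings explicit. A one-line comment stating the expected yes/no for each call would also help anyone running the file unattended.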

120_kubernetes/rbac/rbac.drawio.svg

+3-1

120_kubernetes/rbac/slides.md

+2
@@ -28,6 +28,8 @@ Show mixed permissions
2828

2929
Using `kubectl auth can-i` to check RBAC [](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access)
3030

31+
Demonstrate [rakkess](https://github.com/corneliusweig/rakkess) [<i class="fa fa-comment-code"></i>](https://github.com/nicholasdille/container-slides/blob/master/120_kubernetes/rbac/rakkess.demo "rakkess.demo")
32+
3133
---
3234

3335
## How to write roles
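Review bot: line 31 names the tool only as "rakkess", while the linked demo installs and runs it as the krew plugin `access-matrix`. Someone searching krew for "rakkess" after the talk will not find the command shown, so suggest writing "rakkess (`kubectl access-matrix`)" on the slide, as the demo file's title already does. The demo link also points at the `master` branch blob, which will break if the file is renamed; a relative link would be more robust if the slide tooling supports it.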

170_supply_chain_security/sbom/sbom.demo

+3-3
@@ -1,13 +1,13 @@
11
# SBoM generation and scanning
22

33
# Install tools
4-
docker-setup --tools=docker,buildx,docker-compose,kind,helm,kubectl,gvisor,cosign,kyverno,syft,grype,trivy install
4+
uniget install docker buildx docker-compose kind helm kubectl gvisor cosign kyverno syft grype trivy
55

66
# Generate SBoM of trivy
7-
syft packages aquasec/trivy:0.34.0 --file trivy.json --output cyclonedx-json
7+
syft packages aquasec/trivy:0.34.0 --output cyclonedx-json=trivy.json
88

99
# Generate SBoM of alpine 3.18
10-
syft packages alpine:3.18 --file alpine-3.18.json --output cyclonedx-json
10+
syft packages alpine:3.18 --output cyclonedx-json=alpine-3.18.json
1111

1212
# Scan trivy.json
1313
grype sbom:trivy.json
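Review bot: lines 7 and 10 still reference the images by tag (`aquasec/trivy:0.34.0`, `alpine:3.18`), so the generated SBoMs and the grype results that follow depend on whatever the tag points to on the day the demo runs. For a supply chain security demo it is worth pinning both by digest (`image@sha256:<digest>`) so that `trivy.json` and `alpine-3.18.json` are reproducible and the scan output matches what the slides discuss. The new `uniget install` line on line 4 likewise installs unpinned tool versions; since this commit exists because syft changed its flags, recording the syft and grype versions the demo was tested with would save the next fix.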
-7
@@ -1,9 +1,2 @@
1-
- Fix RBAC image
2-
- can-i namespace
3-
- krew, https://github.com/corneliusweig/rakkess
4-
- kubectl auth can-i --list --as jane
51
- automountServiceAccountToken: false
62
- kyverno: fix and note automountServiceAccountToken
7-
- kindnet no netpol
8-
- syft deprecated
9-
- docker-setup
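Review bot: the `docker-setup` and `syft deprecated` items are removed here, but the visible changes only replace `docker-setup` and the `--file` flag in sbom.demo. Before closing these items, grep the other `.demo` files for `docker-setup` and for `syft ... --file` so the remaining demos do not keep the old invocations. The two remaining `automountServiceAccountToken` items overlap; merging them into one entry that says what needs fixing in the kyverno material would make the list easier to act on.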
