forked from kuhnskc/shellshock-container-demo
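# Deployment for the "demo-client" pod of the crowdstrike-demo stack.
# One replica of a stock Ubuntu container bootstraps itself at start-up
# (apt packages, AWS CLI v2, demo scripts copied from a ConfigMap) and then
# idles so that an operator can exec into it.
#
# Security posture: root user + privileged container + host PID namespace.
# The labels and the ConfigMap name suggest this is intentional for a
# detection demo, but with these three settings a compromise of this container
# is effectively a compromise of the node. Run it only on a disposable,
# isolated cluster; do not reuse this manifest as a template for real workloads.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-client
  labels:
    app.kubernetes.io/name: demo-client
    app.kubernetes.io/part-of: crowdstrike-demo
    app.kubernetes.io/created-by: crowdstrike
spec:
  selector:
    matchLabels:
      run: demo-client
  replicas: 1
  template:
    metadata:
      labels:
        run: demo-client
        app.kubernetes.io/name: demo-client
        app.kubernetes.io/part-of: crowdstrike-demo
        app.kubernetes.io/created-by: crowdstrike
    spec:
      securityContext:
        # UID 0: the start-up script needs root for apt-get and the AWS CLI installer.
        runAsUser: 0
      # Shares the node's PID namespace: every host process is visible from the pod.
      hostPID: true
      containers:
        - name: demo-client
          # NOTE(review): mutable tag pulled on every start (imagePullPolicy: Always);
          # pin by digest if the demo has to be reproducible.
          image: ubuntu:22.04
          imagePullPolicy: Always
          securityContext:
            # Privileged mode removes the container's capability and device restrictions.
            privileged: true
          env:
            - name: DEBIAN_FRONTEND
              value: "noninteractive"
          command: ["/bin/bash"]
          args:
            - "-c"
            - |
              # Logging function for startup tracking
              log() {
                echo "$(date '+%Y-%m-%d %H:%M:%S') [STARTUP] $1"
              }
              log "Starting demo-client container initialization..."

              # Step 1: Install basic system tools with error handling
              log "Installing basic system tools..."
              if ! apt-get update -qq; then
                log "ERROR: Failed to update package list"
                exit 1
              fi
              if ! apt-get install -y python3 curl wget netcat-traditional unzip -qq; then
                log "ERROR: Failed to install basic tools"
                exit 1
              fi
              log "Basic tools installed successfully"

              # Step 2: Download and install AWS CLI with validation
              # -f makes curl fail on an HTTP error status instead of saving the
              # error body as the zip; -S keeps the error message visible despite -s.
              # NOTE(review): the archive is executed as root without any integrity
              # check; AWS publishes a detached PGP signature for it that could be
              # verified before running the installer.
              log "Downloading AWS CLI v2..."
              if ! curl -fsS https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o /tmp/awscliv2.zip; then
                log "ERROR: Failed to download AWS CLI"
                exit 1
              fi
              cd /tmp
              log "Extracting AWS CLI..."
              if ! unzip -q awscliv2.zip; then
                log "ERROR: Failed to extract AWS CLI"
                exit 1
              fi
              log "Installing AWS CLI..."
              if ! ./aws/install --update; then
                log "ERROR: Failed to install AWS CLI"
                exit 1
              fi
              # Cleanup installation files
              rm -rf aws awscliv2.zip
              log "AWS CLI installation completed"

              # Step 3: Verify AWS CLI installation and configure environment
              export AWS_PAGER=""
              export PATH=/usr/local/bin:$PATH
              if ! which aws > /dev/null 2>&1; then
                log "ERROR: AWS CLI not found in PATH after installation"
                exit 1
              fi
              AWS_VERSION=$(aws --version 2>&1)
              log "AWS CLI verified: $AWS_VERSION"

              # Step 4: Test AWS credentials and IMDS access
              # The request below carries no session token header, i.e. it is an
              # IMDSv1-style call. If it succeeds, the node's instance role is usable
              # from this pod. Enforcing IMDSv2 with a hop limit of 1, or blocking
              # 169.254.169.254 for pods with a network policy, closes that path.
              # The role name and caller identity end up in the pod log.
              log "Testing AWS credential access via IMDS..."
              if curl -s --connect-timeout 5 http://169.254.169.254/latest/meta-data/iam/security-credentials/ > /tmp/imds_test; then
                if [ -s /tmp/imds_test ]; then
                  ROLE_NAME=$(cat /tmp/imds_test)
                  log "IMDS access successful, IAM role available: $ROLE_NAME"
                  # Test actual AWS API call
                  if timeout 10 aws sts get-caller-identity > /tmp/aws_test 2>&1; then
                    # The CLI pretty-prints JSON as "UserId": "..." (space after the
                    # colon), so the pattern must tolerate whitespace around ':' or
                    # CALLER_ID stays empty.
                    CALLER_ID=$(grep -o '"UserId"[[:space:]]*:[[:space:]]*"[^"]*"' /tmp/aws_test | cut -d'"' -f4)
                    log "AWS API test successful, caller identity: $CALLER_ID"
                  else
                    log "WARNING: AWS API call failed, but CLI is installed"
                    cat /tmp/aws_test
                  fi
                else
                  log "WARNING: IMDS accessible but no IAM role found"
                fi
              else
                log "WARNING: IMDS not accessible, AWS commands may fail"
              fi
              rm -f /tmp/imds_test /tmp/aws_test

              # Step 5: Set up demo connection scripts from ConfigMap
              log "Setting up demo connection scripts..."
              mkdir -p /app/demo-scripts
              if ! cp /scripts/connect-demo.py /app/demo-scripts/; then
                log "ERROR: Failed to copy connect-demo.py"
                exit 1
              fi
              if ! cp /scripts/connect-demo.sh /app/demo-scripts/; then
                log "ERROR: Failed to copy connect-demo.sh"
                exit 1
              fi
              chmod +x /app/demo-scripts/*
              log "Demo connection scripts configured successfully"

              # Step 6: Final setup and container ready signal
              cd /app
              log "Container initialization completed successfully!"
              log "Ready for CrowdStrike demo execution"
              log "AWS CLI: $(which aws)"
              log "Demo scripts: $(ls -la /app/demo-scripts/)"
              # Keep container alive
              tail -f /dev/null
          volumeMounts:
            - name: demo-attack-scripts
              mountPath: /scripts
      volumes:
        - name: demo-attack-scripts
          configMap:
            name: demo-attack-scripts
            # Octal literal on purpose: defaultMode is an integer field, so it
            # must stay unquoted (0755 = rwxr-xr-x on the projected files).
            defaultMode: 0755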
---
# Cluster-internal Service for the demo-client pods; ClusterIP means it is
# not reachable from outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: demo-client
  labels:
    app.kubernetes.io/name: demo-client
    app.kubernetes.io/part-of: crowdstrike-demo
    app.kubernetes.io/created-by: crowdstrike
spec:
  type: ClusterIP
  # Selects pods by the `run: demo-client` label set on the Deployment's pod template.
  selector:
    run: demo-client
  ports:
    # NOTE(review): the Deployment's start-up script in this file ends in
    # `tail -f /dev/null` and declares no containerPort; confirm that something
    # actually listens on port 80, otherwise this Service has no working backend.
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80