Add patch method for ensuring docker-desktop does not service accounts with full admin access
This commit is contained in:
parent
ba68e6baaf
commit
ad122e94bd
|
@ -1,9 +1,14 @@
|
|||
.POSIX:
|
||||
.PHONY: install thinkphp forward-thinkphp lucee forward-lucee dashboard forward-dashboard admin-token service-token secrets secret-files help
|
||||
.PHONY: install thinkphp forward-thinkphp lucee forward-lucee dashboard forward-dashboard admin-token service-token secrets secret-files patch-docker-desktop-admin-service-accounts help
|
||||
.DEFAULT_GOAL: help
|
||||
|
||||
default: help
|
||||
RED := $(shell tput -Txterm setaf 1)
|
||||
RESET := $(shell tput -Txterm sgr0)
|
||||
|
||||
# Detect if docker-desktop is defaulting service accounts to have full admin cluster privileges by default
|
||||
# https://github.com/docker/for-mac/issues/4774#issuecomment-6622851890
|
||||
HAS_CLUSTER_ADMIN_SERVICE_ACCOUNT=$(shell kubectl get clusterrolebinding docker-for-desktop-binding -o yaml 2>/dev/null | grep -c 'name: system:serviceaccounts$$')
|
||||
|
||||
default: help
|
||||
install: secret-files thinkphp lucee secrets dashboard ##@install Install all charts
|
||||
|
||||
thinkphp: ##@install Install vulnerable thinkphp application with full cluster access
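Review bot: `HAS_CLUSTER_ADMIN_SERVICE_ACCOUNT=$(shell kubectl get clusterrolebinding …)` uses recursive assignment, so the kubectl query is re-run every time the variable is expanded (each `ifeq` that tests it) rather than once; `HAS_CLUSTER_ADMIN_SERVICE_ACCOUNT := $(shell …)` pins it to a single parse-time call. Either way the probe runs on every invocation of make, including `make help`, so a cluster that is unreachable just yields an empty value and the docker-desktop warning is silently skipped; a comment such as `# Empty when kubectl is absent or the cluster is unreachable — the warning below is then not shown` above the assignment would make that failure mode explicit. The `$$` in the grep pattern becomes a single `$` inside `$(shell …)`, which is what anchors the match to `system:serviceaccounts` and excludes the namespaced `system:serviceaccounts:<ns>` groups; worth a one-line comment since it is easy to misread as a Make escape.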
|
||||
|
@ -11,6 +16,9 @@ thinkphp: ##@install Install vulnerable thinkphp application with full cluster a
|
|||
|
||||
lucee: ##@install Install vulnerable lucee application with minimal cluster access
|
||||
helm upgrade --install lucee ./lucee
|
||||
ifeq ($(HAS_CLUSTER_ADMIN_SERVICE_ACCOUNT),1)
|
||||
@echo "${RED}[!] docker-desktop detected. Additionally run 'make patch-docker-desktop-admin-service-accounts' to ensure lucee does not have full cluster access by default${RESET}" 2>&2
|
||||
endif
|
||||
|
||||
dashboard: ##@install Install the Kubernetes dashboard
|
||||
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
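Review bot: The `2>&2` on the docker-desktop warning line is a no-op (stderr redirected to itself), so the red `[!]` message still goes to stdout; `>&2` is what sends it to stderr. The message is also only advisory: on docker-desktop the `helm upgrade --install lucee` line above it still leaves the chart's service account covered by the cluster-admin binding until the user separately runs `make patch-docker-desktop-admin-service-accounts`, so if the intent is that lucee never has full cluster access by default, consider listing `patch-docker-desktop-admin-service-accounts` as a prerequisite of `lucee` under the same `ifeq`, or at least noting in the help text that the warning is not enforced.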
|
||||
|
@ -36,7 +44,11 @@ admin-token: ##@tokens Create an admin token which will have full access to the
|
|||
service-token: ##@tokens Create a Kubernetes service token for the default service account
|
||||
echo $$(kubectl get secret -n default $$(kubectl -n default get serviceaccount default -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 -d)
|
||||
|
||||
# Forward a running pod on the given port
|
||||
patch-docker-desktop-admin-service-accounts: ##@miscellaneous Patch service accounts to not have full cluster access by default on docker-desktop - https://github.com/docker/for-mac/issues/4774
|
||||
# https://github.com/docker/for-mac/issues/4774#issuecomment-6622851890
|
||||
kubectl patch clusterrolebinding docker-for-desktop-binding --type=json --patch $$'[{"op":"replace", "path":"/subjects/0/name", "value":"system:serviceaccounts:kube-system"}]'
|
||||
|
||||
# forward a running pod on the given port
|
||||
# ${1}=podname
|
||||
# ${2}=port
|
||||
define forward
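Review bot: The `kubectl patch … --type=json` call blindly replaces `/subjects/0/name` without checking that subject 0 is actually the `system:serviceaccounts` group, so on a cluster where the binding has a different subject order it would silently rewrite an unrelated subject; prepending a JSON-Patch `test` op makes it fail safely instead: `--patch '[{"op":"test","path":"/subjects/0/name","value":"system:serviceaccounts"},{"op":"replace","path":"/subjects/0/name","value":"system:serviceaccounts:kube-system"}]'`. The `$$'…'` ANSI-C quoting is a bashism that is unnecessary here (the JSON has no escapes) and is not portable under a POSIX `/bin/sh`, which the `.POSIX:` declaration at the top of the file suggests this Makefile targets; plain single quotes suffice. It would also help to state in the target's comment that after the patch every service account in `kube-system` still holds cluster-admin (the binding is narrowed, not removed), which appears to be the upstream workaround rather than a full fix.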
|
||||
|
|
|
@ -34,7 +34,7 @@ Next install the vulnerable charts and configuration:
|
|||
make install
|
||||
```
|
||||
|
||||
If you are on a Mac environment, you can optionally you you can use the `docker-compose` setup:
|
||||
If you are on a Mac environment, you can optionally use the `docker-compose` setup:
|
||||
|
||||
```
|
||||
docker-compose run setup
|
||||
|
|
|
@ -19,19 +19,17 @@ nameOverride: ""
|
|||
fullnameOverride: ""
|
||||
|
||||
serviceAccount:
|
||||
create: false
|
||||
create: true
|
||||
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
# Intentionally specify an invalid service account name for Mac users, to ensure there's no privileges:
|
||||
# https://github.com/docker/for-mac/issues/4774
|
||||
name: "invalid"
|
||||
name: ""
|
||||
|
||||
privileges:
|
||||
# Override the default cluster role (useServiceAccount must be true for this setting to be effective)
|
||||
bindClusterRoleOverride: "" # Alternatively lucee-all-access or lucee-no-access
|
||||
bindClusterRoleOverride: "lucee-no-access" # Alternatively lucee-all-access
|
||||
|
||||
#
|
||||
# Privileges related to node hosting metasploit Pod
|
||||
|
|