Add 2020 - March challenge

Author: mrbobbytables

README.md

@@ -5,4 +5,5 @@ When you want to be a goose and want a Kubernetes cluster for a garden.
 This will be where the previous challenge's challenge-specific data resides. In the future we will also post all run commands, output, and results.
 
 ## Previous Challenges
-[2019-12-20 - Holiday Beta NA](./challenges/2019-12-20/)
+[2019-December - Holiday Beta NA](./challenges/2019-december/)
+[2020-March](./challenges/2020-march)

challenges/2020-march/README.md

@@ -0,0 +1,41 @@
+# A Honking Good Time
+
+Save the bell, save the world.
+
+## Results
+
+In order of who completed the challenge:
+
+1. [Ian Coldwater], [Brad Geesaman], and [Duffie Cooley]
+2. [Anthony Weems]
+
+## Setup
+
+The cluster is a vanilla instance of [kind] (v0.7.0) with some very strict RBAC
+rules and Pod Security Policies configured for several accounts and namespaces.
+You start as the "goose" in the "garden" namespace and must enumerate your
+environment and discover the challenge itself. It does **NOT** require
+exploiting the host in any way. It is 100% achievable through Kubernetes.
+
+
+To replicate the setup execute the following from this directory:
+1. `kind create cluster --config=kind-config.yaml --name honkctl`
+2. `kubectl apply -f manifests/01`
+3. `kubectl apply -f manifests/02`
+4. `kubectl apply -f manifests/03`
+5. `./goose.sh`
+
+
+## Solution
+
+The solution and greater explanation can be found in [solution.md].
+
+Trying not to spoil the fun if folks want to give it a go :)
+
+
+[kind]: https://kind.sigs.k8s.io
+[solution.md]: solution.md
+[Ian Coldwater]: https://twitter.com/IanColdwater
+[Brad Geesaman]: https://twitter.com/bradgeesaman
+[Duffie Cooley]: https://twitter.com/mauilion
+[Anthony Weems]: https://twitter.com/amlweems

challenges/2020-march/goose.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -e
+set -o pipefail
+
+# Thanks to innovia
+# https://gist.github.com/innovia/fbba8259042f71db98ea8d4ad19bd708
+
+SERVICE_ACCOUNT_NAME=goose
+NAMESPACE="garden"
+KUBECFG_FILE_NAME="/tmp/kube/k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
+TARGET_FOLDER="/tmp/kube"
+
+create_target_folder() {
+    echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..."
+    mkdir -p "${TARGET_FOLDER}"
+    printf "done"
+}
+
+create_service_account() {
+    echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}"
+    kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}"
+}
+
+get_secret_name_from_service_account() {
+    echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
+    SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name)
+    echo "Secret name: ${SECRET_NAME}"
+}
+
+extract_ca_crt_from_secret() {
+    echo -e -n "\\nExtracting ca.crt from secret..."
+    kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \
+    -r '.data["ca.crt"]' | base64 -d > "${TARGET_FOLDER}/ca.crt"
+    printf "done"
+}
+
+get_user_token_from_secret() {
+    echo -e -n "\\nGetting user token from secret..."
+    USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -d)
+    printf "done"
+}
+
+set_kube_config_values() {
+    context=$(kubectl config current-context)
+    echo -e "\\nSetting current context to: $context"
+
+    CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
+    echo "Cluster name: ${CLUSTER_NAME}"
+
+    ENDPOINT=$(kubectl config view \
+    -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
+    echo "Endpoint: ${ENDPOINT}"
+
+    # Set up the config
+    echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
+    echo -n "Setting a cluster entry in kubeconfig..."
+    kubectl config set-cluster "${CLUSTER_NAME}" \
+    --server="${ENDPOINT}" \
+    --certificate-authority="${TARGET_FOLDER}/ca.crt" \
+    --embed-certs=true
+
+    echo -n "Setting token credentials entry in kubeconfig..."
+    kubectl config set-credentials \
+    "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
+    --token="${USER_TOKEN}"
+
+    echo -n "Setting a context entry in kubeconfig..."
+    kubectl config set-context \
+    "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
+    --cluster="${CLUSTER_NAME}" \
+    --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
+    --namespace="${NAMESPACE}"
+
+    echo -n "Setting the current-context in the kubeconfig file..."
+    kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}"
+}
+
+create_target_folder
+get_secret_name_from_service_account
+extract_ca_crt_from_secret
+get_user_token_from_secret
+set_kube_config_values

challenges/2020-march/kind-config.yaml

@@ -0,0 +1,10 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+- |
+  kind: ClusterConfiguration
+  metadata:
+    name: config
+  apiServer:
+    extraArgs:
+      enable-admission-plugins: NodeRestriction,PodSecurityPolicy

challenges/2020-march/manifests/01/01-default.psp.yaml

@@ -0,0 +1,64 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+  name: default
+spec:
+  defaultAddCapabilities:
+  - AUDIT_WRITE # OCI Spec default
+  - NET_BIND_SERVICE # OCI Spec default
+  - KILL # OCI Spec default
+  - CHOWN # needed for nginx
+  - SETUID # needed for nginx
+  - SETGID # needed for nginx
+  requiredDropCapabilities:
+  - ALL
+  allowPrivilegeEscalation: false
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  volumes:
+  - 'configMap'
+  - 'downwardAPI'
+  - 'emptyDir'
+  - 'persistentVolumeClaim'
+  - 'projected'
+  - 'secret'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp-default
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - default
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: psp-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp-default
+subjects:
+- kind: Group
+  name: system:authenticated

challenges/2020-march/manifests/01/02-privileged.psp.yaml

@@ -0,0 +1,59 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+  name: privileged
+spec:
+  allowedCapabilities:
+  - '*'
+  allowPrivilegeEscalation: true
+  fsGroup:
+    rule: 'RunAsAny'
+  hostIPC: true
+  hostNetwork: true
+  hostPID: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  privileged: true
+  readOnlyRootFilesystem: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  volumes:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp-privileged
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - privileged
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: psp-privileged
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp-privileged
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:nodes
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts:kube-system

challenges/2020-march/manifests/02/00-namespaces.yaml

@@ -0,0 +1,24 @@
+# ALL the namespaces are created first to prevent clashing when resolving cross
+# namespace references in [cluster]roles.
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: home
+  labels:
+    location: etc-kubernetes-manifests
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: garden
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pub
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: model-village

challenges/2020-march/manifests/02/00-todo.crd.yaml

@@ -0,0 +1,87 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: todos.honk.ci
+spec:
+  group: honk.ci
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                hint:
+                  type: string
+                todo:
+                  type: string
+              required:
+              - todo
+      additionalPrinterColumns:
+      - name: Todo
+        type: string
+        description: "An important task"
+        jsonPath: ".spec.todo"
+  scope: Cluster
+  names:
+    plural: todos
+    singular: todo
+    kind: Todo
+    shortNames:
+    - td
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: todo-view-crd
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["honk.ci"]
+  resources: ["todos"]
+  verbs: ["get", "list", "watch"]
+---
+# Allow EVERYONE to view todo items
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: authenticated-view-todo-crd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: todo-view-crd
+subjects:
+- kind: Group
+  name: system:authenticated
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: authenticated-view-cluster-crds
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "watch"]
+---
+# Allow EVERYONE to view cluster level CRDs so that they may find todos
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: authenticated-view-cluster-crd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: authenticated-view-cluster-crds
+subjects:
+- kind: Group
+  name: system:authenticated