A Kubernetes controller to introduce misconfigurations for Security Chaos Engineering
APACHE-2.0 License
This controller introduces misconfiguration into Kubernetes deployments to test how well your security tooling and processes respond to misconfiguration.
Philosophy
Usually, we wait until misconfigurations are introduced into our environments by accident. With this Misconfiguration Operator, we can introduce misconfigurations intentionally and test the response. If we test intentionally, we already know
This allows us to build a response pipeline in theory, which is then tested in practice. As a result, we can analyse whether the real response matches our expected response and
To use the Operator, follow these steps.
Prerequisites:
Install the Operator:
git clone https://github.com/AnaisUrlichs/security-controller
make install
Note that this will use the controller image specified in the Makefile.
Create a Custom Resource
A Custom Resource is required to define which changes the Operator should make to your deployments. The template looks as follows:
apiVersion: api.core.anaisurl.com/v1alpha1
kind: Configuration
metadata:
  name: configuration-sample
spec:
  containerPort: 60
  imageTag: "latest"
  limits: 400
  readOnlyRootFilesystem: false
  requests: 300
  runAsNonRoot: false
  memoryrequests: 80
  memorylimits: 130
Modify the template based on the changes that you would like the Operator to make on your deployments.
Next, apply the Custom Resource to your cluster:
kubectl apply -f custom-resource.yaml
Set your Deployments
Deployments are only changed by the Operator if the following annotation is set in the deployment.yaml manifest:
metadata:
  annotations:
    anaisurl.com/misconfiguration: "true"
The deployment is changed by the Operator once per day for as long as it is running inside the Kubernetes cluster and carries the annotation.
Otherwise, the reconciliation loop runs if either of the following is true:
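What makes the exercise useful is checking, after the Operator has made its daily change, whether your own tooling notices that an annotated deployment now runs with the settings from the Custom Resource. The following Go program is an added example and not part of this project: it decodes a Deployment from JSON, reports whether the deployment carries the annotation the Operator looks for, and lists every setting that configuration-sample weakens (mutable image tag, runAsNonRoot and readOnlyRootFilesystem not true, missing CPU/memory requests or limits). The Deployment struct is a hand-written subset rather than the client-go type, the annotation key is assumed to be exactly the one shown above, and both sample manifests are constructed here; the "300m"/"80Mi" style resource values are illustrative and not a claim about how the Operator maps the numbers in the CR.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation the README says gates the Operator's changes (assumed exact key).
const MisconfigAnnotation = "anaisurl.com/misconfiguration"

// Deployment is a hand-written subset of the manifest; only the fields this check reads.
type Deployment struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Template struct {
			Spec struct{ Containers []Container `json:"containers"` } `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

type Container struct {
	Name            string `json:"name"`
	Image           string `json:"image"`
	SecurityContext struct {
		RunAsNonRoot           *bool `json:"runAsNonRoot"`
		ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem"`
	} `json:"securityContext"`
	Resources struct{ Limits, Requests map[string]string } `json:"resources"` // keys match case-insensitively
}

// ParseDeployment decodes the JSON form of a Deployment (e.g. kubectl get deploy web -o json).
func ParseDeployment(raw string) (d Deployment, err error) {
	err = json.Unmarshal([]byte(raw), &d)
	return d, err
}

// InScope reports whether the Operator would act on this deployment.
func InScope(d Deployment) bool {
	return d.Metadata.Annotations[MisconfigAnnotation] == "true"
}

// mutableTag is true for images that can change underneath you: untagged, tagged
// "latest", and not pinned by digest. A colon in the registry host is not a tag separator.
func mutableTag(image string) bool {
	if strings.Contains(image, "@") {
		return false
	}
	i := strings.LastIndex(image, ":")
	if i < 0 || strings.Contains(image[i+1:], "/") {
		return true
	}
	return image[i+1:] == "latest"
}

// Findings lists, per container, each setting configuration-sample weakens; empty means hardened.
func Findings(d Deployment) []string {
	var out []string
	for _, c := range d.Spec.Template.Spec.Containers {
		if mutableTag(c.Image) {
			out = append(out, c.Name+": mutable image tag "+c.Image)
		}
		sc := c.SecurityContext
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			out = append(out, c.Name+": runAsNonRoot is not true")
		}
		if sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			out = append(out, c.Name+": readOnlyRootFilesystem is not true")
		}
		for _, r := range []string{"cpu", "memory"} {
			if c.Resources.Requests[r] == "" || c.Resources.Limits[r] == "" {
				out = append(out, c.Name+": missing "+r+" request or limit")
			}
		}
	}
	return out
}

// Constructed samples, not captured from a cluster: WeakSample is an annotated deployment
// as it might look after the Operator's change, HardenedSample the baseline to restore.
const WeakSample = `{"metadata":{"name":"web","annotations":{"anaisurl.com/misconfiguration":"true"}},
"spec":{"template":{"spec":{"containers":[{"name":"web","image":"nginx:latest","securityContext":{"runAsNonRoot":false,
"readOnlyRootFilesystem":false},"resources":{"requests":{"cpu":"300m","memory":"80Mi"},"limits":{"cpu":"400m","memory":"130Mi"}}}]}}}}`

const HardenedSample = `{"metadata":{"name":"web","annotations":{}},
"spec":{"template":{"spec":{"containers":[{"name":"web","image":"nginx:1.25.3","securityContext":{"runAsNonRoot":true,
"readOnlyRootFilesystem":true},"resources":{"requests":{"cpu":"300m","memory":"80Mi"},"limits":{"cpu":"400m","memory":"130Mi"}}}]}}}}`

func main() {
	for _, raw := range []string{WeakSample, HardenedSample} {
		d, err := ParseDeployment(raw)
		if err != nil {
			panic(err)
		}
		fmt.Println(d.Metadata.Name, "in scope:", InScope(d), "findings:", Findings(d))
	}
}
```

Run it against a live deployment by piping kubectl get deploy <name> -o json into ParseDeployment before and after the Operator's daily reconcile; if this simple check finds three weakened settings and your admission controller or scanner stays silent, the response pipeline you designed "in theory" has a gap worth fixing.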
To delete the CRDs from the cluster:
make uninstall
Undeploy the controller from the cluster:
make undeploy
Once the Kubernetes Operator is installed inside the Kubernetes cluster, it will go through the following steps:
At this stage, I do not accept any contributions to this project, as it was created as part of my Bachelor's thesis.
This project aims to follow the Kubernetes Operator pattern.
It uses Controllers, which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
make deploy
make run
NOTE: You can also run this in one step by running: make install run
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifests
NOTE: Run make --help for more information on all potential make targets.
More information can be found via the Kubebuilder Documentation
To build the controller image named by IMG in the Makefile: make docker-buildx
Copyright 2023 AnaisUrlichs.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.