Merge pull request #652 from OWASP/feat-646-kubernetes1.25

Feat 646 kubernetes1.25

.github/workflows/minikube-k8s-test.yml

@@ -21,11 +21,12 @@ jobs:
       - name: Start minikube
         uses: medyagh/setup-minikube@master
         with:
-          minikube-version: 1.28.0
+          minikube-version: 1.29.0
           driver: docker
-          kubernetes-version: v1.23.12
+          kubernetes-version: v1.25.6
       - name: test script
         run: |
+          kubectl apply -f k8s/workspace-psa.yml
           kubectl apply -f k8s/secrets-config.yml
           kubectl apply -f k8s/secrets-secret.yml
           kubectl apply -f k8s/secret-challenge-deployment.yml

.github/workflows/minikube-vault-test.yml

@@ -22,9 +22,9 @@ jobs:
       - name: Start minikube
         uses: medyagh/setup-minikube@master
         with:
-          minikube-version: 1.28.0
+          minikube-version: 1.29.0
           driver: docker
-          kubernetes-version: v1.23.12
+          kubernetes-version: v1.25.6
       - name: Setup helm
         uses: azure/[email protected]
         id: install

.gitignore

@@ -25,7 +25,7 @@
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
 
-.DS_STORE
+.DS_Store
 target
 
 .vscode
@@ -43,8 +43,7 @@ root_token
 # Terraform
 kubeconfig_wrongsecrets-exercise-cluster
 .terraform
-.terraform.lock.hcl
-.terraform*
+.terraform
 terraform.tfstate*
 aws/terraform.tfstate.*
 aws/terraform.tfstate.backup
@@ -66,6 +65,8 @@ azure/k8s/pod-id.yml
 # Challenge 17
 .github/scripts/thirdkey.txt
 
+yourkey.txt
+
 # Node JS
 js/node/
 js/node_modules/

README.md

@@ -348,16 +348,16 @@ For development on local machine use the `local` profile `./mvnw spring-boot:run
 If you want to test against vault without K8s: start vault locally with
 
 ```shell
- export VAULT_ADDR='http://127.0.0.1:8200'
+ export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
  export VAULT_API_ADDR='http://127.0.0.1:8200'
  vault server -dev
 ```
 
 and in your next terminal, do (with the token from the previous commands):
 
 ```shell
-export VAULT_ADDR='http://127.0.0.1:8200'
-export VAULT_TOKEN='<TOKENHERE>'
+export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
+export SPRING_CLOUD_VAULT_TOKEN='<TOKENHERE>'
 vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
 vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
 ```

aws/README.md

@@ -111,9 +111,9 @@ The documentation below is auto-generated to give insight on what's created via
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.56.0 |
-| <a name="provider_http"></a> [http](#provider\_http) | ~> 3.2.1 |
-| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.4.3 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.56.0 |
+| <a name="provider_http"></a> [http](#provider\_http) | 3.2.1 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
 
@@ -154,7 +154,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.25"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 
 ## Outputs

aws/k8s-vault-aws-start.sh

@@ -12,6 +12,9 @@ AWS_REGION="eu-west-1"
 echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, jq, vault, grep, cat, sed, and awscli, and is only tested on mac, Debian and Ubuntu"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"
 
+echo "Setting up workspace PSA to restricted for default"
+kubectl apply -f ../k8s/workspace-psa.yml
+
 kubectl get configmaps | grep 'secrets-file' &>/dev/null
 if [ $? == 0 ]; then
   echo "secrets config is already installed"

aws/k8s/secret-challenge-vault-deployment.yml

@@ -28,10 +28,12 @@ spec:
         runAsUser: 2000
         runAsGroup: 2000
         fsGroup: 2000
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: vault
       volumes:
-        - name: 'ephemeral'
-          emptyDir: { }
+        - name: "ephemeral"
+          emptyDir: {}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
@@ -46,34 +48,39 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           ports:
             - containerPort: 8080
               protocol: TCP
           readinessProbe:
             httpGet:
-              path: '/actuator/health/readiness'
+              path: "/actuator/health/readiness"
               port: 8080
             initialDelaySeconds: 30
             timeoutSeconds: 5
             periodSeconds: 5
             failureThreshold: 8
           livenessProbe:
             httpGet:
-              path: '/actuator/health/liveness'
+              path: "/actuator/health/liveness"
               port: 8080
             initialDelaySeconds: 35
             timeoutSeconds: 30
             periodSeconds: 40
             failureThreshold: 5
           resources:
             requests:
-              memory: '512Mi'
-              cpu: '200m'
-              ephemeral-storage: '1Gi'
+              memory: "512Mi"
+              cpu: "200m"
+              ephemeral-storage: "1Gi"
             limits:
-              memory: '512Mi'
-              cpu: '1200m'
-              ephemeral-storage: '2Gi'
+              memory: "512Mi"
+              cpu: "1200m"
+              ephemeral-storage: "2Gi"
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           env:
@@ -89,16 +96,16 @@ spec:
                 secretKeyRef:
                   name: funnystuff
                   key: funnier
-            - name: VAULT_ADDR
-              value: "http://vault:8200"
+            - name: SPRING_CLOUD_VAULT_URI
+              value: "http://vault.vault.svc.cluster.local:8200"
             - name: JWT_PATH
               value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
           volumeMounts:
             - name: secrets-store-inline
               mountPath: "/mnt/secrets-store"
               readOnly: true
-            - name: 'ephemeral'
-              mountPath: '/tmp'
+            - name: "ephemeral"
+              mountPath: "/tmp"
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler

aws/terraform.tfvars

@@ -1,2 +1,2 @@
-cluster_version = "1.23"
-region          = "eu-west-1"
+# Edit this if you want a different region, e.g., us-east-1
+# region          = "eu-west-1"

aws/variables.tf

@@ -7,7 +7,7 @@ variable "region" {
 variable "cluster_version" {
   description = "The EKS cluster version to use"
   type        = string
-  default     = "1.23"
+  default     = "1.25"
 }
 
 variable "cluster_name" {