COMP5710 Workshop 3 Workshop Name: Resilient Automated Configuration Management Solution

Description
Use an existing tool to find security misconfigurations in Kubernetes configuration files
Targeted Courses
Software Quality Assurance
Activities
Pre-lab Content Dissemination
In this workshop we will use a tool called SLI-KUBE to find security misconfigurations. According to U.S. National Institute of Standards and Technology, (NIST)[https://www.nist.gov/], a security misconfiguration is a setting within a computer program that violates a configuration policy or that permits unintended behavior that impacts the security posture of a system. The goal of this workshop to understand how can we use a tool to identify security misconfigurations in Kubernetes manifests.
In-class Hands-on Experience
Go to announcements on CANVAS. See the announcement on Workshop 3
Install Docker on your computer
Run the following instructions one at a time to run the tool:
docker rm $(docker ps -a -f status=exited -f status=created -q) docker rmi -f $(docker images -a -q) docker pull akondrahman/sli-kube docker images -a docker run --rm -it akondrahman/sli-kube bash cd SLI-KUBE-WORK/KubeSec-master/
python3 main.py or python main.py
Locate the output file generated by the tool
The output file is a CSV file that has multiple columns. The first two columns correspond to the directory and the path of a Kubernetes configuration file. The rest corresponds to the count of instances for a specific category. We will use this count to determine the most three frequent ones. The Total column corresponds to the total instances of misconfigurations for a configuration file. Recording of this hands-on experience is available on CANVAS
Assignment 3 (Post Lab Experience)
Run the tool for all Kubernetes manifests zipped in workshop3.zip
First, copy the zip file to the container with docker cp
Second, extract the zip file with unzip
Third, change main.py so that the extracted folder gets scanned with SLI-KUBE.
Fourth, run python3 main.py or python main.py
Fifth, cop the generated output file to your own computer/machine using docker cp
Report the three most frequent security misconfigurations as determined by SLI-KUBE. Your report should include a 2 sentence description. Use Section-2.3 from workshop3-paper.pdf.
If you get NO_NETWORK_POLICY then you can use the following text: The misconfiguration category that is related with not specifying network policies. Without specifying network policies Kubernetes installations are susceptible to unauthorized accesses.
If you get NO_ROLLING_UPDATE then you can use the following text: The misconfiguration category that is related with not explicitly specifying RollingUpdate in the configuration file. A lack of rolling updates makes a Kubernetes installation susceptible to supply chain related attacks.