Build killer simulator environment for CKA

My attempts with the killer simulator for CKA have expired, so I'm using a home lab for CKA to keep practicing. I could play with the majority of questions except Question 24, as it's specific to the killer environment.

Requirements of question 24:
There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod.

To prevent this create a NetworkPolicy called np-backend in Namespace project-snake. It should allow the backend-* Pods only to:

  • connect to db1-* Pods on port 1111
  • connect to db2-* Pods on port 2222

Use the app label of Pods in your policy.

After implementation, connections from backend-* Pods to vault-* Pods on port 3333 should for example no longer work.

Important: Don’t delete any current objects deployed.

I wanted to build an environment similar to the killer simulator's:
➜ k -n project-snake get pod -o wide
NAME READY STATUS RESTARTS AGE IP …
backend-0 1/1 Running 0 4m14s 10.44.0.24 …
db1-0 1/1 Running 0 4m14s 10.44.0.25 …
db2-0 1/1 Running 0 4m16s 10.44.0.23 …
vault-0 1/1 Running 0 4m16s 10.44.0.22 …

➜ k -n project-snake exec backend-0 -- curl -s 10.44.0.25:1111
database one

➜ k -n project-snake exec backend-0 -- curl -s 10.44.0.23:2222
database two

➜ k -n project-snake exec backend-0 -- curl -s 10.44.0.22:3333
vault secret storage

My question is how to provision a Docker container that listens on port 1111/2222/3333 and returns the messages above when doing curl?

This is how you build a simple server to serve content like that.
You will have to do the following for each of the 3 pods:

For db-1

A configmap with the commands to run a simple server in shell script. Note the port number to listen on is at the end of the long line here:

apiVersion: v1
kind: ConfigMap
metadata:
  name: db1-configmap
data:
  entrypoint.sh: |
    #!/bin/sh
    # body that every request will receive
    echo "database one" > index.htm
    # one-shot HTTP/1.0 responder: nc exits after each connection, so loop forever
    while true
    do
        { echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c <index.htm)\r\n\r\n"; cat index.htm; } | nc -l -p 1111
    done

A pod that mounts the configmap and runs the server script. You need to add
any labels required.

apiVersion: v1
kind: Pod
metadata:
  name: db-1
spec:
  containers:
  - name: server
    image: alpine:3.19
    command:
    - /opt/server/entrypoint.sh
    volumeMounts:
    - name: script
      mountPath: /opt/server
  volumes:
  - name: script
    configMap:
      name: db1-configmap
      defaultMode: 0755

Do kubectl get pods -o wide to get the ip addresses.

And here’s a test of the above

$ kubectl run tester --image wbitt/network-multitool
pod/tester created

$ kubectl get pods -o wide
NAME     READY   STATUS    RESTARTS   AGE   IP          NODE            NOMINATED NODE   READINESS GATES
db-1     1/1     Running   0          64s   10.36.0.2   fc-k8sworker2   <none>           <none>
tester   1/1     Running   0          28s   10.36.0.3   fc-k8sworker2   <none>           <none>

$ kubectl exec -it tester -- curl 10.36.0.2:1111
database one
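To get all three servers in one go with the app labels the question's NetworkPolicy has to select on, here is an added generator script (not code from the thread or from killer.sh) that emits the ConfigMap and Pod manifests for db1, db2 and vault using the same alpine/nc approach as the answer above; the app label values and the /tmp path are assumptions.

```shell
#!/bin/sh
# Added example: print ConfigMap + Pod manifests for the three lab servers.
# Apply with:  all_manifests | kubectl -n project-snake apply -f -
# Label values (app: db1/db2/vault) are assumed; killer.sh's exact labels may differ.
# gen_server NAME PORT MESSAGE -> ConfigMap with the nc loop, Pod mounting it.
gen_server() {
  name=$1; port=$2; msg=$3
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${name}-configmap
data:
  entrypoint.sh: |
    #!/bin/sh
    echo "${msg}" > /tmp/index.htm
    while true; do
      { echo -ne "HTTP/1.0 200 OK\r\nContent-Length: \$(wc -c </tmp/index.htm)\r\n\r\n"; cat /tmp/index.htm; } | nc -l -p ${port}
    done
---
apiVersion: v1
kind: Pod
metadata:
  name: ${name}-0
  labels:
    app: ${name}
spec:
  containers:
  - name: server
    image: alpine:3.19
    command: ["/opt/server/entrypoint.sh"]
    volumeMounts:
    - name: script
      mountPath: /opt/server
  volumes:
  - name: script
    configMap:
      name: ${name}-configmap
      defaultMode: 0755
---
EOF
}
# all_manifests: the three targets from question 24 with their ports and replies.
all_manifests() {
  gen_server db1 1111 "database one"
  gen_server db2 2222 "database two"
  gen_server vault 3333 "vault secret storage"
}
```

The backend Pod only needs a client, so `kubectl -n project-snake run backend-0 -l app=backend --image wbitt/network-multitool` (the tester image used above) completes the set, and you can then write np-backend against the app labels and re-run the three curl checks from the question.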

@Jovoris_Fu If you feel the need for more killer.sh time, you can also purchase an additional session from the KillerCoda people. It’s reasonably priced, and if you want a 3rd session, that’s another way to get the practice. As always, it will be the same questions you saw in the first two sessions.

Thanks a lot, Alistair. It works perfectly for me.