This repository has been archived by the owner on Aug 7, 2024. It is now read-only.

Commit
C-001 solution (#848)
* get docker for mac working

change ingresses namespace

change get_game_url_base_path

use docker for desktop ip

* begun creation of roles

* C-001 fixed

Attempted to replicate the security flaw C-001 as per the test report after implementing RBAC. The console shows a 503 upon attempting to replicate the issue, the user's console shows a 111 (connection refused). This leads to the conclusion that the issue has been resolved, however further testing may be needed.

* Moved role/account yamls to their own folder

Put them all in an rbac folder to keep them in one easy-to-find place

* Added a comment to describe the process

Added a string to describe how to set up docker-desktop with extensions, and make use of RBAC. These steps may need to be automated, or included in the setup process. Minor issues still exist however.

* added reference to source of information

Just so others can find it easily if needed.

* Update worker account

* updated game_creator_role and minor changes

Moved the game creator to the nginx namespace and updated its role to reflect this. The ClusterRoleBinding gives the game creator's permissions a scope of the whole cluster (hence why it was moved out of reach of the worker pods, just in case there is a way for workers to gain access outside of their pod).

* Fixed game creator rc yaml not applying role binding

* change role binding namespace

* updated version

* Delete nginx-ingress folder

* Revert "get docker for mac working"

This reverts commit 017620a.

# Conflicts:
#	aimmo_runner/minikube.py

* Automate applying the accounts and roles

* fix travis build fail attempt

* Testing build fail

* More travis build tests

* travis build fix attempt++

* Update travis kubernetes version

* change kubernetes to earlier patch version

Kubernetes needs to be version 1.9.4 not 1.9.6

* Tests

* various changes

* Merge branch 'development' into c-001

* Resolve merge conflicts

* Merge remote-tracking branch 'origin/c-001' into c-001

* Fix issues created from merge conflicts

* Replacing versioner in setup.py

* minor change

* change to restart code climate

* pep8
TheseusGrey authored Oct 15, 2018
1 parent 0898dfd commit 726f7dd
Showing 10 changed files with 1,288 additions and 5 deletions.
4 changes: 2 additions & 2 deletions .travis.yml
@@ -23,10 +23,10 @@ jobs:
- NODE_ENV=production
before_script:
# Download kubectl, which is a requirement for using minikube.
- curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/
- curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.9.4/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/
# Download minikube.
- curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.25.2/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
- sudo minikube start --vm-driver=none --kubernetes-version=v1.7.0
- sudo minikube start --vm-driver=none --kubernetes-version=v1.9.4
# Fix the kubectl context, as it's often stale.
- minikube update-context
# Wait for Kubernetes to be up and ready.
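Review bot: both downloads in this hunk (the kubectl line changed here and the unchanged minikube line just below it) are fetched with curl and moved straight into /usr/local/bin with no integrity check, so a bump of the version string is the only thing pinning what the CI runs. Suggest recording the expected sha256 of the v1.9.4 kubectl release alongside the URL and verifying it before the chmod, e.g. `echo "<sha256-placeholder>  kubectl" | sha256sum -c -`, and doing the same for minikube. It would also help to carry the reason from the commit message ("Kubernetes needs to be version 1.9.4 not 1.9.6") into the comment above the `minikube start` line, since nothing in the file explains why both versions must match.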
2 changes: 1 addition & 1 deletion aimmo-game-creator/game_manager.py
@@ -210,7 +210,7 @@ def _make_rc(self, environment_variables, game_id):
drop=['all'],
add=['NET_BIND_SERVICE'])))

pod_manifest = kubernetes.client.V1PodSpec(containers=[container])
pod_manifest = kubernetes.client.V1PodSpec(containers=[container], service_account_name='worker-manager')
pod_metadata = kubernetes.client.V1ObjectMeta(labels={'app': 'aimmo-game', 'game_id': game_id})
pod_template_manifest = kubernetes.client.V1PodTemplateSpec(spec=pod_manifest, metadata=pod_metadata)
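Review bot: `service_account_name='worker-manager'` is a bare string reference with nothing in this hunk guaranteeing the ServiceAccount exists in the namespace where the game pod is created; if the rbac manifests have not been applied (or were applied to a different namespace) the pod will fail to be created rather than fall back to `default`, which is the right failure direction but should be surfaced. Suggest hoisting the name into a module-level constant shared with the rbac yaml so the two cannot drift, and adding a comment stating that this account must exist before `_make_rc` is called.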

1 change: 1 addition & 0 deletions aimmo-game-creator/rc-aimmo-game-creator.yaml
@@ -17,6 +17,7 @@ spec:
# The api server enforces this constraint.
app: aimmo-game-creator
spec:
serviceAccountName: game-creator
containers:
- name: aimmo-game-creator
image: ocadotechnology/aimmo-game-creator:latest
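Review bot: `serviceAccountName: game-creator` is added but this manifest declares no namespace, while the commit message says the game creator was moved to the nginx namespace and is bound via a ClusterRoleBinding; the binding's subject must name the namespace this ReplicationController is actually applied to, or the pod will run with no permissions. Suggest adding a comment above `serviceAccountName` naming the namespace the rbac binding expects, so anyone applying this file elsewhere sees the dependency.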
@@ -61,7 +61,7 @@ def _make_container(self, player_id):
)

def make_pod(self, player_id):
pod_manifest = kubernetes.client.V1PodSpec(containers=[self._make_container(player_id)])
pod_manifest = kubernetes.client.V1PodSpec(containers=[self._make_container(player_id)], service_account_name='worker')
metadata = kubernetes.client.V1ObjectMeta(
labels={
'app': 'aimmo-game-worker',
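Review bot: the worker pod runs player code and, as far as this hunk shows, has no reason to talk to the Kubernetes API, so attaching a `worker` service account still mounts a token at the default secret path even if the bound role grants nothing. Suggest passing `automount_service_account_token=False` in this `V1PodSpec` so the credential is never present in the pod, which removes the token from the worker's reach independently of how narrow the `worker` role turns out to be.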
9 changes: 9 additions & 0 deletions aimmo_runner/minikube.py
@@ -177,6 +177,14 @@ def restart_pods(game_creator_yaml, ingress_yaml):
)


def create_roles():
"""
Applies the service accounts, roles, and bindings for restricting
the rights of certain pods and their processses.
"""
run_command(['kubectl', 'apply', '-Rf', 'rbac'])


def start():
"""
The entry point to the minikube class. Sends calls appropriately to set
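Review bot: `run_command(['kubectl', 'apply', '-Rf', 'rbac'])` resolves `rbac` against the current working directory of whoever runs the runner, not against the repository, so it will apply nothing (or the wrong files) when invoked from elsewhere. Suggest building the path from the module location, e.g. `os.path.join(os.path.dirname(__file__), 'rbac')` or whatever base-path constant the rest of this file uses, and fixing the typo `processses` in the docstring.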
@@ -187,6 +195,7 @@ def start():
create_test_bin()
os.environ['MINIKUBE_PATH'] = MINIKUBE_EXECUTABLE
start_cluster(MINIKUBE_EXECUTABLE)
create_roles()
build_docker_images(MINIKUBE_EXECUTABLE)
restart_ingress_addon(MINIKUBE_EXECUTABLE)
ingress = create_ingress_yaml()
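Review bot: placing `create_roles()` directly after `start_cluster(MINIKUBE_EXECUTABLE)` is the right order, since the accounts must exist before `restart_pods` creates the game creator, but it assumes `start_cluster` returns only once the API server accepts requests; if it does not, the `kubectl apply` fails and the later pods silently run without the intended restrictions. Suggest either confirming `start_cluster` waits for readiness or having `create_roles` retry until `kubectl` succeeds, and treating a non-zero exit as fatal for `start()`.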

0 comments on commit 726f7dd
