From a57c55b8f6c995a486ea3161416928beb0ebc5a0 Mon Sep 17 00:00:00 2001
From: Sergey K
Date: Sat, 11 Dec 2021 23:36:30 +0300
Subject: [PATCH 1/2] add k8s template with vuln app
---
k8s_template/deployment.yaml | 18 ++++++++++++++++++
k8s_template/service.yaml | 15 +++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 k8s_template/deployment.yaml
create mode 100644 k8s_template/service.yaml
diff --git a/k8s_template/deployment.yaml b/k8s_template/deployment.yaml
new file mode 100644
index 0000000..6354a0c
--- /dev/null
+++ b/k8s_template/deployment.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: log4shell
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: log4shell
+ template:
+ metadata:
+ labels:
+ app: log4shell
+ spec:
+ containers:
+ - name: log4shell
+ image: ghcr.io/christophetd/log4shell-vulnerable-app
+ imagePullPolicy: Always
diff --git a/k8s_template/service.yaml b/k8s_template/service.yaml
new file mode 100644
index 0000000..57ce0fb
--- /dev/null
+++ b/k8s_template/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: log4shell
+ labels:
+ app: log4shell
+spec:
+ type: LoadBalancer
+ selector:
+ app: log4shell
+ ports:
+ - port: 8080
+ name: http
+ selector:
+ app: log4shell
From 33699f9d45d38a19c75546bb70d40d765479030b Mon Sep 17 00:00:00 2001
From: "s.kanibor"
Date: Sat, 15 Jan 2022 14:18:21 +0300
Subject: [PATCH 2/2] add vuln RBAC
---
k8s_template/deployment.yaml | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/k8s_template/deployment.yaml b/k8s_template/deployment.yaml
index 6354a0c..90ac23c 100644
--- a/k8s_template/deployment.yaml
+++ b/k8s_template/deployment.yaml
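Review bot: In the new k8s_template/deployment.yaml (patch 1/2) the `image:` line carries no tag or digest, and with `imagePullPolicy: Always` every pod restart pulls whatever the registry currently serves under the default tag. For a lab image that is meant to be exploitable, pinning keeps the exercise reproducible and stops an upstream change from silently altering what runs: `image: ghcr.io/christophetd/log4shell-vulnerable-app@sha256:<digest-placeholder>`. The manifest also sets no `namespace`, so it lands in whichever namespace the operator's context points at; a top-of-file comment such as `# Deliberately vulnerable (Log4Shell) lab workload - deploy only to an isolated, throwaway cluster` would make that risk visible.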
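Review bot: `type: LoadBalancer` in the new k8s_template/service.yaml (patch 1/2) requests an externally reachable address on most managed clusters, which puts a deliberately vulnerable app on port 8080 in front of the internet. `type: ClusterIP` combined with `kubectl port-forward` keeps it reachable only to the person running the lab. If an external address is really needed, `loadBalancerSourceRanges` should limit it to known addresses. Separately, `selector:` / `app: log4shell` appears twice in this hunk; indentation is not recoverable on this page, but if the second copy sits under `spec` it is a duplicate key and should be dropped.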
@@ -1,3 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: log4shell
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: allow_all
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: allow_all_bind
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: allow_all
+subjects:
+ - kind: ServiceAccount
+ name: log4shell
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -12,6 +41,7 @@ spec:
 labels:
 app: log4shell
 spec:
+ serviceAccountName: log4shell
 containers:
 - name: log4shell
 image: ghcr.io/christophetd/log4shell-vulnerable-app
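Review bot: The `allow_all` Role in the first hunk grants `'*'` on every API group, resource and verb, and the second hunk (`serviceAccountName: log4shell`) hands that identity to the container that patch 1/2 labels as vulnerable, so a compromise of the app amounts to full control of the namespace, including its Secrets. The commit title suggests this is intentional for a lab, but none of the objects sets `metadata.namespace`, so the Role and binding take effect in whatever namespace the manifest is applied to, often `default`. I would pin every object to a dedicated namespace, e.g. `namespace: log4shell-lab` (placeholder name), and add a header comment stating that the RBAC is intentionally over-permissive and must not be applied to a shared cluster.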