feat Updating name scripts to be more understandable and overall read…

…ability of the code blocks

.github/workflows/build_image.yaml

@@ -13,13 +13,19 @@ on:
           - security-playground
           - hello-app
           - postgres-sakila
+      docker_file:
+        description: 'Dockerfile to use for the build'
+        required: true
+        type: string
+        default: 'Dockerfile'
       docker_extra_args:
         description: 'Additional arguments for Docker build separated by comma'
         required: false
         type: string
       push_image_to_ECR:
         description: 'Wheter to push the image to ECR (default dry run)'
         required: true
+        default: false
         type: boolean
       custom_tag:
         description: 'Set a custom tag, leave blank to use the tag from the repo'
@@ -79,7 +85,7 @@ jobs:
       with:
         # list of Docker images to use as base name for tags
         images: |
-          public.ecr.aws/j4k4p5y8/${{ inputs.scenario }}
+          905418274209.dkr.ecr.us-east-1.amazonaws.com/public.ecr.aws/j4k4p5y8/${{ inputs.scenario }}
         # Docker tags based on the following events/attributes
         tags: |
           type=raw,value=${{ steps.tagging.outputs.tag}},enable=true
@@ -112,6 +118,7 @@ jobs:
           ${{ env.DOCKER_BUILD_ARGS_ENV_VAR }}
         platforms: linux/amd64
         context: 'docker-build-${{inputs.scenario}}'
-        push: ${{ inputs.push_image_to_ECR == 'true' }}
+        file: 'docker-build-${{inputs.scenario}}/${{inputs.docker_file}}'
+        push: ${{ inputs.push_image_to_ECR }}
         tags: ${{ steps.meta_id_ecr.outputs.tags }}
         labels: ${{ steps.meta_id_ecr.outputs.labels }}

README.md

@@ -1,25 +1,40 @@
 # Example / Demo / Testing Scenarios for Sysdig Secure
 
-These are the Kubernetes manifests and scripts from the Sysdig EKS Workshop - https://github.com/jasonumiker-sysdig/sysdig-aws-workshop-instructions
+These are the Kubernetes manifests and scripts from the Sysdig EKS Workshop - <https://github.com/sysdiglabs/sysdig-aws-workshop-instructions>
 
 I provide them here so that you can run through that workshop on your own cluster/environment (independent of Sysdig).
 
+## Workloads used
+
+The apps pre-configured with helm are based originally in the normal k8s deployment manifests you can find in the `./k8s-manifests/` folder and the image/apps in the folders that start with `docker-*`. The actual installation of them are through helm charts, I just ported them to the templating system, you can find them [here](https://github.com/sysdiglabs/demoenv-scenarios/tree/master/charts)
+
+The list of apps used in the workshop are:
+
+* security-playground (even though we have 4 variations of this app, currently, there is only one helm chart, in the values depend on the type of installation we select the appropriate image with the deployment config)
+  * restricted
+  * no-drift
+  * no-malware
+* hello-server
+* postgres-sakila
+
 ## Prerequisites (Optional if you want to do the AWS Cloud Detection and Response steps - otherwise any Kubernetes is fine)
 
 You need to have:
+
 * An AWS EKS Cluster
-  * With an IAM OIDC provider enabled for IRSA - https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
+  * With an IAM OIDC provider enabled for IRSA - <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>
 * A machine that is able to run kubectl commands against it (i.e. you've already run the `aws eks update-kubeconfig` with the right AWS IAM available to do so etc.)
 * A Sysdig Secure subscription with both the EKS Cluster and the AWS Account connected.
 
 ### Connecting the EKS Cluster to Sysdig
 
-This is the Sysdig Helm Chart values file we use in the workshop. I haven't moved to the cluster scanner yet because the workshop is a single-node cluster so it doesn't really matter/help there.
-```
+This is the Sysdig Helm Chart values file we use in the workshop. Now we are using cluster shield, since its stable and new features like layered analysis and recomendations are impactful. New current agent version is `13.4.1`
+
+```yaml
 global:
   sysdig: 
     accessKey: XXX
-    region: au1
+    region: REGION
     secureAPIToken: YYY
   kspm:
     deploy: true
@@ -32,85 +47,131 @@ nodeAnalyzer:
   nodeAnalyzer:
     benchmarkRunner:
       deploy: false
+    hostScanner:
+      deploy: true
     runtimeScanner:
+      deploy: false # Using Cluster Shield
+      eveConnector:
+        deploy: true
       settings:
         eveEnabled: true
-    hostScanner:
-      scanOnStart: true
-admissionController:
+
+rapidResponse:
   enabled: true
+  rapidResponse:
+  ...
+
+admissionController:
+  enabled: false # Using Cluster Shield
+  features:
+    k8sAuditDetections: false
+    kspmAdmissionController: false
   scanner:
     enabled: false
-  webhook:
-    autoscaling:
-      minReplicas: 1
+
+kspmCollector:
+  enabled: false # Using Cluster Shield
+clusterScanner:
+  enabled: false # Using Cluster Shield
+
+clusterShield:
+  enabled: true
+  cluster_shield:
+    features:
+      admission_control:
+        enabled: true
+        container_vulnerability_management:
+          enabled: true
+        deny_on_error: false
+        dry_run: false
+      audit:
+        enabled: true
+      container_vulnerability_management:
+        enabled: true
+        in_use:
+          enabled: true
+          integration_enabled: true
+      posture:
+        enabled: true
+
 ```
 
 ### (Optional if you want to do the AWS Cloud Detection and Response steps) Connecting the AWS Account to Sysdig
+
 We have connected the workshop AWS account with agentless CSPM and CDR - and assume that you'll have these enabled in your account as well:
 ![alt text](agentless-aws.png)
 
-
 ## Configuring Sysdig Secure's Runtime Policies
 
 The Workshop assumes that you have your Runtime Policies configured in the following way:
 
 ### AWS CloudTrail
+
 You will create two custom policies (click the Add Policy button in the upper right and choose AWS CloudTrail):
+
 * SSM Session Manager Connect
-    * Scope it to Entire Infrastructure
-    * Include the rule SSM Start Session (Import it from Library)
+  * Scope it to Entire Infrastructure
+  * Include the rule SSM Start Session (Import it from Library)
 * Make Bucket Public
-    * Scope it to Entire Infrastructure
-    * Include the rules (Import them from Library):
-        * Delete Bucket Public Access Block
-        * Put Bucket ACL for AllUsers
-        * Put Bucket Policy
+  * Scope it to Entire Infrastructure
+  * Include the rules (Import them from Library):
+    * Delete Bucket Public Access Block
+    * Put Bucket ACL for AllUsers
+    * Put Bucket Policy
 
 ### Workload
+
 Enable the following Managed Policies:
+
 * Sysdig Runtime Threat Detection
 * Sysdig Runtime Threat Intelligence
 * Sysdig Runtime Notable Events
 
 ### Kubernetes Audit
+
 Enable the Managed Policy Sysdig K8s Notable Events
 
-### Container Drift 
+### Container Drift
+
 You will create four custom policies (click the Add Policy button in the upper right and choose Container Drift):
+
 * Detect Container Drift (security-playground)
-    * Scope it to kubernetes.namespace.name = security-playground
-    * Ensure Actions -> Prevent is off
+  * Scope it to kubernetes.namespace.name = security-playground
+  * Ensure Actions -> Prevent is off
 * Detect Container Drift (security-playground-restricted)
-    * Scope it to kubernetes.namespace.name = security-playground-restricted
-    * Ensure Actions -> Prevent is off
+  * Scope it to kubernetes.namespace.name = security-playground-restricted
+  * Ensure Actions -> Prevent is off
 * Detect Container Drift (security-playground-restricted-nomalware)
-    * Scope it to kubernetes.namespace.name = security-playground-nomalware
-    * Ensure Actions -> Prevent is off
+  * Scope it to kubernetes.namespace.name = security-playground-nomalware
+  * Ensure Actions -> Prevent is off
 * Prevent Container Drift (security-playground-restricted-nodrift)
-    * Scope it to kubernetes.namespace.name = security-playground-restricted-nodrift
-    * Ensure Actions -> Prevent is **on**
+  * Scope it to kubernetes.namespace.name = security-playground-restricted-nodrift
+  * Ensure Actions -> Prevent is **on**
 
 ### Malware
+
 You will create two custom policies (click the Add Policy button in the upper right and choose Malware):
+
 * Detect Malware
-    * Scope it to Entire Infrastructure
-    * Ensure Actions -> Prevent is off
+  * Scope it to Entire Infrastructure
+  * Ensure Actions -> Prevent is off
 * Prevent Malware (security-playground-restricted-nomalware)
-    * Scope it to kubernetes.namespace.name = security-playground-restricted-nomalware
-    * Ensure Actions -> Prevent is **on**
+  * Scope it to kubernetes.namespace.name = security-playground-restricted-nomalware
+  * Ensure Actions -> Prevent is **on**
 
 ## Deploy the Kubernetes Manifests
 
 The K8s manifests are already installed through helm.
 You can review them by runing `helm ls -A`
 
 ## (Optional if you want to do the AWS Cloud Detection and Response steps) Set up the IRSA Role
+
 Edit the [set-up-irsa](./set-up-irsa.sh) script to include the cluster name (`$EKS_CLUSTER_NAME`) and region and then run that script to create a matching service-account named `irsa` that we'll assign to the security-playground giving it over-provisioned access to S3 in the workshop. The IAM role `irsa-$EKS_CLUSTER_NAME` should be already created in your account. You can run `aws iam get-role --role-name "irsa-$EKS_CLUSTER_NAME"` to retrieve it.
 
-NOTE: You'll need to have enabled OIDC on the cluster you are testing against by following the instructions at https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
+NOTE: You'll need to have enabled OIDC on the cluster you are testing against by following the instructions at <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html> _It is already pre-configured in the workshops_
 
 ## Do the workshop!
+
 The scripts that you would expect to be on the Jumpbox are all in the scripts folder.
 
 Assuming you configured everything as above, it should now work the same as if it was in the lab environment provided by Sysdig during the workshop.

scripts/example-curls-restricted-nodrift.sh → scripts/01-03-example-curls-restricted-nodrift.sh

@@ -123,4 +123,4 @@ curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xz
 echo "---"
 echo "Running curl -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'"
 echo "---"
-curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'
+curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'

scripts/example-curls-restricted-nomalware.sh → scripts/01-04-example-curls-restricted-nomalware.sh

@@ -123,4 +123,4 @@ curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xz
 echo "---"
 echo "Running curl -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'"
 echo "---"
-curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'
+curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d 'command=xmrig-6.20.0/xmrig'

scripts/security-playground-test.yaml → scripts/01-cfg-security-playground-test.yaml

@@ -35,4 +35,4 @@ spec:
               path: /health
               port: http
           securityContext:
-            privileged: true
+            privileged: true

scripts/example-curls-bucket-public.sh → scripts/02-01-example-curls-bucket-public.sh

@@ -7,7 +7,7 @@ NODE_PORT=30000
 echo "1. Installing the AWS CLI"
 echo "--------------------------------------------------------------------------------"
 curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl --connect-timeout 5 https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip"
-curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=unzip -q awscliv2.zip"
+curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=unzip awscliv2.zip"
 curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=./aws/install"
 curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=/usr/local/bin/aws --version"
 echo "2. Looking at the sensitive data/files in the bucket with security-playground's access to the AWS API via IRSA"
@@ -17,7 +17,7 @@ curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=cat cus
 echo "3. Removing the Public Access Block on our bucket $S3_BUCKET_NAME with the overprovisioned IRSA access"
 echo "--------------------------------------------------------------------------------"
 curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=aws s3api delete-public-access-block --bucket $S3_BUCKET_NAME"
-echo "4. Finally setting a bucket policy on the bucket to make it, and all its contents, public!"
+echo "4. Finally setting a bucket policy on the bucket to make it, and all its contents, public"
 echo "--------------------------------------------------------------------------------"
 POLICY="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::$S3_BUCKET_NAME/*\"}]}"
 POLICY_COMMAND="command=aws s3api put-bucket-policy --bucket $S3_BUCKET_NAME --policy '"$POLICY"'"

scripts/security-playground-irsa.yaml → scripts/02-cfg-security-playground-irsa.yaml

@@ -43,4 +43,4 @@ spec:
               cpu: "250m"
             limits:
               memory: "512Mi"
-              cpu: "500m"
+              cpu: "500m"

scripts/example-curls-networkpolicy.sh → scripts/06-01-example-curls-networkpolicy.sh

@@ -7,4 +7,4 @@ HELLO_NAMESPACE=hello
 
 echo "Trying to reach hello-server from security-playground"
 echo "---"
-curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl --connect-timeout 5 http://hello-server.$HELLO_NAMESPACE.svc:8080"
+curl --connect-timeout 5 -s -X POST $NODE_IP:$NODE_PORT/exec -d "command=curl --connect-timeout 5 http://hello-server.$HELLO_NAMESPACE.svc:8080"

scripts/refresh-security-playgrounds.sh

@@ -6,4 +6,4 @@ kubectl delete --all pods --namespace=security-playground-restricted-nodrift
 kubectl delete --all pods --namespace=security-playground-restricted-nomalware
 kubectl delete -f ./generated-network-policy.yml
 kubectl delete -f ./generated-network-policy2.yml
-kubectl apply -f example-scenarios/k8s-manifests/04-security-playground-deployment.yaml
+kubectl apply -f example-scenarios/k8s-manifests/04-security-playground-deployment.yaml

scripts/security-playground-aws-env-vars.yaml.orig

@@ -49,4 +49,4 @@ spec:
           - name: AWS_SECRET_ACCESS_KEY
             value: ""
           - name: AWS_DEFAULT_REGION
-            value: "ap-southeast-2"
+            value: "ap-southeast-2"

set-up-irsa.sh → scripts/set-up-irsa.sh

@@ -5,7 +5,7 @@ NAMESPACE="security-playground"
 AWS_ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
 IAM_ROLE_NAME="irsa-$EKS_CLUSTER_NAME"
 echo "Creating IAM role $IAM_ROLE_NAME"
-cat > ./scripts/serviceaccount.yaml << EOF
+cat > serviceaccount.yaml << EOF
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -16,6 +16,7 @@ metadata:
   name: $SERVICE_ACCOUNT_NAME
   namespace: $NAMESPACE
 EOF
-kubectl apply -f ./scripts/serviceaccount.yaml
+kubectl apply -f serviceaccount.yaml
 kubectl delete -n $NAMESPACE deploy security-playground
-kubectl apply -f ./scripts/security-playground-irsa.yaml
+kubectl apply -f 02-cfg-security-playground-irsa.yaml
+

scripts/test-all-workshop-commands.sh

@@ -1,22 +1,22 @@
 #!/bin/bash
-./example-curls.sh
-./example-curls-restricted.sh
-./example-curls-restricted-nodrift.sh
-./example-curls-restricted-nomalware.sh
+./01-01-example-curls.sh
+./01-02-example-curls-restricted.sh
+./01-03-example-curls-restricted-nodrift.sh
+./01-04-example-curls-restricted-nomalware.sh
 #kubectl apply -f ./security-playground-irsa.yaml
 #kubectl apply -f ./security-playground-aws-env-vars.yaml
 #sleep 10
 #export S3_BUCKET_NAME=bucket
-#./example-curls-bucket-public.sh
+#./02-01-example-curls-bucket-public.sh
 #export SECURE_API_TOKEN=token
 #./sysdig-cli-scanner -a app.au1.sysdig.com logstash:7.16.1
 #./sysdig-cli-scanner -a app.au1.sysdig.com --iac example-scenarios/k8s-manifests/04-security-playground-deployment.yaml
-./example-curls-networkpolicy.sh
+./06-01-example-curls-networkpolicy.sh
 kubectl apply -f ./generated-network-policy.yml
 sleep 10
-./example-curls-networkpolicy.sh
+./06-01-example-curls-networkpolicy.sh
 kubectl logs --since=5m deployment/hello-client-blocked -n hello
 kubectl logs --since=5m deployment/hello-client -n hello
 kubectl apply -f ./generated-network-policy2.yml
 sleep 10
-./example-curls.sh
+./01-01-example-curls.sh