-
Notifications
You must be signed in to change notification settings - Fork 0
/
Installation Instructions
227 lines (169 loc) · 9.4 KB
/
Installation Instructions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
Part I: Prepare the OS, Docker, Kubernetes
Step 1: Install Linux. I am using Kali Linux VM 2024.2 version. This tutorial assumes you know how to spin up the VM.
Step 2: Install Docker using the following command, this is a very old version of Docker, but it will work for this lab, to install a newer version with Docker Compose baked in, read here
https://www.kali.org/docs/containers/installing-docker-on-kali/
$ apt install docker.io
$ docker version
Client:
Version: 20.10.25+dfsg1
Step 3: Install Kind (easy to install Kubernetes distro)
Copy and paste the following six lines (14 to 19) into your terminal
# For AMD64 / x86_64
[ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64
# For ARM64
[ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-arm64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
In my case, sometimes I run the command in X86_64, I get the following error
curl: (2) no URL specified
curl: try 'curl --help' or 'curl --manual' for more information
chmod: cannot access './kind': No such file or directory
mv: cannot stat './kind': No such file or directory
so I will replace line 15 with the following, and then run line 18 and 19 commands
$ wget -O ./kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64
$ chmod +x ./kind
$ sudo mv ./kind /usr/local/bin/kind
Step 4: Create a Kubernetes Cluster
$ kind create cluster --name kindcluster
You should see the following:
Creating cluster "kindcluster" ...
✓ Ensuring node image (kindest/node:v1.30.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-kindcluster"
You can now use your cluster with:
kubectl cluster-info --context kind-kindcluster
Not sure what to do next? 😅 Check out https://kind.sigs.k8s.io/docs/user/quick-start/
Step 5: Set the Kubectl context
$ kubectl cluster-info --context kind-kindcluster
If Kali Linux prompts you to install kubectl, click Y for Yes
If it doesn't prompt you, follow the following three steps (lines 57 to 60) to install kubectl
"Kubectl is a command-line interface (CLI) tool for interacting with Kubernetes clusters. It enables efficient control and management of Kubernetes resources."
$ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
$ chmod +x kubectl
$ sudo mv kubectl /usr/local/bin
Step 6: Check the kindcluster control plane is Ready or not
$ kubectl get nodes
You should see:
NAME STATUS ROLES AGE VERSION
kindcluster-control-plane Ready control-plane 5m46s v1.30.0
Step 7: Check if no pods are running at this time
$ kubectl get pods
You should see "No resources found in default namespace."
Step 8: Ensure K8S environment is ready
$ kubectl get pods -n kube-system
You should see something like this with all the Status showing Running.
NAME READY STATUS RESTARTS AGE
coredns-7db6d8ff4d-24wdv 1/1 Running 0 6m14s
coredns-7db6d8ff4d-bfzxq 1/1 Running 0 6m14s
etcd-kindcluster-control-plane 1/1 Running 0 6m28s
kindnet-qxngf 1/1 Running 0 6m14s
kube-apiserver-kindcluster-control-plane 1/1 Running 0 6m28s
kube-controller-manager-kindcluster-control-plane 1/1 Running 0 6m28s
kube-proxy-rqjzn 1/1 Running 0 6m14s
kube-scheduler-kindcluster-control-plane 1/1 Running 0 6m28s
Part II: Install the OWASP Juice Shop Application
Step 9: Create a manifest yaml file for the Juice Shop deployment
#nano juice-shop-deployment.yaml
copy and paste lines 93 to 110 into nano text editor and save the file or use the one provided in my repository
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: juice-shop
spec:
template:
metadata:
labels:
app: juice-shop
spec:
containers:
- name: juice-shop
image: bkimminich/juice-shop
selector:
matchLabels:
app: juice-shop
...
Step 10: Launch the juice shop
#kubectl create -f juice-shop-deployment.yaml
You should see "deployment.apps/juice-shop created"
Step 11: Make sure the Pod is running
#kubectl get pod --watch
You should see something like:
juice-shop-699c69578f-fzdfq 1/1 Running 0 91s
Step 12: Check the deployment
#kubectl get deployment
You should see the following:
NAME READY UP-TO-DATE AVAILABLE AGE
juice-shop 1/1 1 1 3m8s
Step 13: Create the service yaml file for OWASP Juice Shop Application
# nano juice-shop-service.yaml
copy and paste lines 136 to 149 into nano and save the file, or use the one provided in my repository
---
kind: Service
apiVersion: v1
metadata:
name: juice-shop
spec:
type: NodePort
selector:
app: juice-shop
ports:
- name: http
port: 8000
targetPort: 3000
...
Explanation:
The above yaml file will create a virtual ClusterIP that listens on port 31167 in my example.
- External traffic comes in on the Node Port (e.g. 31167, it is dynamically assigned, in Step 14)
- The Node Port forwards traffic to the Service port (8000) which is defined in line 114, this port is not accessible outside the cluster.
- The Service port forwards traffic to the target port (3000), the target port refers to the port which the pod in the Worker Node will be listening for incoming requests.
- The containers in the pod listen on port 3000 for incoming requests
- The juice-shop web application will run in the container that is running in the pod.
Step 14: Launch the service yaml file you just created
# kubectl create -f juice-shop-service.yaml
You should see:
service/juice-shop created
Step 15: Check the Service Virtual IP address is properly created (i.e. ClusterIP)
# kubectl get svc juice-shop
You should see something like:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
juice-shop NodePort 10.96.119.165 <none> 8000:31167/TCP 21s
<Important> Take note of Node Port 31167 (in my example), this is the port that allows the OWASP Juice Shop service to be available to the external world.
Step 16: Check the endpoint is created
# kubectl get ep juice-shop
You should see:
NAME ENDPOINTS AGE
juice-shop 10.244.0.5:3000 59s
Now run another command,
# kubectl get pod -o wide
You should notice that the Endpoint IP address (in my example, 10.244.0.5) matches the Pod's IP address (i.e. 10.244.0.5) as seen below.
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
juice-shop-699c69578f-fzdfq 1/1 Running 0 7m23s 10.244.0.5 kind-control-plane <none> <none>
Step 17: Now find out the Worker Node's IP address, in my example, it is 172.18.0.2
# kubectl get node -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
kind-control-plane Ready control-plane,master 11h v1.21.1 172.18.0.2 <none> Ubuntu 21.04 5.11.0-25-generic containerd://1.5.2
Step 18: Now combine the Worker Node IP address and the Node Port in Line 135 to access the OWASP Juice Shop Service (only accessible within this VM itself)
# curl 172.18.0.2:31167
You should see something similar:
--TRUNCATED--
<script src="runtime-es2018.js" type="module"></script><script src="runtime-es5.js" nomodule defer></script><script src="polyfills-es5.js" nomodule defer></script><script src="polyfills-es2018.js" type="module"></script><script src="vendor-es2018.js" type="module"></script><script src="vendor-es5.js" nomodule defer></script><script src="main-es2018.js" type="module"></script><script src="main-es5.js" nomodule defer></script></body>
</html>
Step 19: Now open the browser in Kali Linux and key in 172.18.0.2:31167, you should see the "Welcome to OWASP Juice Shop!"
Congrats for sticking with me so far. Now you must take note that this website is only accessible from within this Virtual Machine.
You have to do additional port forwarding to ensure that it is accessible to the outside world.
Go back to line 110 and take note of the Port 8000, we are not able to access from anywhere outside of this VM.
Also, we do not want to use the NodePort (32267) to access the OWASP Juice Shop, so we will have to port forward service port 8000 to port 8080 where any machine outside of this VM can access.
Step 20: Port Forward from Cluster IP and Service Port to VM's localhost and new port 8080
# kubectl port-forward svc/juice-shop 8080:8000
You should see the following, leave this terminal running.
Forwarding from 127.0.0.1:8080 -> 3000
Forwarding from [::1]:8080 -> 3000
Step 21: Open another browser tab in Kali Linux and browse to localhost:8080, you should be able to see the same website as in line 196.
Step 22: Delete the kubernetes cluster you created with the command
$ kind delete cluster --name kindcluster
<The End>