This repo consists of vulnerable configuration files, split per configuration type. The files contain various vulnerabilities which Snyk Infrastructure as Code can identify, as well as scripts for setting up demo environments to educate about the challenges and potential security issues in the Infrastructure as Code world.
The ./k8s directory contains demo-able applications which emphasise why different settings in your configurations files can expose you to security attacks:
- Privileged pod - the problem with having a privileged pod on your cluster
To start the demos, you need to follow these steps:
- Install and run minikube.
- Run minikube -
minikube start- If you already have a running minikube, and you want to start with clean environment -
minikube delete
- If you already have a running minikube, and you want to start with clean environment -
- Run
minikube dashboardand make sure you have a working (hopefully empty) Kubernetes cluster - Run
./build.sh(from the main dir of every issue example)- The
build.shapplies all of the required config for each and every example
- The
- Look for the new components on your cluster (Pod / Deployment / Service / Ingress)
- Continue with the instructions of each one of the examples for more specific details
- When you're done - you can run
./cleanup.sh(from the main dir of every issue example) in order to revert all of the changes done by thebuild.shscript
This directory also contains various other vulnerable Kubernetes templates under ./k8s/templates, which can also be scanned by Snyk.
To scan any of the files and directories in this repo with Snyk, install snyk snyk iac test either from the main directory or by pointing at each file one by one.
For example:
- to test a single file:
$ snyk iac test cloudformation/templates/aurora.yaml
- to test a folder:
$ snyk iac test k8s/
- to test a nested folder:
$ snyk iac test terraform/aws/