ctfcli-deploy-kubernetes

A ctfcli plugin for deploying CTF challenge containers to Kubernetes.

Installation

1. Install the plugin: ctf plugins install https://github.com/pl4nty/ctfcli-deploy-kubernetes.git
2. Install Kompose
3. Install kubectl and configure cluster access, eg Google Kubernetes Engine docs
4. Login to a container registry, eg docker login ghcr.io

Usage

1. Add a Compose file like docker-compose.yml to your challenge(s)
2. ctf challenge deploy --host "kubernetes://chals.example.com?registry=ghcr.io/username" --skip-login
3. If your Compose files already have image fields, the registry parameter isn't required
4. If your .ctf/config file contains registry credentials, the --skip-login parameter isn't required

Pwn challenges

To expose pwn challenges to the internet:

1. Ensure challenges have unique ports
2. Choose a domain for challenges to be exposed on subdomains, eg chals.example.com
3. ctf challenge deploy --host "kubernetes://chals.example.com?registry=ghcr.io/username" --skip-login
4. Configure DNS for chals.example.com to point to your cloud provider's load balancer external IP address
5. Visit your challenge eg at chals.example.com:1234

Web challenges

To expose web challenges to the internet:

1. Install an ingress controller
2. Set it as the default IngressClass: kubectl annotate ingressclass your-ingress-class ingressclass.kubernetes.io/is-default-class=true. Alternatively, set kompose.service.expose.ingress-class-name in an override
3. Choose a domain for challenges to be exposed on subdomains, eg chals.example.com
4. ctf challenge deploy --host "kubernetes://chals.example.com?registry=ghcr.io/username" --skip-login
5. Configure DNS for *.chals.example.com to point to your ingress controller external IP address
6. Visit your challenge at http://challenge-name.chals.example.com. This will be the first service in the Compose file, other services will be available with the pattern http://challenge-name-service-name.chals.example.com
7. (Optional) Configure TLS termination at the ingress controller. If using the Ingress TLS field, create a Kubernetes secret in the challenge namespace and set kompose.service.expose.tls-secret in an override. Secret creation can be automated with reflector for wildcard certificates (recommended) or cert-manager.

Private container registries

To use a private container registry with password authentication, create a Kubernetes secret in the challenge namespace. Secret creation can be automated with reflector.

kubectl create secret docker-registry ghcr --namespace=$namespace \
--docker-server=ghcr.io \
--docker-username=username \
--docker-password=password

Then set kompose.image-pull-secret in an override.

Overrides

Use the override parameter with a Compose file to merge it into challenges. This can enable certain features. For a full list of supported kompose labels, see the labels section of the Kompose docs.

services:
  app:
    labels:
      kompose.image-pull-secret: 'mypullsecretname'
      kompose.service.expose.ingress-class-name: 'myingressclass'
      kompose.service.expose.tls-secret: 'mytlssecretname'