Check Point AppSec - K8S-demo

This terraform project is for demoing Check Point AppSec solution on EKS (AWS) using bkimminich/juice-shop image.

AWS cli, kubectl and helm are needed.

Prior to apply the tf you will need to define the following IAM roles:

eksClusterRole: AWS service (EKS Cluster) with attached AmazonEKSClusterPolicy policy
eksWorkerRole: AWS Service (EC2) with attached AmazonEKSWorkerNodePolicy, AmazonEC2ContainerRegistryReadOnly, AmazonEKS_CNI_Policy, AmazonEBSCSIDriverPolicy policies

In terraform.tfvars add the AWS region you want the cluster is deployed to, AK and SK for authentication.

If TLS is enabled for the Ingress, a Secret containing the certificate and key for juice.yourdomain.com must also be provided in secret-juice.yaml:

apiVersion: v1
kind: Secret
	namespace: foo
data:
	tls.crt: <base64 encoded cert>
	tls.key: <base64 encoded key>
type: kubernetes.io/tls

In Check Point Infinity portal (https://portal.checkpoint.com) has to be defined the following Asset (using K8S deployment):

After init/plan/apply terraform, update the active K8S context:

aws eks update-kubeconfig --region <region_in_terraform.tfvars> --name eks-appsec

Create the deployment:

kubectl apply -f '/.../.../juiceshop.yml'

In case TLS is enabled, create a secret on the K8S cluster:

kubectl apply -f '/.../.../secret-juice.yaml'

Download helm chart using the following command:

wget https://github.com/CheckPointSW/Infinity-Next/raw/main/deployments/cp-k8s-appsec-nginx-ingress-4.0.1.tgz -O cp-k8s-appsec-nginx-ingress-4.0.1.tgz

(version can change during time)

Deploy the ingress controller by running:

helm install cp-k8s-appsec-nginx-ingress-4.0.1.tgz --name-template cp-appsec --set appsec.agentToken="cp-..."

(you can copy the commands from the profile of the agent protecting the asset)

This will deploy a LB in AWS. Need to create a CNAME record in your domain as follows:

juice.yourdomain.com -> "A record of the LB"

Configure the Ingress resource:

kubectl apply -f '/.../.../ingress-juice-resource.yaml'

Enforce the policy in infinity portal and you are ready for testing the solution.

Name		Name	Last commit message	Last commit date
Latest commit History 44 Commits
README.md		README.md
ingress-juice-resource.yaml		ingress-juice-resource.yaml
juiceshop.yml		juiceshop.yml
main.tf		main.tf
output.tf		output.tf
secret-juice.yaml		secret-juice.yaml
terraform.tfvars		terraform.tfvars
variables.tf		variables.tf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Check Point AppSec - K8S-demo

About

Releases

Packages

Languages

luizec/CheckPoint-AppSec_-_K8S-demo

Folders and files

Latest commit

History

Repository files navigation

Check Point AppSec - K8S-demo

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages