Demonstrating secure and non-secure Kubernetes IaC manifests using Kustomize.io (`kubectl -k`) overlays.
The manifests in this repository demonstrate how to take a basic NGINX Kubernetes deployment with many security issues and use Zscaler Posture Control (ZPC) to produce a fully compliant manifest that achieves the same NGINX deployment.
⚠️ DO NOT deploy these template examples in a production environment or alongside any sensitive resources.
⚠️ All passwords in this repo are used as examples and should not be used in production.
Using kustomize overlays (environments), we see both forms of these configurations here:
- `kustomize/base` - Our base (starting) manifests, which are insecure.
- `kustomize/overlays/test` - A few security updates, but still a lot of non-compliance.
- `kustomize/overlays/dev` - An example of an empty overlay; it produces the same result as `base` when merged with `kustomize build`.
- `kustomize/overlays/prod` - Fully compliant additions to `base`; this overlay renders a clean bill of health when scanned.
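To make the base-versus-overlay idea concrete, here is an added, self-contained illustration (not the manifests from this repository) of how a `kustomize/base` deployment with typical findings can be hardened by a `kustomize/overlays/prod` strategic-merge patch without touching the base files. The specific weaknesses shown in the base (mutable `latest` tag, root user, no resource limits, privilege escalation allowed) and the specific fixes in the overlay are assumptions chosen for illustration; the `nginxinc/nginx-unprivileged` image is used because it listens on 8080 and runs as a non-root user out of the box, which is what the hardened settings require.

```yaml
# --- kustomize/base/kustomization.yaml (illustrative, not the repo's file)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
---
# --- kustomize/base/deployment.yaml (illustrative insecure starting point)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest          # mutable tag: what gets deployed can change under you
          ports:
            - containerPort: 80
          # no securityContext: runs as root, privilege escalation allowed
          # no resources: a runaway pod can starve the node
---
# --- kustomize/overlays/prod/kustomization.yaml (illustrative)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base                          # reuse the base unchanged
patches:
  - path: hardening-patch.yaml          # strategic merge patch applied on top
---
# --- kustomize/overlays/prod/hardening-patch.yaml (illustrative)
# Matched to the base Deployment by kind + metadata.name; the container
# entry is matched by name, so only the listed fields are added/overridden.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    spec:
      automountServiceAccountToken: false   # pod has no need to talk to the API server
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:1.25   # pinned tag, non-root image on 8080
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 101                   # uid the unprivileged image uses
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 128Mi
          livenessProbe:
            httpGet:
              path: /
              port: 8080
          volumeMounts:                      # scratch dirs nginx needs once the rootfs is read-only
            - name: cache
              mountPath: /var/cache/nginx
            - name: run
              mountPath: /tmp
      volumes:
        - name: cache
          emptyDir: {}
        - name: run
          emptyDir: {}
```

Rendering each environment with `kustomize build kustomize/overlays/prod` (or `kubectl kustomize kustomize/overlays/prod`) and feeding the output to the scanner shows the point the overlay structure makes: the same base produces a failing manifest for `base`/`dev` and a passing one for `prod`, so the scan results track the overlay, not the base files.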
Contribution is welcomed!
We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
Zscaler-BD-SA Team builds and maintains this repository to encourage the adoption of policy-as-code.
If you need direct support you can contact us at zscaler-partner-labs@z-bd.com.
- zpc-aws-cfn-iac-scanning - Vulnerable-by-design CloudFormation template
- zpc-terraform-iac-scanning - Vulnerable-by-design Terraform stack
- zpc-kustomize-iac-scanning - Vulnerable-by-design kustomize deployment