From bee100daae1e3cd8b0770ec913185a1b908d287f Mon Sep 17 00:00:00 2001 From: Raoul Scarazzini Date: Mon, 23 Feb 2026 18:38:32 +0100 Subject: [PATCH] [WSKS] Add Calico Minikube support and fix outputs This adds Minikube CNI network plugin installation, fixes some of the outputs and adds some Cosign details. Fixes: #67 Signed-off-by: Raoul Scarazzini --- Common/Kubernetes-Install-Minikube.md | 56 +++++++------------ .../Stage-2-Kyverno-Policy-as-Code.md | 7 ++- .../Stage-3-Sign-Containers-with-Cosign.md | 23 +++++++- .../scripts/functions.source | 4 +- 4 files changed, 47 insertions(+), 43 deletions(-) diff --git a/Common/Kubernetes-Install-Minikube.md b/Common/Kubernetes-Install-Minikube.md index 4a9e0fa..4fd416d 100644 --- a/Common/Kubernetes-Install-Minikube.md +++ b/Common/Kubernetes-Install-Minikube.md @@ -13,6 +13,10 @@ Your system should have, at least: - Container or virtual machine manager, such as: Docker, QEMU, Hyperkit, Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMware Fusion/Workstation. +In case of a Linux host a good idea would be to use Minikube through Docker. +Instructions on how to install and enable a user to run Docker are available at +[Containers-Install-Docker.md](Containers-Install-Docker.md). + ## Download Minikube Download and make it executable in `/usr/local/bin`: 
@@ -58,56 +62,36 @@ $ minikube start ``` -### Using docker driver - -Depending on the way you want to install Minikube you can pass different driver -as paramenter to `minikube start`. By default it will try to use the Docker -driver, so if you don't have Docker installed on your environment you might want -to install it by [following the official instructions](https://docs.docker.com/engine/install/). +### Enable a specific insecure registry in Minikube -For a RHEL based operating systems these are the steps to be followed: +If you need to enable a specific insecure registry in your Minikube +installation, like it's needed for the **Building Castles** training series, it +is possible to pass the `--insecure-registries` option: ```console -$ sudo yum install -y yum-utils -... - -$ sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo -Adding repo from: https://download.docker.com/linux/centos/docker-ce.repo - -$ sudo yum install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin +$ minikube start --insecure-registry=172.16.99.1:5000 ... - -$ sudo systemctl start docker -(no output) - -$ sudo systemctl enable docker -Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service. ``` -Remember that your user must be part of the `docker` system group. -This can be done as follows: +This will consider `172.16.99.1:5000` container registry as an usable one inside +the Minikube installation. -```console -$ sudo usermod --append --groups docker kirater -(no output) - -$ newgrp docker -(no output) +### Enable a specific CNI in Minikube -$ groups -docker kirater -``` - -### Enable a specific insecure registry +If you need to use a different CNI plugin in your Minikube installation it is +possible to pass the `--cni` option, chosing the proper plugin. 
-If you need to enable a specific insecure registry in your minikube -installation, it is possible to pass the `--insecure-registries` options: +For the **Shifting Kubernetes left** security workshop a good choice would be +`calico`, so the proper command line to install Minikube would be: ```console -$ minikube start --insecure-registry=172.16.99.1:5000 +$ minikube start --cni calico ... ``` +This will improve the way Minikube manages the Network, by supporting features +like _Network Policies_. + ## Enable kubectl Download the `kubectl` command: diff --git a/Workshops/Kubernetes-Security/Stage-2-Kyverno-Policy-as-Code.md b/Workshops/Kubernetes-Security/Stage-2-Kyverno-Policy-as-Code.md index d6826a4..213f546 100644 --- a/Workshops/Kubernetes-Security/Stage-2-Kyverno-Policy-as-Code.md +++ b/Workshops/Kubernetes-Security/Stage-2-Kyverno-Policy-as-Code.md @@ -32,15 +32,16 @@ Update Complete. ⎈Happy Helming!⎈ $ helm upgrade --install kyverno kyverno/kyverno \ --namespace kyverno --create-namespace \ - --set admissionController.hostNetwork=true + --set admissionController.hostNetwork=true \ + --version 3.7.1 NAME: kyverno LAST DEPLOYED: Tue Oct 14 13:43:56 2025 NAMESPACE: kyverno STATUS: deployed REVISION: 1 NOTES: -Chart version: 3.5.2 -Kyverno version: v1.15.2 +Chart version: 3.7.1 +Kyverno version: v1.17.1 ... ``` diff --git a/Workshops/Kubernetes-Security/Stage-3-Sign-Containers-with-Cosign.md b/Workshops/Kubernetes-Security/Stage-3-Sign-Containers-with-Cosign.md index 71355e5..1144f5b 100644 --- a/Workshops/Kubernetes-Security/Stage-3-Sign-Containers-with-Cosign.md +++ b/Workshops/Kubernetes-Security/Stage-3-Sign-Containers-with-Cosign.md 
@@ -62,7 +62,19 @@ cosign.pub In this example we will create a local container build to be pushed on the GitHub registry, [ghcr.io](ghcr.io). This means that we will need to create a -token from the web interface and then login using `docker`: +token from the web interface. + +Under `Settings`, go to `Developer Settings` and then under `Personal access +tokens`, select `Tokens (classic)`, then click on `Generate new token (classic)` +and enter a note like `For Kiratech Kubernetes Security Workshop packages` and +be sure to select all the checkboxes related to: + +- `repo` +- `write:packages` +- `delete:packages` + +After clicking on `Generate` you will get a token that you will be able to use +with the `docker login` command: ```console $ docker login ghcr.io @@ -214,7 +226,7 @@ command line. [This bug](https://github.com/sigstore/cosign/issues/4488#issuecomment-3432196825) on the Cosign's GitHub repository is covering the issue. -Once the container images is signer, the effective signature can be verified by +Once the container images is signed, the effective signature can be verified by using `cosign verify`, and note that the result is the same while using the `1.0` tag or the entire container image digest: @@ -279,6 +291,13 @@ spec: -----END PUBLIC KEY----- ``` +To create the `ClusterPolicy` use the `kubectl create -f` command: + +```console +$ kubectl create -f verify-signed-images.yaml +clusterpolicy.kyverno.io/require-signed-images created +``` + This will fail (check `webhookConfiguration`) to launch Pods that will not have a signature based on the generated public key (check `verifyImages` section). diff --git a/Workshops/Kubernetes-Security/scripts/functions.source b/Workshops/Kubernetes-Security/scripts/functions.source index 9af6cd5..903d3ea 100755 --- a/Workshops/Kubernetes-Security/scripts/functions.source +++ b/Workshops/Kubernetes-Security/scripts/functions.source 
@@ -46,8 +46,8 @@ check_kyverno() { echo 'helm repo add kyverno https://kyverno.github.io/kyverno/' echo 'helm update' echo 'helm upgrade --install kyverno kyverno/kyverno \' - echo ' --create-namespace --namespace kyverno' - echo ' --version 3.1.4' + echo ' --create-namespace --namespace kyverno \' + echo ' --version 3.7.1' exit 1 fi print_success "Kyverno is present."
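Review bot: in the second Kubernetes-Install-Minikube.md hunk, the sentence after the `--insecure-registry` console block describes the flag only as making `172.16.99.1:5000` "usable", but what the flag actually does is tell the node's container runtime to talk to that registry without TLS validation (plain HTTP or an untrusted certificate), which is the reason it is scoped to one explicit address. Suggest stating that in the explanatory sentence so readers do not carry the option over to a non-lab cluster, and fixing "as an usable one" to "as a usable one".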
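Review bot: the `--cni calico` paragraph in the same hunk should say that the CNI is fixed when the cluster is created, so a reader who already ran the earlier `minikube start` on this page needs a `minikube delete` before the flag has any effect. The insecure-registry section just above has the same constraint, so one combined `minikube start --cni calico --insecure-registry=172.16.99.1:5000` would be clearer than two separate commands. "This will improve the way Minikube manages the Network" is vague; the concrete benefit, already hinted at by "_Network Policies_", is that NetworkPolicy objects are actually enforced, which Minikube's default CNI does not do. Also "chosing" should be "choosing".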
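Review bot: the Stage-2-Kyverno-Policy-as-Code.md output block looks hand-edited rather than recaptured: `Chart version` and `Kyverno version` were bumped to 3.7.1 / v1.17.1, but `LAST DEPLOYED: Tue Oct 14 13:43:56 2025` is unchanged and predates this patch. Re-run the pinned command and paste the real output so the Kyverno version shown is the one chart 3.7.1 actually ships. Pinning `--version 3.7.1` itself is the right call for a workshop, since an unpinned `helm upgrade --install` pulls whatever chart is latest and the policies in later stages may depend on the exact release.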
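Review bot: the personal-access-token scope list in the first Stage-3-Sign-Containers-with-Cosign.md hunk asks for more privilege than the page uses. `docker login`, the push, and `cosign sign` only need to write packages; `delete:packages` is never exercised anywhere on the page, so listing it as mandatory hands a long-lived bearer credential a destructive capability the workshop does not need. Suggest dropping `delete:packages` (or marking it optional), and adding a sentence to set an expiration on the classic token and revoke it once the workshop is done.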
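Review bot: the "signer" to "signed" fix in the second Stage-3 hunk leaves a number disagreement: "Once the container images is signed" should read "Once the container image is signed", since a single image is pushed and verified in this section.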
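Review bot: `kubectl apply -f` would be preferable to `kubectl create -f` for the `ClusterPolicy` in the third Stage-3 hunk, because readers who re-run the step after editing the public key get an AlreadyExists error with `create` but a clean update with `apply`. The expected output line `clusterpolicy.kyverno.io/require-signed-images created` is a good addition; consider following it with a `kubectl get clusterpolicy` line showing the READY column, since the policy only enforces once it reports Ready and the next sentence ("This will fail ... to launch Pods") assumes it does.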
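Review bot: the backslash fix in functions.source is correct, but the echoed helper command is now out of sync with the documented one in Stage-2: the doc installs with `--set admissionController.hostNetwork=true \` and `--version 3.7.1`, while the script prints the command without the `--set`, so a reader who copies the hint gets a different install than the workshop expects. The context line `echo 'helm update'` is also not a valid Helm command; it should be `helm repo update`, matching the step that produced `Update Complete. ⎈Happy Helming!⎈` in Stage-2. The version string 3.7.1 now lives in two files; keeping it in one place (for example a variable in functions.source) avoids exactly the drift this patch is fixing.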