[WSKS] Add Calico Minikube support and fix outputs

Common/Kubernetes-Install-Minikube.md

@@ -13,6 +13,10 @@ Your system should have, at least:
 - Container or virtual machine manager, such as: Docker, QEMU, Hyperkit,
   Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMware Fusion/Workstation.
 
+In case of a Linux host a good idea would be to use Minikube through Docker.
+Instructions on how to install and enable a user to run Docker are available at
+[Containers-Install-Docker.md](Containers-Install-Docker.md).
+
 ## Download Minikube
 
 Download and make it executable in `/usr/local/bin`:
@@ -58,56 +62,36 @@ $ minikube start
 
 ```
 
-### Using docker driver
-
-Depending on the way you want to install Minikube you can pass different driver
-as paramenter to `minikube start`. By default it will try to use the Docker
-driver, so if you don't have Docker installed on your environment you might want
-to install it by [following the official instructions](https://docs.docker.com/engine/install/).
+### Enable a specific insecure registry in Minikube
 
-For a RHEL based operating systems these are the steps to be followed:
+If you need to enable a specific insecure registry in your Minikube
+installation, like it's needed for the **Building Castles** training series, it
+is possible to pass the `--insecure-registries` option:
 
 ```console
-$ sudo yum install -y yum-utils
-...
-
-$ sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
-Adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
-
-$ sudo yum install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+$ minikube start --insecure-registry=172.16.99.1:5000
 ...
-
-$ sudo systemctl start docker
-(no output)
-
-$ sudo systemctl enable docker
-Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
 ```
 
-Remember that your user must be part of the `docker` system group.
-This can be done as follows:
+This will consider `172.16.99.1:5000` container registry as an usable one inside
+the Minikube installation.
 
-```console
-$ sudo usermod --append --groups docker kirater
-(no output)
-
-$ newgrp docker
-(no output)
+### Enable a specific CNI in Minikube
 
-$ groups
-docker kirater
-```
-
-### Enable a specific insecure registry
+If you need to use a different CNI plugin in your Minikube installation it is
+possible to pass the `--cni` option, chosing the proper plugin.
 
-If you need to enable a specific insecure registry in your minikube
-installation, it is possible to pass the `--insecure-registries` options:
+For the **Shifting Kubernetes left** security workshop a good choice would be
+`calico`, so the proper command line to install Minikube would be:
 
 ```console
-$ minikube start --insecure-registry=172.16.99.1:5000
+$ minikube start  --cni calico
 ...
 ```
 
+This will improve the way Minikube manages the Network, by supporting features
+like _Network Policies_.
+
 ## Enable kubectl
 
 Download the `kubectl` command:

Workshops/Kubernetes-Security/Stage-2-Kyverno-Policy-as-Code.md

@@ -32,15 +32,16 @@ Update Complete. ⎈Happy Helming!⎈
 
 $ helm upgrade --install kyverno kyverno/kyverno \
     --namespace kyverno --create-namespace \
-    --set admissionController.hostNetwork=true
+    --set admissionController.hostNetwork=true \
+    --version 3.7.1
 NAME: kyverno
 LAST DEPLOYED: Tue Oct 14 13:43:56 2025
 NAMESPACE: kyverno
 STATUS: deployed
 REVISION: 1
 NOTES:
-Chart version: 3.5.2
-Kyverno version: v1.15.2
+Chart version: 3.7.1
+Kyverno version: v1.17.1
 ...
 ```
 

Workshops/Kubernetes-Security/Stage-3-Sign-Containers-with-Cosign.md

@@ -62,7 +62,19 @@ cosign.pub
 
 In this example we will create a local container build to be pushed on the
 GitHub registry, [ghcr.io](ghcr.io). This means that we will need to create a
-token from the web interface and then login using `docker`:
+token from the web interface.
+
+Under `Settings`, go to `Developer Settings` and then under `Personal access
+tokens`, select `Tokens (classic)`, then click on `Generate new token (classic)`
+and enter a note like `For Kiratech Kubernetes Security Workshop packages` and
+be sure to select all the checkboxes related to:
+
+- `repo`
+- `write:packages`
+- `delete:packages`
+
+After clicking on `Generate` you will get a token that you will be able to use
+with the `docker login` command:
 
 ```console
 $ docker login ghcr.io
@@ -214,7 +226,7 @@ command line.
 [This bug](https://github.com/sigstore/cosign/issues/4488#issuecomment-3432196825)
 on the Cosign's GitHub repository is covering the issue.
 
-Once the container images is signer, the effective signature can be verified by
+Once the container images is signed, the effective signature can be verified by
 using `cosign verify`, and note that the result is the same while using the
 `1.0` tag or the entire container image digest:
 
@@ -279,6 +291,13 @@ spec:
                       -----END PUBLIC KEY-----
 ```
 
+To create the `ClusterPolicy` use the `kubectl create -f` command:
+
+```console
+$ kubectl create -f verify-signed-images.yaml
+clusterpolicy.kyverno.io/require-signed-images created
+```
+
 This will fail (check `webhookConfiguration`) to launch Pods that will not have
 a signature based on the generated public key (check `verifyImages` section).
 

Workshops/Kubernetes-Security/scripts/functions.source

@@ -46,8 +46,8 @@ check_kyverno() {
         echo 'helm repo add kyverno https://kyverno.github.io/kyverno/'
         echo 'helm update'
         echo 'helm upgrade --install kyverno kyverno/kyverno \'
-        echo '    --create-namespace --namespace kyverno'
-        echo '    --version 3.1.4'
+        echo '    --create-namespace --namespace kyverno \'
+        echo '    --version 3.7.1'
         exit 1
     fi
     print_success "Kyverno is present."