At Tremolo Security, everything we do is open source. Our CTO, Marc Boorshtein, recently taught a class at BSidesDC on Kubernetes identity management. He walked a class through integrating a cluster into Active Directory, adding authorization processes, enabling the audit log and building pod security policies. We created a self contained lab for this class and decided to release it on GitHub! This lab is an:
- Ansible playbook to stand up the environment on a single node cluster
- Deploys the Kubernetes Dashboard
- Deploys OpenUnison
- Set of labs for enabling OpenID Connect, the audit logs, debugging RBAC policies and pod security policies
The playbooks have been tested on a local Ubuntu 18.04 VM, AWS’ Ubuntu image and Digital Ocean’s Ubuntu image. All you need to do is add an Active Directory domain controller. We hope you enjoy using this lab in your journey to locking down your clusters, and its open source so please open issues for PRs, questions and feedback!