update slides
codebytes committed May 8, 2024
1 parent b65f000 commit 646f4bc
Showing 4 changed files with 157 additions and 0 deletions.
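--- a/auth-setup.sh
+++ b/auth-setup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#set vars
+#codebytes
+githubOrganizationName=$(echo $(git remote get-url origin) | cut -f4 -d"/")
+#secure-terraform-on-azure
+githubRepositoryName=$(basename -s .git `git config --get remote.origin.url`)
+
+#create app registration
+applicationRegistrationDetails=$(az ad app create --display-name "${githubRepositoryName}")
+applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
+applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
+
+#created federated creds
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-env-dev\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dev\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-branch-main\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+
+az ad sp create --id $applicationRegistrationObjectId
+
+AZURE_CLIENT_ID=$applicationRegistrationAppId
+AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
+AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+
+az role assignment create --assignee $applicationRegistrationAppId --role Contributor --scope "/subscriptions/$AZURE_SUBSCRIPTION_ID"
+
+echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+
+gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
+gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
+gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"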
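Review bot: The `az role assignment create` line grants Contributor over the whole subscription to an identity that all four federated credentials can assume — including the `pull_request` one — so any workflow run that can obtain an OIDC token for this repository gets subscription-wide write access; scoping the assignment to the resource group the workflow deploys into (or a narrower custom role) would be least privilege. The `githubOrganizationName` line takes the fourth `/`-separated field of the remote URL, which is empty for an SSH remote such as `git@github.com:org/repo.git`, so the federated-credential subjects would silently become `repo:/repo:…` and never match a real token. The script also runs under `#!/bin/sh` with no `set -e`, so if `az ad app create` fails, the empty `$applicationRegistrationObjectId` is still handed to the later `az ad app federated-credential create` and `az ad sp create` calls. A sketch of the three changes:
```sh
#!/bin/sh
set -eu

# Works for both https://github.com/ORG/REPO(.git) and git@github.com:ORG/REPO.git remotes
remoteUrl=$(git remote get-url origin)
githubOrganizationName=$(printf '%s\n' "${remoteUrl%/*}" | sed 's#.*[/:]##')
githubRepositoryName=$(basename -s .git "$remoteUrl")

# … unchanged: app registration, federated-credential creation, service principal …

# Scope the role to the resource group the workflow deploys into, not the whole subscription
az role assignment create --assignee "$applicationRegistrationAppId" --role Contributor \
  --scope "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/${AZURE_RESOURCE_GROUP:?set the target resource group}"
```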
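--- a/containerizing-dotnet.sln
+++ b/containerizing-dotnet.sln
@@ -0,0 +1,37 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.002.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{E7035618-F471-4A35-8C03-EEDD1FEA3B2B}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hello-containers", "src\hello-containers\hello-containers.csproj", "{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SampleApi", "src\SampleApi\SampleApi.csproj", "{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Release|Any CPU.Build.0 = Release|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(NestedProjects) = preSolution
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3} = {E7035618-F471-4A35-8C03-EEDD1FEA3B2B}
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1} = {E7035618-F471-4A35-8C03-EEDD1FEA3B2B}
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {E2B60925-3A4E-4748-BA9A-0FD83439835E}
+EndGlobalSection
+EndGlobal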
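--- a/demos.md
+++ b/demos.md
@@ -0,0 +1,60 @@
+
+ACR_NAME=cayerscontainersdemo.azurecr.io
+az group create --name rg-containers-demos --location eastus
+az acr create --name cayerscontainersdemo -g rg-containers-demos -l eastus --sku Standard
+az acr login -n cayerscontainersdemo
+
+---
+
+cd src/SampleApi
+cd src/hello-containers
+
+---
+
+docker build . -t sampleapi:latest
+docker run -it --rm -p 8080:8080 sampleapi:latest
+
+--- size
+
+docker run -it --rm --entrypoint /bin/bash sampleapi:latest
+
+dotnet publish -t:PublishContainer -p ContainerImageTag=published
+dotnet publish -t:PublishContainer -p ContainerImageTag=alpine -p ContainerFamily=alpine
+dotnet publish -t:PublishContainer -p ContainerImageTag=chiseled -p ContainerFamily=jammy-chiseled
+
+--- packages
+
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0 | grep dotnet | wc -l
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0 | grep deb | wc -l
+
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled | grep dotnet | wc -l
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled | grep deb | wc -l
+
+--- security
+
+docker run -it --rm --entrypoint /bin/bash hello-containers:latest
+
+whoami
+apt
+
+docker run -it --rm --entrypoint /bin/bash --user root hello-containers:latest
+
+---
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
+sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
+
+trivy i hello-containers
+trivy i hello-containers:alpine
+trivy i hello-containers:chiseled
+
+dotnet publish -t:PublishContainer -p ContainerImageTag=arm64 --arch arm64
+docker run sampleapi:arm64
+
+az acr build --registry $ACR_NAME --image test:v1 --file Dockerfile .
+
+docker login cayerscontainersdemo.azurecr.io
+
+az acr login -n $ACR_NAME
+docker run -p 8080:8080 $ACR_NAME/test:v1
+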
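Review bot: The `wget` / `sudo dpkg -i` pair pins Trivy to v0.18.3, a release several years older than this May 2024 commit, and installs it as root without verifying a checksum or signature — an odd fit for a demo whose point is image scanning. Consider pinning a current release and verifying the download against the checksum file published with that release, e.g. `sha256sum -c --ignore-missing trivy_checksums.txt` before the `dpkg -i`. The `docker run ... --user root hello-containers:latest` line under `--- security` presumably exists to show that a runtime flag overrides the image's non-root user; a one-line comment saying so would keep readers from copying it as the recommended invocation.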
18 changes: 18 additions & 0 deletions slides/Slides.md
Original file line number Diff line number Diff line change
Expand Up @@ -491,6 +491,24 @@ Identify security vulnerabilities and compliance issues in container images.
---
## Kubernetes Restricted Policy
The **Restricted** policy enhances security for critical applications by enforcing pod hardening practices.
```
spec:
securityContext:
runAsNonRoot: true
containers:
- name: aspnetapp
image: mcr.microsoft.com/dotnet/samples:aspnetapp-chiseled
ports:
- containerPort: 8080
```
[Learn more about Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)
---
# Demos
---
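Review bot: The YAML under "Kubernetes Restricted Policy" would not actually be admitted under the Restricted Pod Security Standard it links to: `runAsNonRoot: true` is only one of its requirements, and the example omits `allowPrivilegeEscalation: false`, dropping all capabilities, and a `seccompProfile` of `RuntimeDefault` or `Localhost`, so the slide's claim that the policy "enforces pod hardening practices" is illustrated by a pod the policy would reject. Showing the full set is what makes the slide useful for an audience trying to adopt the profile, and it still runs on the chiseled sample image. The deck continues beyond this hunk, so if a later slide covers these fields a cross-reference would do instead.
```yaml
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: aspnetapp
      image: mcr.microsoft.com/dotnet/samples:aspnetapp-chiseled
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      ports:
        - containerPort: 8080
```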