diff --git a/auth-setup.sh b/auth-setup.sh
new file mode 100755
index 0000000..841da06
--- /dev/null
+++ b/auth-setup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#set vars
+#codebytes
+githubOrganizationName=$(echo $(git remote get-url origin) | cut -f4 -d"/")
+#secure-terraform-on-azure
+githubRepositoryName=$(basename -s .git `git config --get remote.origin.url`)
+
+#create app registration
+applicationRegistrationDetails=$(az ad app create --display-name "${githubRepositoryName}")
+applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
+applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
+
+#created federated creds
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-env-dev\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dev\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-branch-main\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+
+az ad sp create --id $applicationRegistrationObjectId
+
+AZURE_CLIENT_ID=$applicationRegistrationAppId
+AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
+AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+
+az role assignment create --assignee $applicationRegistrationAppId --role Contributor --scope "/subscriptions/$AZURE_SUBSCRIPTION_ID"
+
+echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+
+gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
+gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
+gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"
diff --git a/containerizing-dotnet.sln b/containerizing-dotnet.sln
new file mode 100644
index 0000000..6500118
--- /dev/null
+++ b/containerizing-dotnet.sln
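Review bot: The `az role assignment create` line grants Contributor on the entire subscription to the one app registration that all four federated credentials share, so a workflow run on the `pull_request` event ends up with exactly the same subscription-wide write access as the `prod` environment. Narrowing the scope to the resource group the workflows deploy into, `--scope "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/<deploy-resource-group>"`, and using a separate app registration per environment where dev and prod need different rights, limits what a compromised PR workflow can reach. Separately, the script runs under `#!/bin/sh` with no `set -eu` and never checks what `jq -r '.id'` produced, so if `az ad app create` fails the four `federated-credential create` calls and `az ad sp create` would still be invoked with an empty `--id`; adding `set -eu` after the shebang and `: "${applicationRegistrationObjectId:?no object id returned by az ad app create}"` after the jq lines stops the script at the first failure. The `cut -f4 -d"/"` on the remote URL also assumes an https remote; an ssh-style remote yields an empty organization name and a federated subject that never matches, which fails closed but without any error message.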
@@ -0,0 +1,37 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.5.002.0 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{E7035618-F471-4A35-8C03-EEDD1FEA3B2B}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hello-containers", "src\hello-containers\hello-containers.csproj", "{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SampleApi", "src\SampleApi\SampleApi.csproj", "{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Debug|Any CPU.Build.0 = Debug|Any CPU + {7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Release|Any CPU.ActiveCfg = Release|Any CPU + {7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Release|Any CPU.Build.0 = Release|Any CPU + {E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(NestedProjects) = preSolution + {7064BCB9-4EC3-4D52-B112-D6C0527B92F3} = {E7035618-F471-4A35-8C03-EEDD1FEA3B2B} + {E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1} = {E7035618-F471-4A35-8C03-EEDD1FEA3B2B} + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {E2B60925-3A4E-4748-BA9A-0FD83439835E} + EndGlobalSection +EndGlobal 
diff --git a/demos.md b/demos.md
new file mode 100644
index 0000000..3bcbd1c
--- /dev/null
+++ b/demos.md
@@ -0,0 +1,60 @@
+
+ACR_NAME=cayerscontainersdemo.azurecr.io
+az group create --name rg-containers-demos --location eastus
+az acr create --name cayerscontainersdemo -g rg-containers-demos -l eastus --sku Standard
+az acr login -n cayerscontainersdemo
+
+---
+
+cd src/SampleApi
+cd src/hello-containers
+
+---
+
+docker build . -t sampleapi:latest
+docker run -it --rm -p 8080:8080 sampleapi:latest
+
+--- size
+
+docker run -it --rm --entrypoint /bin/bash sampleapi:latest
+
+dotnet publish -t:PublishContainer -p ContainerImageTag=published
+dotnet publish -t:PublishContainer -p ContainerImageTag=alpine -p ContainerFamily=alpine
+dotnet publish -t:PublishContainer -p ContainerImageTag=chiseled -p ContainerFamily=jammy-chiseled
+
+--- packages
+
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0 | grep dotnet | wc -l
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0 | grep deb | wc -l
+
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled | grep dotnet | wc -l
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled | grep deb | wc -l
+
+--- security
+
+docker run -it --rm --entrypoint /bin/bash hello-containers:latest
+
+whoami
+apt
+
+docker run -it --rm --entrypoint /bin/bash --user root hello-containers:latest
+
+---
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
+sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
+
+trivy i hello-containers
+trivy i hello-containers:alpine
+trivy i hello-containers:chiseled
+
+dotnet publish -t:PublishContainer -p ContainerImageTag=arm64 --arch arm64
+docker run sampleapi:arm64
+
+az acr build --registry $ACR_NAME --image test:v1 --file Dockerfile .
+
+docker login cayerscontainersdemo.azurecr.io
+
+az acr login -n $ACR_NAME
+docker run -p 8080:8080 $ACR_NAME/test:v1
+
diff --git a/slides/Slides.md b/slides/Slides.md
index 343d7db..e1b4cf4 100644
--- a/slides/Slides.md
+++ b/slides/Slides.md
@@ -491,6 +491,24 @@ Identify security vulnerabilities and compliance issues in container images. --- +## Kubernetes Restricted Policy +The **Restricted** policy enhances security for critical applications by enforcing pod hardening practices. + +``` + spec: + securityContext: + runAsNonRoot: true + containers: + - name: aspnetapp + image: mcr.microsoft.com/dotnet/samples:aspnetapp-chiseled + ports: + - containerPort: 8080 +``` + +[Learn more about Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) + +--- + +# Demos ---