We welcome the player and ask him whether he/she is good and Kubernetes troubleshooting. We tell them that there is a simple Kubernetes cluster that runs a Postgresql database that contains user credentials.
We received reports recently that the credentials may have been leaked. More and more users are complaining about “hacked” accounts.
Your task is to verify the system from security perspective.
We give the user a laptop, with kubectl and k9s installed. They
have admin access. They will probably check the pods, the logs, but
there is nothing suspicious.
We give them the following hints:
- No one can access the database except for us.
- The system is highly secured. An external firewall is in place. Nobody can access the database from the outside.
- We have recently reinstalled the host operating system. There can be no virus there.
- Before the incident, we performed a Postgresql version upgrade.
The user will unable to find the security issue.
We will present the user the Whisker dashboard. The user will play with it. With our help, they will find a suspicious outgoing connection:
If the player is interested, we can help them to provision a network policy that prevents the communication to the public internet.
These preparations help to give a demo in an unreliable-network environment.
Disable the firewall on the host.
Create a dummy network interface with the name whisker.
sudo ip link add dev whisker type dummy
sudo ip addr add 3.14.137.65/28 dev whiskerYou can build the image with the following command.
docker build 2025/postgresql/ -t postgresql/postgresql:16Save the image.
docker save postgresql/postgresql:16 -o postgres_16.tarYou can generate the Postgres deployment manifest with the following command.
helm template postgres \
--repo https://groundhog2k.github.io/helm-charts \
--namespace postgres \
--create-namespace \
-f postgres-values.yaml \
--version 1.5.7 > postgres.yamlDownload the Calico manifest files:
curl -LO https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/operator-crds.yaml
curl -LO https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/tigera-operator.yaml
curl -LO https://raw.githubusercontent.com/projectcalico/calico/v3.30.3/manifests/custom-resources.yamlThen update custom-resources.yaml so that the
spec.calicoNetwork.ipPools.[0].cidr field has the value
192.168.101.0 in the Installation resource.
VERSION="v3.30.3"
IMAGES=("typha" "kube-controllers" "node" "csi")
for IMAGE in ${IMAGES[@]}
do
echo "Saving ${IMAGE}:${VERSION}"
docker pull "docker.io/calico/${IMAGE}:${VERSION}"
docker save "docker.io/calico/${IMAGE}:${VERSION}" -o "${IMAGE}.tar"
done
VERSION="v1.38.6"
echo "Saving operator:${VERSION}"
docker pull "quay.io/tigera/operator:${VERSION}"
docker save "quay.io/tigera/operator:${VERSION}" -o operator.tar
sudo nc -kl 3.14.137.65 137 | pv > /dev/nullkind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
networking:
disableDefaultCNI: true
podSubnet: 192.168.101.0/24kind create cluster --name whisker-the-game --config kind-config.yamlThen check the cluster state:
kubectl cluster-infoIMAGES=("typha" "kube-controllers" "node" "csi" "operator" "postgres_16")
for IMAGE in ${IMAGES[@]}
do
echo "Uploading ${IMAGE}"
kind load image-archive "${IMAGE}.tar" \
--name whisker-the-game \
--nodes whisker-the-game-control-plane,whisker-the-game-worker,whisker-the-game-worker2
donekubectl create -f operator-crds.yaml
kubectl create -f tigera-operator.yamlkubectl create ns calico-system
kubectl create -f custom-resources.yamlkubectl create ns postgres --dry-run=client -o yaml | kubectl apply -f -
kubectl apply -f postgres.yamlkind delete cluster --name whisker-the-game