Wsks fix scripts output

Workshops/Kubernetes-Security/Stage-4-Policy-Reporter-Visualization.md

@@ -63,17 +63,6 @@ $ ./stage-4-policy-reporter-visualization.sh
 ═══════════════════════════════════════════════════════════
   Stage 4: Policy Reporter Visualization - Testing
 ═══════════════════════════════════════════════════════════
-
-ℹ Checking prerequisites...
-✓ Prerequisites check passed
-
-═══════════════════════════════════════════════════════════
-  Creating Test Environment
-═══════════════════════════════════════════════════════════
-
-ℹ Creating namespace policy-test...
-namespace/policy-test created
-✓ Namespace created
 ...
 ```
 
@@ -91,7 +80,7 @@ NAME                                   KIND   NAME                           PAS
 843dab32-08bc-41de-9af3-1234a84a365e   Pod    non-compliant-latest-tag       2      1      0      0       0      7s
 d7908844-98a5-446a-a170-8faacfdb2741   Pod    compliant-pod                  3      0      0      0       0      8s
 
-kubectl -n policy-test describe policyreport 5d653b12-8fe9-4e17-8464-551f35fb76d5
+$ kubectl -n policy-test describe policyreport 5d653b12-8fe9-4e17-8464-551f35fb76d5
 Name:         5d653b12-8fe9-4e17-8464-551f35fb76d5
 Namespace:    policy-test
 Labels:       app.kubernetes.io/managed-by=kyverno

Workshops/Kubernetes-Security/scripts/functions.source

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Function to print colored output
+print_info() {
+    echo -e "${BLUE}ℹ${NC} $1"
+}
+
+print_success() {
+    echo -e "${GREEN}✓${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}⚠${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}✗${NC} $1"
+}
+
+print_step() {
+    echo ""
+    echo -e "${GREEN}$1${NC}"
+    echo ""
+}
+
+print_header() {
+    echo ""
+    echo -e "${GREEN}═══════════════════════════════════════════════════════════${NC}"
+    echo -e "${GREEN}  $1${NC}"
+    echo -e "${GREEN}═══════════════════════════════════════════════════════════${NC}"
+    echo ""
+}
+
+check_kyverno() {
+    print_info "Checking Kyverno..."
+    if ! kubectl get namespace kyverno &> /dev/null; then
+        print_error 'Kyverno is not installed. Please install it first.'
+        echo 'To install Kyverno:'
+        echo 'helm repo add kyverno https://kyverno.github.io/kyverno/'
+        echo 'helm update'
+        echo 'helm upgrade --install kyverno kyverno/kyverno \'
+        echo '    --create-namespace --namespace kyverno'
+        echo '    --version 3.1.4'
+        exit 1
+    fi
+    print_success "Kyverno is present."
+}
+
+check_kyverno_policy_reporter() {
+    if ! kubectl get namespace policy-reporter &> /dev/null; then
+        print_error 'Policy Reporter is not installed. Please install it first.'
+        echo 'To install Kyverno Policy Reporter:'
+        echo 'helm repo add policy-reporter https://kyverno.github.io/policy-reporter'
+        echo 'helm update'
+        echo 'helm upgrade --install policy-reporter policy-reporter/policy-reporter \'
+        echo '    --create-namespace --namespace policy-reporter \'
+        echo '    --set ui.enabled=true \'
+        echo '    --set kyvernoPlugin.enabled=true \'
+        echo '    --set ui.plugins.kyverno=true'
+        exit 1
+    fi
+}

Workshops/Kubernetes-Security/scripts/stage-1-network-policies-namespaces.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -e
+
+source functions.source
+
+print_header "Stage 1: Network Policies Namespaces - Test"
+
+print_info "This script will test Pod isolation using a Network Policy."
+
+FRONTENDPOD=frontend
+EXTERNALPOD=external
+
+if [ "$1" == "clean" ]; then
+  print_step "Cleaning up things..."
+  kubectl delete --wait namespace backend frontend external
+  print_header "Cleanup complete."
+  exit 0
+fi
+
+print_step "Preparation"
+
+print_info "Creating namespaces..."
+kubectl create namespace backend
+kubectl create namespace frontend
+kubectl create namespace external
+print_success "Namespaces created."
+
+print_info "Creating backend deployment..."
+kubectl --namespace backend create deployment backend  --image nginx:latest
+kubectl wait --namespace backend --for=condition=ready pod --selector=app=backend --timeout=90s
+BACKENDIP=$(kubectl -n backend get pod -l app=backend -o jsonpath="{.items[0].status.podIP}")
+print_success "Deployment backend created."
+
+print_info "Running frontend Pod on frontend namespace..."
+kubectl -n frontend run $FRONTENDPOD --image=curlimages/curl:latest --restart=Never -- /bin/sh -c "while true; do sleep 3600; done"
+kubectl wait --namespace frontend --for=condition=ready pod --selector=run=$FRONTENDPOD --timeout=90s
+print_success "Pod frontend on frontend namespace created."
+
+print_info "Running external Pod on external namespace..."
+kubectl -n external run $EXTERNALPOD --image=curlimages/curl:latest --restart=Never -- /bin/sh -c "while true; do sleep 3600; done"
+kubectl wait --namespace external --for=condition=ready pod --selector=run=$EXTERNALPOD --timeout=90s
+print_success "Pod external on external namespace created."
+
+print_step "First check: connectivity should work for both frontend and external"
+
+print_info "Checking connectivity BEFORE NetworkPolicy (frontend)..."
+kubectl -n frontend exec -it $FRONTENDPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
+
+print_info "Checking connectivity BEFORE NetworkPolicy (external)..."
+kubectl -n external exec -it $EXTERNALPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
+
+print_step "Create Network Policy"
+
+print_info "Adding labels to namespaces..."
+kubectl label namespace frontend name=frontend
+kubectl label namespace backend name=backend
+kubectl label namespace external name=external
+print_success "Labels added"
+
+print_info "Creating Network Policy deny-all-except-frontend..."
+kubectl create -f - <<EOF
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-all-except-frontend
+  namespace: backend
+spec:
+  podSelector: {}  # applies to all pods in the backend namespace
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: frontend
+EOF
+print_success "Network Policy deny-all-except-frontend created"
+
+print_step "Second check: connectivity should work just for frontend"
+
+print_info "Checking connectivity AFTER NetworkPolicy (frontend)"
+kubectl -n frontend exec -it $FRONTENDPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
+
+print_info "Checking connectivity AFTER NetworkPolicy (external)"
+kubectl -n external exec -it $EXTERNALPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
+
+print_header "Test Complete"

Workshops/Kubernetes-Security/stage-2-use-default-network-policy-on-namespaces.sh → Workshops/Kubernetes-Security/scripts/stage-2-use-default-network-policy-on-namespaces.sh

@@ -1,16 +1,33 @@
 #!/bin/bash
 
-clean() {
-  kubectl delete --wait clusterpolicies add-namespace-name-label add-default-deny
-  kubectl delete --wait namespace backend frontend external
-}
+set -e
+
+source functions.source
+
+print_header "Stage 2: Default Network Policiy on Namespace - Test"
+
+print_info "This script will test a default Network Policy applied to a Namespace."
+
+FRONTENDPOD=frontend
+EXTERNALPOD=external
 
 if [ "$1" == "clean" ]; then
-  echo "Cleaning up things..."
-  clean
-  exit $?
+  print_step "Cleaning up things..."
+  kubectl delete --wait clusterpolicies add-namespace-name-label add-default-deny
+  kubectl delete --wait namespace backend frontend external
+  print_header "Cleanup complete."
+  exit 0
 fi
 
+print_step "Prerequisites"
+
+check_kyverno
+
+print_success "Prerequisites check passed"
+
+print_step "Preparation"
+
+print_info "Creating two Cluster Policies: add-namespace-name-label and add-default-deny..."
 kubectl create -f - <<EOF
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -53,28 +70,45 @@ spec:
           - Ingress
           - Egress
 EOF
+print_success "Cluster Policies created."
 
+print_info "Creating namespaces..."
 kubectl create namespace backend
 kubectl create namespace frontend
 kubectl create namespace external
+print_success "Namespaces created."
 
+print_info "Creating backend deployment..."
 kubectl --namespace backend create deployment backend  --image nginx:latest
 kubectl wait --namespace backend --for=condition=ready pod --selector=app=backend --timeout=90s
+BACKENDIP=$(kubectl -n backend get pod -l app=backend -o jsonpath="{.items[0].status.podIP}")
+print_success "Deployment backend created."
 
+print_info "Running frontend Pod on frontend namespace..."
 kubectl -n frontend run frontend --image=curlimages/curl:latest --restart=Never -- /bin/sh -c "while true; do sleep 3600; done"
+kubectl wait --namespace frontend --for=condition=ready pod --selector=run=$FRONTENDPOD --timeout=90s
+print_success "Pod frontend on frontend namespace created."
+
+print_info "Running external Pod on external namespace..."
 kubectl -n external run external --image=curlimages/curl:latest --restart=Never -- /bin/sh -c "while true; do sleep 3600; done"
+kubectl wait --namespace external --for=condition=ready pod --selector=run=$EXTERNALPOD --timeout=90s
+print_success "Pod external on external namespace created."
 
-BACKENDIP=$(kubectl -n backend get pod -l app=backend -o jsonpath="{.items[0].status.podIP}")
-FRONTENDPOD=$(kubectl -n frontend get pod -l run=frontend -o jsonpath='{.items[0].metadata.name}')
-EXTERNALPOD=$(kubectl -n external get pod -l run=external -o jsonpath='{.items[0].metadata.name}')
+print_step "First check: connectivity should NOT work for both frontend and external (because of the Cluster Policy)"
 
-sleep 3
+print_info "Checking connectivity BEFORE NetworkPolicy (frontend)..."
+kubectl -n frontend exec -it $FRONTENDPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
 
-echo -n "Before NetworkPolicy (frontend): "
-kubectl -n frontend exec -it $FRONTENDPOD -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 && echo REACHABLE || echo UNREACHABLE
-echo -n "Before NetworkPolicy (external): "
-kubectl -n external exec -it $EXTERNALPOD -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 && echo REACHABLE || echo UNREACHABLE
+print_info "Checking connectivity BEFORE NetworkPolicy (external)..."
+kubectl -n external exec -it $EXTERNALPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
 
+print_step "Create Network Policy"
+
+print_info "Creating Network Policy allow-ingress-egress-from-backend..."
 kubectl create -f - <<EOF
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -105,7 +139,9 @@ spec:
   - Ingress
   - Egress
 EOF
+print_success "Network Policy allow-ingress-egress-from-backend created"
 
+print_info "Creating Network Policy allow-ingress-from-frontend-and-egress-to-any..."
 kubectl create -f - <<EOF
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -134,8 +170,18 @@ spec:
   - Ingress
   - Egress
 EOF
+print_success "Network Policy allow-ingress-from-frontend-and-egress-to-any created"
+
+print_step "Second check: connectivity should work just for frontend (because of the Network Policy)"
+
+print_info "Checking connectivity AFTER NetworkPolicy (frontend)"
+kubectl -n frontend exec -it $FRONTENDPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
+
+print_info "Checking connectivity AFTER NetworkPolicy (external)"
+kubectl -n external exec -it $EXTERNALPOD \
+  -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 \
+  && print_success REACHABLE || print_error UNREACHABLE
 
-echo -n "After NetworkPolicy (frontend): "
-kubectl -n frontend exec -it $FRONTENDPOD -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 && echo REACHABLE || echo UNREACHABLE
-echo -n "After NetworkPolicy (external): "
-kubectl -n external exec -it $EXTERNALPOD -- curl -s --connect-timeout 5 $BACKENDIP > /dev/null 2>&1 && echo REACHABLE || echo UNREACHABLE
+print_header "Test Complete"