
     1  #!/usr/bin/env bash
     2  
     3  . $(dirname ${BASH_SOURCE})/../../contrib/shell/util.sh
     4  
     5  NETWORK="space"
     6  PWD=$(dirname ${BASH_SOURCE})
     7  
     8  function cleanup {
     9  	tmux kill-session -t my-session >/dev/null 2>&1
    10  	docker rm -f deathstar luke xwing_luke xwing fighter1 2> /dev/null || true
    11  	cilium policy delete --all 2> /dev/null
    12  }
    13  
    14  trap cleanup EXIT
    15  cleanup
    16  
    17  sleep 0.5
    18  desc_rate "A long time ago, in a container cluster far, far away...."
    19  desc_rate ""
    20  desc_rate "It is a period of civil war. The Empire has adopted"
    21  desc_rate "microservices and continuous delivery, despite this,"
    22  desc_rate "Rebel spaceships, striking from a hidden cluster, have"
    23  desc_rate "won their first victory against the evil Galactic Empire."
    24  desc_rate ""
    25  desc_rate "During the battle, Rebel spies managed to steal the"
    26  desc_rate "swagger API specification to the Empire's ultimate weapon,"
    27  desc_rate "the deathstar."
    28  run ""
    29  
    30  docker network rm $NETWORK > /dev/null 2>&1
    31  desc_rate "And so it begins..."
    32  run "docker network create --ipv6 --subnet ::1/112 --driver cilium --ipam-driver cilium $NETWORK"
    33  
    34  desc_rate "The empire begins constructing the death star by launching a container"
    35  run "docker run -dt --net=$NETWORK --name deathstar -l id.empire.deathstar cilium/starwars"
    36  
    37  desc_rate "In order for spaceships to land, the empire establishes"
    38  desc_rate "a network landing policy (L3/L4). It allows id.spaceship"
    39  desc_rate "to talk to id.deathstar."
    40  run "cat sw_policy_l4.json"
    41  run "cilium policy import sw_policy_l4.json"
    42  
    43  DEATHSTAR_IP4=$(docker inspect --format '{{ .NetworkSettings.Networks.space.IPAddress }}' deathstar)
    44  
    45  desc_rate "The empire wants to test landing permissions..."
    46  run "docker run -dt --net=$NETWORK --name fighter1 -l id.spaceship --add-host deathstar:$DEATHSTAR_IP4 tgraf/netperf"
    47  run "cilium endpoint list"
    48  
    49  desc "The spaceship issues a POST /v1/request-landing to the deathstar"
    50  run "docker exec -i fighter1 curl -si -XPOST http://deathstar/v1/request-landing"
    51  
    52  desc_rate "Spaceship has landed \o/. The empire celebrates."
    53  run ""
    54  desc_rate "In the meantime...."
    55  desc_rate ""
    56  desc_rate "The rebel alliance notices the construction of the death star"
    57  desc_rate "and sends a scout."
    58  run "docker run -dt --net=$NETWORK --name xwing -l id.spaceship --add-host deathstar:$DEATHSTAR_IP4 tgraf/netperf"
    59  desc_rate "It pings the the deathstar (L3 policy) ..."
    60  run "docker exec -i xwing ping -c 2 deathstar"
    61  desc_rate "... and then sends a GET /v1/ to the deathstar (L4 policy)"
    62  run "docker exec -i xwing curl -si -XGET http://deathstar/v1/"
    63  desc_rate "Wow..... the deathstar exposes the entire API..."
    64  desc_rate "Look at that thermal exhaust port, it seems vulnerable..."
    65  run ""
    66  desc_rate "In the meantime...."
    67  desc_rate "The SecOps team of the empire has detected the security"
    68  desc_rate "hole and deploys cilium HTTP policies:"
    69  run "cat sw_policy_http.json"
    70  run "cilium policy import sw_policy_http.real.json"
    71  
    72  desc_rate ""
    73  desc_rate "The rebels attack... they first ping ...."
    74  run "docker exec -i xwing ping -c 2 deathstar"
    75  desc_rate "... and will now attack the vulnerable API endpoint"
    76  desc_rate "by doing: curl -si -XPUT http://deathstar/v1/exhaust-port"
    77  run ""
    78  run "docker exec -i xwing curl -si -XPUT http://deathstar/v1/exhaust-port"
    79  
    80  desc_rate "Oh no! The shields are up. The rebel attack is ineffective".
    81  desc_rate ""
    82  desc_rate "End of demo."
    83  run ""
    84  
    85  desc_rate "The move of Empire SecOps was good but we can't end the"
    86  desc_rate "story like this."
    87  desc_rate ""
    88  desc_rate "Here is what you missed..."
    89  desc_rate ""
    90  desc_rate "The Jedi have foreseen this situation and manipulated the"
    91  
    92  desc_rate "L7 policy before it was installed."
    93  desc_rate ""
    94  desc_rate "Let's run diff on the policy that was actually loaded..."
    95  run "diff -Nru sw_policy_http.json sw_policy_http.real.json"
    96  
    97  desc_rate "The policy allows an HTTP request to pass through if the"
    98  desc_rate "HTTP header 'X-Has-Force: true' is set"
    99  run ""
   100  run "docker run -dt --net=$NETWORK --name xwing_luke -l id.spaceship --add-host deathstar:$DEATHSTAR_IP4 tgraf/netperf"
   101  run ""
   102  run "docker exec -i xwing_luke curl -si -H 'X-Has-Force: true' -XPUT http://deathstar/v1/exhaust-port/"
   103  
   104  desc_rate "Luke watches the deathstar explode..."
   105  run "docker exec -i xwing_luke ping deathstar"
   106  
   107  #tmux new -d -s my-session \
   108  #    "$PWD/starwars_top.sh" \; \
   109  #    split-window -v -d "$PWD/starwars_bottom.sh" \; \
   110  #    attach \;
   111  
   112  desc "Cleaning up demo environment"