Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Kubernetes Security Demos

Demos for several kubernetes security features


Initially, these demos were developed during the preparation for some talks on Kubernetes appOps Security and our K8s application security training.

See also our series of blog posts on the topic.

Tested to run on Google Kubernetes Engine (GKE) with a local Linux machine.
Should also work on Mac.
Should run on all clusters that support NetworkPolicies and PodSecurityPolicies.

  1. Role Based Access Controll (RBAC) - RBAC has now been default for years. A showcase for the downsides of ABAC seems obsolete. If you're interested check git history.
  2. Network Policies
  3. Security Context
  4. Pod Security Policies

Running the demos

Each demo is contained in its own sub folder, where each contains a

  • that deploys the applications required for the demos and
  • that contains the steps of the demo

Note that the scripts also create entries to your /etc/hosts.

All Demos run inside the same cluster. Before running make sure to have your kubeconfig set to a non-productive cluster. If you want, you can set one up on your GKE account using the script inside this repo. See Setting up the clusters.


If not otherwise stated, the login credentials for the webapps are

  • User: admin
  • Password: 12345

It's a demo after all! 😉

Demo recordings

Security Context


Recorded live at heiseDevSec 2020.

Blog Posts

The examples evolved further while working on an article series called "Kubernetes AppOps Security" published in German Magazin JavaSPEKTRUM. Both English translation and German original can be found on the Cloudogu Blog.

Setting up the clusters

This demos should run on most kubernetes clusters that have support for NetworkPolicies and PodSecurityPolicies.

This repo also features setting up a defined environment Google Kubernetes engine. You can set it up using
It uses terraform to roll out the clusters. If you prefer a bash-only variant, check git history.

In order to use the script

  • set your GKE ZONE and PROJECT in
    (alternatively, you can set these properties via env vars).
    Note that you can also set CLUSTER_VERSION (like 1.11) and MACHINE_TYPE (like n1-standard-2). From time to time GKE drops support for older cluster versions, so you might need to set a newer one, if the one in is no longer supported at the time of execution.
  • set up a service account on GKE that allows terraform to do the setup

# Create SA
gcloud iam service-accounts create ${SA} --display-name ${SA} --project ${PROJECT}

# Authorize (maybe roles/container.admin is enough?) 
gcloud projects add-iam-policy-binding ${PROJECT} \
  --member serviceAccount:${SA}@${PROJECT} --role=roles/editor

# Export credentials
gcloud iam service-accounts keys create \
  --iam-account ${SA}@${PROJECT} terraform/account.json
  • Have terraform installed (should work with 0.12 and 0.13)
  • Call ./create
  • Terraform will ask for confirmation before executing.
    If you don't want that, call ./ -auto-approve

Deleting clusters

You can delete the cluster and entries to /etc/hosts once you're done using the ./ script.


For just a quick create, demo, delete action the cost should be < 10$. The total infra cost for initially creating these demos was about 10$.