A CTFd plugin to deploy per-user instances using Kubernetes. The plugin is based on frankli0324/ctfd-whale.
It is only developed and tested on AWS EKS so far, so it needs some other modifications to work on other Kubernetes clusters.
The setup is only tested on Learner Lab account from AWS Academy, which only have a
LabRoleto connect each others. To use it on regular AWS account you need to setup IAM roles manually.
- A EKS cluster
- A ECR repository
- A EC2 Server
Need to attach
LabRoleto the EC2 instance.
- Install Docker and Docker Compose
- Clone this repo to
~/deploy - Setup AWS credentials:
TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-da
ta/iam/security-credentials/LabRole | jq -r '"[default]\naws_access_key_id=\(.AccessKeyId)\naws_secret_access_key=\(.Sec
retAccessKey)\naws_session_token=\(.Token)\n"' > ~/.aws/credentials
mkdir -p ~/deploy/secrets
cat ~/.aws/credentials > ~/deploy/secrets/aws_credentials
aws eks list-clusters --region us-east-1 # Testing- Add a DNS A record on a custom domain pointing to EC2 (for HTTPS) and change the domain name in
~/deploy/user_conf.d/ctfd.conf - cd to
~/deploy/CTFdanddocker compose up -d - Navigate to the domain name and setup CTFd
If you don't have a custom domain, you can modify
~/deploy/CTFd/docker-compose.ymlto use the originalnginxinstead. Then you can access your CTFd viahttp://ec2-?????.compute-1.amazonaws.com..
eval `aws ecr get-login --region us-east-1 | sed 's/-e none//'`Take challenge-hello-world for example.
ECRHOST=?????.dkr.ecr.us-east-1.amazonaws.com # Change this
docker build . -t $ECRHOST/challenge-registry:challenge-hello-world
docker push $ECRHOST/challenge-registry:challenge-hello-world- Go to admin panel
- Create new challenge > select
dynamic_kubernetes - Fill other form fields.
- Copy the content of challenge-template.yaml; to Kubernetes Config Template field.
- Create
P.S. Do not fill static flag if you need to use dynamicly generated flag
Ensure that your node group is allowed to have more than 1 nodes, then
curl -O https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml
sed -i 's/<YOUR CLUSTER NAME>/YOUR_EKS_CLUSTER_NAME_HERE/' cluster-autoscaler-autodiscover.yaml
kubectl apply -f cluster-autoscaler-autodiscover.yamlTo test, you can try create a lot of challenge instances with control.py:
for i in $(seq 1 20); do python control.py ./challenge-hello-world/challenge-template.yaml $i apply; done