diff --git a/README.MD b/README.MD
index 6c27ba0d..c9d4ff4c 100644
--- a/README.MD
+++ b/README.MD
@@ -79,7 +79,7 @@ Every command should be run from the project's root directory.
CKA
### cka task
-- ``TASK=01 make run_cka_task`` - create cka [hands-on labs](tasks%2Fcka%2Flabs) [number 01](tasks%2Fcka%2Flabs%2F01)
+- ``TASK=01 make run_cka_task`` - create cka [hands-on labs](docs%2Flabs.MD#cka-labs) number 01
- ``TASK=01 make delete_cka_task`` - delete cka hands-on labs
- ``TASK=01 make run_cka_task_clean`` - run cka_task with clean terragrunt cache for cka_task
- ``make output_cka_task `` - show **outputs** from **cka_task**
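Review bot: after this patch `TASK=01 make run_cka_task` in this hunk names a lab that no longer exists; the same patch deletes tasks/cka/labs/01, and the new docs/labs.MD CKA table lists only lab 02. Use `TASK=02` in the cka examples here (and in the CKA section of docs/labs.MD) so the documented command resolves to a real lab. The old link also went to the specific lab directory; the new anchor link to the table is fine, but the table should then link each task number to its directory as the removed tasks/cks/labs/README.MD table did.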
@@ -106,7 +106,7 @@ Every command should be run from the project's root directory.
CKS
### cks task
-- ``TASK=10 make run_cks_task`` - create cks [hands-on labs](tasks%2Fcks%2Flabs) [number 10](tasks%2Fcks%2Flabs%2F10)
+- ``TASK=10 make run_cks_task`` - create cks [hands-on labs](docs%2Flabs.MD#cks-labs) number 10
- ``TASK=10 make delete_cks_task`` - delete cks hands-on labs
- ``TASK=10 make run_cks_task_clean`` - run cks_task with clean terragrunt cache for cks_task
- ``make output_cks_task `` - show **outputs** from **cks_task**
@@ -149,7 +149,7 @@ Every command should be run from the project's root directory.
CKA hands-on lab
-- choose [a hands-on lab](tasks%2Fcka%2Flabs) number
+- choose [a hands-on lab](docs%2Flabs.MD#cka-labs) number
- create cka lab cluster ``TASK={lab_number} make run_cka_task``
- find {master_external_ip} in terraform output
- log in to master node via ssh ``ssh ubuntu@{master_external_ip} -i {key}``
@@ -183,7 +183,7 @@ Every command should be run from the project's root directory.
CKS hands-on lab
-- choose [CKS lab](tasks%2Fcks%2Flabs%2FREADME.MD) number
+- choose [CKS lab](docs%2Flabs.MD#cks-labs) number
- change **ami_id** in ``{lab_number}/scripts/terragrunt.hcl`` if you changed **region**
- create cka lab cluster ``TASK={lab_number} make run_cks_task``
- find {master_external_ip} in terraform output
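Review bot: the unchanged line `- create cka lab cluster ``TASK={lab_number} make run_cks_task``` directly under the edited link sits in the CKS hands-on section and should read `create cks lab cluster`; since this hunk already touches the paragraph, fix the copy-paste here.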
@@ -261,7 +261,7 @@ Every command should be run from the project's root directory.
EKS hands-on lab
-- choose [labs](tasks%2Feks%2Flabs) number
+- choose [labs](docs%2Flabs.MD#eks-labs) number
- create hands-on lab `` TASK={lab_number} make run_eks_task ``
- find ``worker_pc_ip`` in ``terraform output``
- log in to worker_pc node via ssh ``ssh ubuntu@{worker_pc_ip} -i {key}``
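Review bot: the new target `docs/labs.MD#eks-labs` resolves to a section whose table holds a single placeholder row labelled `test` that links to the CKA lab 02 README, so a reader who "chooses a labs number" from it is sent to the wrong track. Either populate the EKS table in docs/labs.MD in this patch or keep the link to tasks/eks/labs until it is populated.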
diff --git a/docs/labs.MD b/docs/labs.MD
new file mode 100644
index 00000000..46460473
--- /dev/null
+++ b/docs/labs.MD
@@ -0,0 +1,70 @@
+## CKS labs
+- ``TASK=01 make run_cks_task`` - create cks lab number 01
+- ``TASK=01 make delete_cks_task`` - delete cks hands-on labs
+- ``TASK=01 make run_cks_task_clean`` - run cks_task with clean terragrunt cache for cks_task
+- ``make output_cks_task `` - show **outputs** from **cks_task**
+
+
+
+| Task | Description | Solution |
+|--------|------------------------------------------------------|------------------------------|
+| **01** | [kubectl contexts](..%2Ftasks%2Fcks%2Flabs%2F01%2FREADME.MD)| [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F01%2FSOLUTION.MD) |
+| **02** | [Falco, sysdig](..%2Ftasks%2Fcks%2Flabs%2F02%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F02%2FSOLUTION.MD) |
+| **03** | [Kube-api. disable access via nodePort](..%2Ftasks%2Fcks%2Flabs%2F03%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F03%2FSOLUTION.MD) |
+| **04** | [Pod Security Standard](..%2Ftasks%2Fcks%2Flabs%2F04%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F04%2FSOLUTION.MD) |
+| **05** | [CIS Benchmark](..%2Ftasks%2Fcks%2Flabs%2F05%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F05%2FSOLUTION.MD) |
+| **07** | [Open Policy Agent - Blacklist Images](..%2Ftasks%2Fcks%2Flabs%2F07%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F07%2FSOLUTION.MD) |
+| **09** | [AppArmor](..%2Ftasks%2Fcks%2Flabs%2F09%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F09%2FSOLUTION.MD) |
+| **10** | [Container Runtime Sandbox gVisor](..%2Ftasks%2Fcks%2Flabs%2F10%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F10%2FSOLUTION.MD) |
+| **11** | [Read the complete Secret content directly from ETCD](..%2Ftasks%2Fcks%2Flabs%2F11%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F11%2FSOLUTION.MD) |
+| **17** | [Enable audit log](..%2Ftasks%2Fcks%2Flabs%2F17%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F17%2FSOLUTION.MD) |
+| **19** | [Fix Dockerfile](..%2Ftasks%2Fcks%2Flabs%2F19%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F19%2FSOLUTION.MD) |
+| **20** | [Update Kubernetes cluster](..%2Ftasks%2Fcks%2Flabs%2F20%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F20%2FSOLUTION.MD) |
+| **21** | [Image Vulnerability Scanning](..%2Ftasks%2Fcks%2Flabs%2F21%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F21%2FSOLUTION.MD) |
+| **22** | [Network policy](..%2Ftasks%2Fcks%2Flabs%2F22%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F22%2FSOLUTION.MD) |
+| **23** | [Set tls version and allowed ciphers for etcd, kube-api](..%2Ftasks%2Fcks%2Flabs%2F23%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F23%2FSOLUTION.MD) |
+| **24** | [Encrypt secrets in ETCD](..%2Ftasks%2Fcks%2Flabs%2F24%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F24%2FSOLUTION.MD) |
+| **25** | [Image policy webhook](..%2Ftasks%2Fcks%2Flabs%2F25%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcks%2Flabs%2F25%2FSOLUTION.MD) |
+
+
+
+## CKA labs
+
+- ``TASK=01 make run_cka_task`` - create cka lab number 01
+- ``TASK=01 make delete_cka_task`` - delete cka hands-on labs
+- ``TASK=01 make run_cka_task_clean`` - run cka_task with clean terragrunt cache for cka_task
+- ``make output_cka_task `` - show **outputs** from **cka_task**
+
+
+| Task | Description | Solution |
+|--------|----------------------------------------------------|------------------------------|
+| **02** | [Horizontal Pod Autoscaling .CPU ](..%2Ftasks%2Fcka%2Flabs%2F02%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcka%2Flabs%2F02%2Fworker%2Ffiles%2Fsolutions%2F1.MD) |
+
+
+
+## CKAD labs
+
+- ``TASK=01 make run_ckad_task`` - create ckad lab number 01
+- ``TASK=01 make delete_ckad_task`` - delete ckad hands-on labs
+- ``TASK=01 make run_ckad_task_clean`` - run cka_task with clean terragrunt cache for ckad_task
+- ``make output_ckad_task `` - show **outputs** from **ckad_task**
+
+
+| Task | Description | Solution |
+|--------|---------------------------------------------------|------------------------------|
+| **01** | [test ](..%2Ftasks%2Fcka%2Flabs%2F02%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcka%2Flabs%2F02%2Fworker%2Ffiles%2Fsolutions%2F1.MD) |
+
+
+
+
+## EKS labs
+
+- ``TASK=01 make run_eks_task`` - create ckad lab number 01
+- ``TASK=01 make delete_eks_task`` - delete ckad hands-on labs
+- ``TASK=01 make run_eks_task_clean`` - run cka_task with clean terragrunt cache for ckad_task
+- ``make output_eks_task `` - show **outputs** from **ckad_task**
+
+
+| Task | Description | Solution |
+|--------|---------------------------------------------------|------------------------------|
+| **01** | [test ](..%2Ftasks%2Fcka%2Flabs%2F02%2FREADME.MD) | [SOLUTION](..%2Ftasks%2Fcka%2Flabs%2F02%2Fworker%2Ffiles%2Fsolutions%2F1.MD) |
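Review bot: the EKS command list carries copy-paste leftovers (`TASK=01 make run_eks_task` - create ckad lab number 01, `delete ckad hands-on labs`, `run cka_task with clean terragrunt cache for ckad_task`, `outputs from ckad_task`), and the CKAD clean-cache line says `run cka_task ... for ckad_task`; each line should name its own target (eks_task / ckad_task). The CKAD and EKS tables also contain placeholder rows labelled `test` that point at `..%2Ftasks%2Fcka%2Flabs%2F02`; either fill them or drop the rows until such labs exist, because the README hunks in this patch now send readers here. Minor: the CKA section advertises `TASK=01` while its table lists only lab 02, and the solution link for that lab goes to `worker/files/solutions/1.MD` rather than a `SOLUTION.MD` like every CKS entry, which is worth making consistent.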
diff --git a/tasks/cka/labs/01/README.MD b/tasks/cka/labs/01/README.MD
deleted file mode 100644
index 7f9b43d3..00000000
--- a/tasks/cka/labs/01/README.MD
+++ /dev/null
@@ -1,7 +0,0 @@
-Task weight: 3%
-
-You received a list from the DevSecOps team which performed a security investigation of the k8s cluster1 ( workload-prod ). The list states the
-following about the apiserver setup:
-Accessible through a NodePort Service
-Change the apiserver setup so that:
-Only accessible through a ClusterIP Service
diff --git a/tasks/cka/labs/01/SOLUTION.MD b/tasks/cka/labs/01/SOLUTION.MD
deleted file mode 100644
index ba8af6bf..00000000
--- a/tasks/cka/labs/01/SOLUTION.MD
+++ /dev/null
@@ -1,13 +0,0 @@
-In order to modify the parameters for the apiserver, we first ssh into the master node and check which parameters the apiserver process is
-running with:
-
-````
-# ssh to master node
-ps aux | grep kube-apiserver
-# find path to static posds manifest
-
-#edit api pod manifest
-# delete --kubernetes-service-node-port=31000
-# delete service
-kubectl delete svc kubernetes
-````
diff --git a/tasks/cka/labs/01/scripts/kube-apiserver.yaml b/tasks/cka/labs/01/scripts/kube-apiserver.yaml
deleted file mode 100644
index 17ecb9c1..00000000
--- a/tasks/cka/labs/01/scripts/kube-apiserver.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.2.21.70:6443
- creationTimestamp: null
- labels:
- component: kube-apiserver
- tier: control-plane
- name: kube-apiserver
- namespace: kube-system
-spec:
- containers:
- - command:
- - kube-apiserver
- - --advertise-address=10.2.21.70
- - --allow-privileged=true
- - --authorization-mode=Node,RBAC
- - --client-ca-file=/etc/kubernetes/pki/ca.crt
- - --enable-admission-plugins=NodeRestriction
- - --enable-bootstrap-token-auth=true
- - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- - --etcd-servers=https://127.0.0.1:2379
- - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- - --requestheader-allowed-names=front-proxy-client
- - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- - --requestheader-extra-headers-prefix=X-Remote-Extra-
- - --requestheader-group-headers=X-Remote-Group
- - --requestheader-username-headers=X-Remote-User
- - --secure-port=6443
- - --kubernetes-service-node-port=31000
- - --service-account-issuer=https://kubernetes.default.svc.cluster.local
- - --service-account-key-file=/etc/kubernetes/pki/sa.pub
- - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
- - --service-cluster-ip-range=10.96.0.0/12
- - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
- image: registry.k8s.io/kube-apiserver:v1.26.0
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 8
- httpGet:
- host: 10.2.21.70
- path: /livez
- port: 6443
- scheme: HTTPS
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 15
- name: kube-apiserver
- readinessProbe:
- failureThreshold: 3
- httpGet:
- host: 10.2.21.70
- path: /readyz
- port: 6443
- scheme: HTTPS
- periodSeconds: 1
- timeoutSeconds: 15
- resources:
- requests:
- cpu: 250m
- startupProbe:
- failureThreshold: 24
- httpGet:
- host: 10.2.21.70
- path: /livez
- port: 6443
- scheme: HTTPS
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 15
- volumeMounts:
- - mountPath: /etc/ssl/certs
- name: ca-certs
- readOnly: true
- - mountPath: /etc/ca-certificates
- name: etc-ca-certificates
- readOnly: true
- - mountPath: /etc/kubernetes/pki
- name: k8s-certs
- readOnly: true
- - mountPath: /usr/local/share/ca-certificates
- name: usr-local-share-ca-certificates
- readOnly: true
- - mountPath: /usr/share/ca-certificates
- name: usr-share-ca-certificates
- readOnly: true
- hostNetwork: true
- priorityClassName: system-node-critical
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- volumes:
- - hostPath:
- path: /etc/ssl/certs
- type: DirectoryOrCreate
- name: ca-certs
- - hostPath:
- path: /etc/ca-certificates
- type: DirectoryOrCreate
- name: etc-ca-certificates
- - hostPath:
- path: /etc/kubernetes/pki
- type: DirectoryOrCreate
- name: k8s-certs
- - hostPath:
- path: /usr/local/share/ca-certificates
- type: DirectoryOrCreate
- name: usr-local-share-ca-certificates
- - hostPath:
- path: /usr/share/ca-certificates
- type: DirectoryOrCreate
- name: usr-share-ca-certificates
diff --git a/tasks/cka/labs/01/scripts/master.sh b/tasks/cka/labs/01/scripts/master.sh
deleted file mode 100644
index 4e3de479..00000000
--- a/tasks/cka/labs/01/scripts/master.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-echo " *** master node "
-curl "https://raw.githubusercontent.com/ViktorUJ/cks/master/tasks/cks/03/scripts/kube-apiserver.yaml" -o "kube-apiserver.yaml"
-cp kube-apiserver.yaml /etc/kubernetes/manifests/
-echo "*** change kube api config "
-sleep 30
-kubectl get node --kubeconfig=/root/.kube/config
-while test $? -gt 0
- do
- sleep 5
- echo "Trying again..."
- kubectl get node --kubeconfig=/root/.kube/config
- done
-date
-echo "*** delete svc kubernetes "
-kubectl delete svc kubernetes --kubeconfig=/root/.kube/config
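Review bot: the deleted script fetched `kube-apiserver.yaml` from the `master` branch under `tasks/cks/03/scripts/` and copied it straight into /etc/kubernetes/manifests/, so CKA lab 01 was effectively a duplicate of CKS lab 03 and removing it is reasonable. If the remaining lab scripts use the same curl-and-copy pattern, consider pinning the raw URL to a commit (or checking a hash) instead of a moving branch, since whatever that URL serves is run as the control-plane apiserver static pod.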
diff --git a/tasks/cka/labs/01/scripts/terragrunt.hcl b/tasks/cka/labs/01/scripts/terragrunt.hcl
deleted file mode 100644
index 594d1938..00000000
--- a/tasks/cka/labs/01/scripts/terragrunt.hcl
+++ /dev/null
@@ -1,100 +0,0 @@
-include {
- path = find_in_parent_folders()
-}
-
-locals {
- vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-}
-
-terraform {
- #source = "git::git@github.com:ViktorUJ/cks.git//terraform/modules/k8s_self_managment/?ref=task_01"
- source = "../../..//modules/k8s_self_managment/"
-
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-
-}
-
-dependency "vpc" {
- config_path = "../vpc"
-}
-
-inputs = {
- region = local.vars.locals.region
- aws = local.vars.locals.aws
- prefix = local.vars.locals.prefix
- tags_common = local.vars.locals.tags
- app_name = "k8s"
- subnets_az = dependency.vpc.outputs.subnets_az_cmdb
- vpc_id = dependency.vpc.outputs.vpc_id
- cluster_name = "k8s1"
- node_type = "spot" #"ondemand" "spot"
- k8s_master = {
- k8_version = "1.26.0"
- runtime = "cri-o" # docker , cri-o , containerd ( need test it )
- runtime_script = "template/runtime.sh"
- instance_type = "t3.medium"
- key_name = "cks"
- ami_id = "ami-06410fb0e71718398"
- # ubuntu : 20.04 LTS ami-06410fb0e71718398 22.04 LTS ami-00c70b245f5354c0a
- subnet_number = "0"
- user_data_template = "template/master.sh"
- pod_network_cidr = "10.0.0.0/16"
- cidrs = ["0.0.0.0/0"]
- eip = "true"
- utils_enable = "false"
- task_script_url = "https://raw.githubusercontent.com/ViktorUJ/cks/fix_links/tasks/cka/01/scripts/master.sh"
- calico_url = "https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/calico.yaml"
- ssh = {
- private_key = ""
- pub_key = ""
- }
- root_volume = {
- type = "gp3"
- size = "12"
- }
- }
- k8s_worker = {
- # we can configure each node independently
- # "node_1" = {
- # k8_version = "1.25.0"
- # instance_type = "t3.medium"
- # key_name = "cks"
- # ami_id = "ami-00c70b245f5354c0a"
- # subnet_number = "0"
- # user_data_template = "template/worker.sh"
- # runtime = "cri-o"
- # runtime_script = "template/runtime.sh"
- # task_script_url = "https://raw.githubusercontent.com/ViktorUJ/cks/task_01/tasks/cks/03/scripts/worker.sh"
- # node_labels = "work_type=falco,aws_scheduler=true"
- # cidrs = ["0.0.0.0/0"]
- # root_volume = {
- # type = "gp3"
- # size = "20"
- # }
- # }
-
- # "node_2" = {
- # k8_version = "1.26.0"
- # instance_type = "t3.medium"
- # key_name = "cks"
- # ami_id = "ami-00c70b245f5354c0a"
- # subnet_number = "0"
- # user_data_template = "template/worker.sh"
- # runtime = "cri-o"
- # runtime_script = "template/runtime.sh"
- # task_script_url = ""
- # node_labels = "work_type=infra_core,aws_scheduler=true"
- #
- # cidrs = ["0.0.0.0/0"]
- # root_volume = {
- # type = "gp3"
- # size = "20"
- # }
- # }
- #
-
- }
-}
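Review bot: the removed config's `task_script_url` pointed at the `fix_links` branch with path `tasks/cka/01/scripts/master.sh`, which does not match the lab's actual location `tasks/cka/labs/01/scripts/master.sh`; worth grepping the remaining `terragrunt.hcl` files for `fix_links` and for `tasks/<exam>/<nn>/` paths so no other lab provisions from a branch or a path that no longer exists. While there: this file opened the master with `cidrs = ["0.0.0.0/0"]` and `eip = "true"`; if other labs copy the same block, narrowing `cidrs` to the operator's address would be a safer default for an internet-facing apiserver and SSH port.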
diff --git a/tasks/cka/labs/01/scripts/worker.sh b/tasks/cka/labs/01/scripts/worker.sh
deleted file mode 100644
index 68f72246..00000000
--- a/tasks/cka/labs/01/scripts/worker.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-echo " *** worker node "
diff --git a/tasks/cka/labs/README.MD b/tasks/cka/labs/README.MD
new file mode 100644
index 00000000..ef31c23c
--- /dev/null
+++ b/tasks/cka/labs/README.MD
@@ -0,0 +1,3 @@
+## [CKA labs list ](..%2F..%2F..%2Fdocs%2Flabs.MD#cka-labs)
+
+
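Review bot: the link text `CKA labs list ` has a trailing space and the file ends with two empty lines; the target is also written with percent-encoded slashes (`..%2F..%2F..%2Fdocs%2Flabs.MD`), which GitHub renders but the plain `../../../docs/labs.MD#cka-labs` is more portable across renderers. The relative depth is correct (tasks/cka/labs up to the repository root).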
diff --git a/tasks/cks/labs/README.MD b/tasks/cks/labs/README.MD
index 0856afeb..df2c2c2d 100644
--- a/tasks/cks/labs/README.MD
+++ b/tasks/cks/labs/README.MD
@@ -1,20 +1,3 @@
-## CKS labs
-| Task | Description | Solution |
-|----------|--------------------------------------------------------------------------|------------------------------|
-| [01](01) | [kubectl contexts](01%2FREADME.MD) | [SOLUTION](01%2FSOLUTION.MD) |
-| [02](02) | [Falco, sysdig](02%2FREADME.MD) | [SOLUTION](02%2FSOLUTION.MD) |
-| [03](03) | [Kube-api. disable access via nodePort](03%2FREADME.MD) | [SOLUTION](03%2FSOLUTION.MD) |
-| [04](04) | [Pod Security Standard](04%2FREADME.MD) | [SOLUTION](04%2FSOLUTION.MD) |
-| [05](05) | [CIS Benchmark](05%2FREADME.MD) | [SOLUTION](05%2FSOLUTION.MD) |
-| [07](07) | [Open Policy Agent - Blacklist Images](07%2FREADME.MD) | [SOLUTION](07%2FSOLUTION.MD) |
-| [09](09) | [AppArmor](09%2FREADME.MD) | [SOLUTION](09%2FSOLUTION.MD) |
-| [10](10) | [Container Runtime Sandbox gVisor](10%2FREADME.MD) | [SOLUTION](10%2FSOLUTION.MD) |
-| [11](11) | [Read the complete Secret content directly from ETCD](11%2FREADME.MD) | [SOLUTION](11%2FSOLUTION.MD) |
-| [17](17) | [Enable audit log](17%2FREADME.MD) | [SOLUTION](17%2FSOLUTION.MD) |
-| [19](19) | [Fix Dockerfile](19%2FREADME.MD) | [SOLUTION](19%2FSOLUTION.MD) |
-| [20](20) | [Update Kubernetes cluster](20%2FREADME.MD) | [SOLUTION](20%2FSOLUTION.MD) |
-| [21](21) | [Image Vulnerability Scanning](21%2FREADME.MD) | [SOLUTION](21%2FSOLUTION.MD) |
-| [22](22) | [Network policy](22%2FREADME.MD) | [SOLUTION](22%2FSOLUTION.MD) |
-| [23](23) | [Set tls version and allowed ciphers for etcd, kube-api](23%2FREADME.MD) | [SOLUTION](23%2FSOLUTION.MD) |
-| [24](24) | [Encrypt secrets in ETCD](24%2FREADME.MD) | [SOLUTION](24%2FSOLUTION.MD) |
-| [25](25) | [Image policy webhook](25%2FREADME.MD) | [SOLUTION](25%2FSOLUTION.MD) |
+## [CKS labs list ](..%2F..%2F..%2Fdocs%2Flabs.MD#cks-labs)
+
+
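Review bot: replacing the table with a pointer drops the per-task directory links (`[01](01)` and so on) that the old table had; the replacement table in docs/labs.MD links only README and SOLUTION for each task, so consider keeping a directory column there. Same nits as the new tasks/cka/labs/README.MD: trailing space in the link text `CKS labs list `, percent-encoded `..%2F..%2F..%2F` path where `../../../` would do, and two trailing empty lines.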