These Kubernetes templates are a work in progress and are not guaranteed to work out of the box. Please review and customize all configurations before deploying to your environment.
This directory contains Kubernetes manifests for deploying ATT&CK Workbench using Kustomize.
- Kubernetes cluster
kubectlconfigured to access your cluster- Kustomize (built into most versions of
kubectl) - Persistent storage class available in your cluster
The deployment consists of:
- Frontend: Angular SPA served by Nginx
- REST API: Express.js API server
- TAXII Server: Nest.js TAXII 2.1 compliant server (optional)
- Database: MongoDB StatefulSet with persistent storage
# Deploy to development environment
kubectl apply -k k8s/overlays/dev
# Check deployment status
kubectl get pods -n attack-workbench
# Access the application (if using LoadBalancer)
kubectl get svc -n attack-workbench dev-attack-workbench-frontend# Deploy to production environment
kubectl apply -k k8s/overlays/prod
# Check deployment status
kubectl get pods -n attack-workbench
# Access the application
kubectl get svc -n attack-workbench prod-attack-workbench-frontenddev and prod overlay templates are provided. They will probably not work out-of-the-box. Before deploying with kubectl, review the ConfigMaps and Kustomization overlays for accuracy.
-
Dev overlay (
overlays/dev/):- Debug logging enabled
- CORS enabled for development
- Single replica for all services
- Uses
latestimage tags
-
Prod overlay (
overlays/prod/):- Production logging levels
- Multiple replicas for high availability
- Higher resource limits
- Uses
stableimage tags (these tags don't exist; we recommend changing to a semver release) - HTTPS enabled for TAXII server
To customize the deployment for your environment:
- Storage: Update the StorageClass in
base/statefulset-mongodb.yaml - Images: Modify image tags in the respective overlay kustomization.yaml
- Resources: Adjust CPU/memory limits in deployment files
- Configuration: Update ConfigMaps for service-specific settings
# Frontend
kubectl port-forward -n attack-workbench svc/dev-attack-workbench-frontend 8080:80
# REST API
kubectl port-forward -n attack-workbench svc/dev-attack-workbench-rest-api 3000:3000
# TAXII Server
kubectl port-forward -n attack-workbench svc/dev-attack-workbench-taxii 5002:5002For production deployments, consider setting up an Ingress controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: attack-workbench-ingress
namespace: attack-workbench
spec:
rules:
- host: workbench.yourdomain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: prod-attack-workbench-frontend
port:
number: 80# Create backup job
kubectl create job --from=cronjob/mongodb-backup manual-backup -n attack-workbench# Update images
kubectl set image deployment/prod-frontend frontend=ghcr.io/center-for-threat-informed-defense/attack-workbench-frontend:v1.2.3 -n attack-workbench
# Or redeploy with updated manifests
kubectl apply -k k8s/overlays/prod# Scale REST API
kubectl scale deployment prod-rest-api --replicas=3 -n attack-workbench# Frontend logs
kubectl logs -l app=frontend -n attack-workbench
# REST API logs
kubectl logs -l app=rest-api -n attack-workbench
# Database logs
kubectl logs -l app=mongodb -n attack-workbench# Test internal service connectivity
kubectl run test-pod --image=busybox -i --tty --rm -n attack-workbench -- /bin/sh
# Inside the pod:
nslookup attack-workbench-database
wget -qO- http://attack-workbench-rest-api:3000/api/health/ping