Document Purpose

This document guides you through preparing a single-node Kubernetes lab on Proxmox to deploy and harden the VulnBank application. It covers namespace architecture, a lightweight API gateway selection (Kong vs Traefik), ingress design, and a phased execution plan with concrete manifests and commands.

Audience: AppSec Engineer in the financial sector.

1.0 What We Are Building

The core idea of this lab is not to fix the vulnerable code in VulnBank. it is to wrap it in the same kind of layered infrastructure controls that financial institutions apply around legacy and third-party applications they cannot fully patch. This is a realistic simulation of how AppSec operates in practice in the financial sector.

| *Core Philosophy

****"Code will always be vulnerable. The infra controls around it are what protect the bank."

1.1 Lab Goals

• Deploy VulnBank on K8s: containerized Flask + PostgreSQL on your single-node cluster
• API Gateway (Kong DB-less): lightweight, purpose-built for API control, replaces raw Traefik for API security layer
• Network segmentation: Kubernetes NetworkPolicies isolating app, db, and gateway tiers
• Route-level controls: restrict /internal/*, /api/admin/*, /api/docs from public reach
• Rate limiting: compensate for the brute-force PIN reset and no-rate-limit vulns at the gateway
• TLS termination: cert-manager with self-signed CA, as banks do internally
• Runtime security (Phase 2): Falco, Kyverno, Vault, post lab-prep phase

1.2 Hardware Used