Skip to content

alexivkin/kubepwn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

A collection of resources about Kubernetes security

Check out the folders here:

For container related resources check my other repo

Tools

Red

  • auger - Directly access data objects stored in etcd by Kubernetes
  • botb - Exploit common container vulnerabilities
  • kubeletmein - stealing metadata for GKE and DOKS abuse
  • dopwn - DigitalOcean Managed Kubernetes Pwner
  • go-pillage-registries - Docker registry scrapper
  • peirates - Kubernetes pentesting tool
  • amicontained - Check containment setup
  • conmachi - Another containment check tool

Purple

  • clusterdump - full cluster export into jsons using both native and specialized exports
  • Managed Kubernetes Inspection Tool and its AKS profile
  • Kubiscan - Cyberark's scanner for misconfigurations
  • kubeletctl - an unofficial ctl tool for kubelet APIs
  • Kubectl images - Kubectl plugin to list images for all pods and containers
  • Kube-bench - Checking configuration weaknesses and bad defaults, check cluster against CIS-Benchmarks
  • Kubesec - Kubernets manifests and helm charts security risk analysis
  • kube-scan - Kubernetes risk assessment for workloads
  • Popeye - Cluster scanner for potential issues with deployed resources and configurations.
  • Rakess - kubectl plugin to show an access matrix for server resources
  • audit2rbac - Convert audit log to RBAC configs
  • Krane - RBAC static analysis tool
  • kubeaudit - Various security config checks
  • ktunnel - reverse tunnel for K8s services to contact your host
  • Kubetap - Sniffing and MitM kubernetes traffic
  • dostainer - Resource exhaustion automation
  • kubei - Vuln scanning tool and risk assessment for clusters
  • GKE Auditor - Check commong Google Kubernetes Engine misconfigurations

Blue

Policy management

  • k-rail - a workload policy enforcement tool for Kubernetes. Aims to bring more workload oriented security
  • Kyverno - Policy Management tool
  • Open Policy Agent (OPA) - general-purpose policy engine that can be used as a Kubernetes admission controller.

Vuln detection and management

  • Polaris - validates configurations for best practices.
  • Starboard - OSS aquasec tool to run multiple tools in the cluster for audit
  • Checkov - static code analysis for IaC deployment tools, now supports kubernetes
  • syft - CLI tool and go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

Image scanners and signers

  • Clair
  • Trivy
  • Anchore and grype - yet another vulnerability scanners for container images and filesystems
  • Vuls.io - OVAL based scanner
  • Harbor - Image repo engine that signs and scans contents
  • Grafeas
  • OpenSCAP - Not really image specific but includes container support

Versioning

  • version-checker - Checking current version of images against the latest available

Monitoring

Secret vaulting

Tracing/development

IAM

Trainings, Workshops and Tutorials

Good reads

Introductory articles

K8s Security concepts

Threat modeling

Attacks

Cloud provided K8s

Helpful red-team one-liners

  • Istio API - curl -sL https://github.com/istio/istio/releases/download/1.4.0-beta.0/istioctl-1.4.0-beta.0-linux.tar.gz | tar xzf -
  • Kubernetes API - curl -sLO https://storage.googleapis.com/kubernetes-release/release/v1.16.0/bin/linux/amd64/kubectl; chmod u+x kubectl
  • Etcd API- curl -sL https://github.com/etcd-io/etcd/releases/download/v3.4.3/etcd-v3.4.3-linux-amd64.tar.gz | tar zxf - */etcctl --strip-components=1
  • Kubelet API - curl -L https://github.com/cyberark/kubeletctl/releases/download/v1.5/kubeletctl_linux_amd64 -o kubeletctl && chmod u+x ./kubeletctl
  • Registry browser - curl -sL https://github.com/genuinetools/reg/releases/download/v0.16.0/reg-linux-amd64 -o reg; chmod u+x reg
  • Better alternative to the docker CLI - curl -sL https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.16.1/crictl-v1.16.1-linux-amd64.tar.gz | tar zxf -
  • GCP and DO privesc with metadata curl -sL https://github.com/4ARMED/kubeletmein/releases/download/v0.6.5/kubeletmein_0.6.5_linux_amd64 -o kubeletmein; chmod u+x kubeletmein
  • BoTB - curl -sfSL "https://github.com/brompwnie/botb/releases/download/1.7.0/botb-linux-amd64" -o botb && chmod +x botb
  • Peirates - curl -sL https://github.com/inguardians/peirates/releases/download/v1.0.25/peirates-linux-amd64.tar.xz | tar Jxf - */peirates --strip-components=1