Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The total number of misconfigurations and vulnerabilities in the Kubernetes-goat environment #65

Open
ijewelmas opened this issue Aug 6, 2022 · 4 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed

Comments

@ijewelmas
Copy link

Hello,

I was interested to understand the total number of intended misconfigurations and vulnerabilities in Kubernetes-goat environment. It will be great to have this information in order to understand which tool is able to capture most number of misconfigurations/vulnerabilities.

Thanks in advance !

@ijewelmas ijewelmas changed the title The total number of misconfigurations and vulnerabilities in the Kubegoat environment The total number of misconfigurations and vulnerabilities in the Kubernetes-goat environment Aug 6, 2022
@fadao23
Copy link

fadao23 commented Dec 22, 2022

+1.
I saw on "kubernetes-goat/guide/docs/security-reports/" that some reports have been updated, but without a baseline of vulnerabilities, we can't know if the tools are efficient or not.

@madhuakula
Copy link
Owner

Makes a lot of sense. Let me document in a draft and share with you all and see if anything I missed and we can improve over the time. Will work on this this week, @fadao23 @ijewelmas appreciate any suggestions, inputs about format.

@madhuakula madhuakula added documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed labels Mar 8, 2023
@madhuakula madhuakula moved this to 👉 To do in Kubernetes Goat Mar 8, 2023
@za
Copy link
Contributor

za commented Sep 1, 2023

Hi @madhuakula maybe I can try to help. So we need to put the risk level on each scenarios here?

  1. Sensitive keys in codebases
  2. DIND (docker-in-docker) exploitation
  3. SSRF in the Kubernetes (K8S) world
  4. Container escape to the host system
  5. Docker CIS benchmarks analysis
  6. Kubernetes CIS benchmarks analysis
  7. Attacking private registry
  8. NodePort exposed services
  9. Helm v2 tiller to PwN the cluster - [Deprecated]
  10. Analyzing crypto miner container
  11. Kubernetes namespaces bypass
  12. Gaining environment information
  13. DoS the Memory/CPU resources
  14. Hacker container preview
  15. Hidden in layers
  16. RBAC least privileges misconfiguration
  17. KubeAudit - Audit Kubernetes clusters
  18. Falco - Runtime security monitoring & detection
  19. Popeye - A Kubernetes cluster sanitizer
  20. Secure network boundaries using NSP
  21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
  22. Securing Kubernetes Clusters using Kyverno Policy Engine

or it's not like that? As each scenario might contain varied vulnerabilities & misconfigurations. CMIIW.

@madhuakula
Copy link
Owner

Appreciate it if you have some ideas on how we can do this, @za. Let's discuss this here before moving forward with implementation.

Basically, we need to capture the list of vulnerabilities, misconfigurations, etc., in each scenario and flag them in a testable way using tools like Checkov, KICS, Kubescape, etc. against our Kubernetes Goat project. This way, we can ensure that we can map them to the Kubernetes Goat framework list of vulnerabilities and what these tools are able to find/identify.

Finally, we can create a matrix something like https://github.com/tsale/EDR-Telemetry?tab=readme-ov-file#telemetry-comparison-table

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed
Projects
Status: 👉 To do
Development

No branches or pull requests

4 participants