Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a pod security manifest fuzzer #11

Merged
merged 1 commit into from
Oct 25, 2022
Merged

Add a pod security manifest fuzzer #11

merged 1 commit into from
Oct 25, 2022

Conversation

mtardy
Copy link
Collaborator

@mtardy mtardy commented Oct 13, 2022

POC for #10.

The idea would be to generate a random valid manifest in order to fuzz the admission control. Not in a traditional fuzzing sense, like finding crashes and bugs in the implementation of the admission, but finding loopholes in the admission rules.

It uses google/gofuzz and custom fuzzing functions to generate a random but somehow valid v1.SecurityContext that can be injected into a pod's manifest.

This POC should be extended to support more fields, like stated in the original idea issue:

This should include pods with privileged initContainer and ephemeralContainers, as well as windows node specific security context fields.

In order to test this POC, checkout to the fuzz branch, compile with make and generate random SecurityContext with ./kdigger gen -f. You can generate multiples with something like that for example:

for _ in {0..10}; do ./kdigger gen -f -o json | jq '.spec.containers[].securityContext'; done

You can check against the API server if they are valid with:

./kdigger gen -f | kubectl apply --dry-run=server -f -

And by the way, I need to do an update on the main branch to scan the admission control with --dry-run by default.

@mtardy mtardy added the enhancement New feature or request label Oct 13, 2022
@mtardy mtardy self-assigned this Oct 13, 2022
@mtardy mtardy linked an issue Oct 13, 2022 that may be closed by this pull request
Feature Request: kdigger gen --fuzz #10
Closed
@mtardy
Copy link
Collaborator Author

mtardy commented Oct 25, 2022

I added custom mutators on multiple fields and can now fuzz on pod, containers and initContainers securityContext fields.

EphemeralContainers cannot be specified at creation, unfortunately (which makes sense).

ephemeralContainers  <[]Object>
     List of ephemeral containers run in this pod. Ephemeral containers may be
     run in an existing pod to perform user-initiated actions such as debugging.
     This list cannot be specified when creating a pod, and it cannot be
     modified by updating the pod spec. In order to add an ephemeral container
     to an existing pod, use the pod's ephemeralcontainers subresource.

You can use the feature with:

while true; do ./kdigger gen --fuzz-pod --fuzz-init --fuzz-container | kubectl apply --dry-run=server -f -; done

It can be useful to just echo $? to see if creation was a success or not.

Or just look at an example with:

./kdigger gen --fuzz-pod --fuzz-init --fuzz-container

The custom mutators can still be improved to provide more sensible outputs but they should not generate invalid pods spec.

@mtardy
Add a fuzzing feature for various SecurityContexts in a pod's manifest
c4e0bec 
It uses google/gofuzz to generate a random but somehow valid
SecurityContext that can be injected in a pod's manifest. It can
generate a pod securityContext, a container securityContext and an
initContainer securityContext.
@mtardy mtardy merged commit 211c47d into main Oct 25, 2022
@mtardy mtardy deleted the fuzz branch October 25, 2022 16:27
@mtardy
Copy link
Collaborator Author

mtardy commented Dec 2, 2022

image

I should have asked a chatbot...

@guedou
Copy link

guedou commented Dec 2, 2022 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mtardy mtardy

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature Request: kdigger gen --fuzz
2 participants
@mtardy @guedou