Awesome
A collection of resources about Kubernetes security
Check out the folders here:
For container-related resources, check my other repo.
Tools
Red
- auger - Directly access data objects stored in etcd by Kubernetes
- botb - Exploit common container vulnerabilities
- kubeletmein - stealing metadata for GKE and DOKS abuse
- dopwn - DigitalOcean Managed Kubernetes Pwner
- go-pillage-registries - Docker registry scraper
- peirates - Kubernetes pentesting tool
- amicontained - Check containment setup
- conmachi - Another containment check tool
Purple
- clusterdump - full cluster export into jsons using both native and specialized exports
- Managed Kubernetes Inspection Tool and its AKS profile
- Kubiscan - Cyberark's scanner for misconfigurations
- kubeletctl - an unofficial ctl tool for kubelet APIs
- Kubectl images - Kubectl plugin to list images for all pods and containers
- Kube-bench - Checking configuration weaknesses and bad defaults, check cluster against CIS-Benchmarks
- Kubesec - Kubernetes manifests and Helm charts security risk analysis
- kube-scan - Kubernetes risk assessment for workloads
- Popeye - Cluster scanner for potential issues with deployed resources and configurations.
- Rakess - kubectl plugin to show an access matrix for server resources
- audit2rbac - Convert audit log to RBAC configs
- Krane - RBAC static analysis tool
- kubeaudit - Various security config checks
- ktunnel - reverse tunnel for K8s services to contact your host
- Kubetap - Sniffing and MitM-ing Kubernetes traffic
- dostainer - Resource exhaustion automation
- kubei - Vuln scanning tool and risk assessment for clusters
- GKE Auditor - Check common Google Kubernetes Engine misconfigurations
Blue
Policy management
- k-rail - a workload policy enforcement tool for Kubernetes. Aims to bring more workload-oriented security
- Kyverno - Policy Management tool
- Open Policy Agent (OPA) - general-purpose policy engine that can be used as a Kubernetes admission controller.
Vuln detection and management
- Polaris - validates configurations for best practices.
- Starboard - OSS aquasec tool to run multiple tools in the cluster for audit
- Checkov - static code analysis for IaC deployment tools, now supports Kubernetes
- syft - CLI tool and go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.
Image scanners and signers
- Clair
- Trivy
- Anchore and grype - two more vulnerability scanners for container images and filesystems
- Vuls.io - OVAL based scanner
- Harbor - Image repo engine that signs and scans contents
- Grafeas
- OpenSCAP - Not really image specific but includes container support
Versioning
- version-checker - Checking current version of images against the latest available
Monitoring
- Kubernetes Security Dashboard
- K8Guard - Monitor for misbehaving resources
- Falco - Real time behavioral activity monitor designed to detect anomalous activity
- Gatekeeper - OPA with audit and konstraint, its policy manager
- Kritis - Deploy-time scanner and signature checker for Grafeas, the 3rd-party artifact tracker. More about these here
- Inspektor Gadget - Runtime detection and configuration of network traffic, pods and policies
- Kube forensics
Secret vaulting
- Sealed secrets - Encrypting secrets so they can be safely stored in public repos
- Banzaicloud bank-vaults
- External Secrets - Shim for AWS Secrets Manager and HashiCorp Vault
Tracing/development
- Squash - Microservice debugger for Kubernetes from the IDE
- Ephemeral containers - K8s sidecar containers for troubleshooting
IAM
Trainings, Workshops and Tutorials
- KubeCon 2019 Attacking and Defending K8s clusters - walkthrough guide to get the basics down
- BSidesSF 2020 K8s security training - source code
- NodyHub's K8s CTF
- Kubernetes Goat - intentionally vulnerable k8s deployment
- Attacking and Auditing Docker Containers and Kubernetes Clusters - Materials from a 3-day hands-on training that we have delivered at security conferences
Good reads
Introductory articles
K8s Security concepts
- Tools and Methods for Auditing Kubernetes RBAC Policies
- Image integrity with Notary
- Setting up Pod Security Policies
- Enhancing Kubernetes Security with Pod Security Policies
- Webhooks and sidecars
- Using OPA and CRDs for security
- K8s audit, Google's audit logging and auditd
- Setting up K8s network policies
Threat modeling
- K8s threat models
- Threat Matrix for Kubernetes
- Trail of Bits kubernetes audit
- GKE security notices
- CIS Benchmark
Attacks
- Using CAP_NET_RAW for DNS Spoofing
- Capturing all the flags in BSidesSF CTF by pwning our infrastructure
- KubeCon Slides
Cloud provided K8s
- Connect Kubernetes Applications to Azure Resources with Managed Service Identities
- Authenticating to GKE without gcloud
Helpful red-team one-liners
- Istio API - `curl -sL https://github.com/istio/istio/releases/download/1.4.0-beta.0/istioctl-1.4.0-beta.0-linux.tar.gz | tar xzf -`
- Kubernetes API - `curl -sLO https://storage.googleapis.com/kubernetes-release/release/v1.16.0/bin/linux/amd64/kubectl; chmod u+x kubectl`
- Etcd API - `curl -sL https://github.com/etcd-io/etcd/releases/download/v3.4.3/etcd-v3.4.3-linux-amd64.tar.gz | tar zxf - */etcdctl --strip-components=1`
- Kubelet API - `curl -L https://github.com/cyberark/kubeletctl/releases/download/v1.5/kubeletctl_linux_amd64 -o kubeletctl && chmod u+x ./kubeletctl`
- Registry browser - `curl -sL https://github.com/genuinetools/reg/releases/download/v0.16.0/reg-linux-amd64 -o reg; chmod u+x reg`
- Better alternative to the docker CLI - `curl -sL https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.16.1/crictl-v1.16.1-linux-amd64.tar.gz | tar zxf -`
- GCP and DO privesc with metadata - `curl -sL https://github.com/4ARMED/kubeletmein/releases/download/v0.6.5/kubeletmein_0.6.5_linux_amd64 -o kubeletmein; chmod u+x kubeletmein`
- BoTB - `curl -sfSL "https://github.com/brompwnie/botb/releases/download/1.7.0/botb-linux-amd64" -o botb && chmod +x botb`
- Peirates - `curl -sL https://github.com/inguardians/peirates/releases/download/v1.0.25/peirates-linux-amd64.tar.xz | tar Jxf - */peirates --strip-components=1`