gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-31 23:15:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

a

Browse Source
This commit is contained in:
carlospolop
2025-05-11 17:04:02 +02:00
parent bb4337235e
commit 13cd85219b
4 changed files with 35 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md
View File

@@ -127,6 +127,7 @@ If you managed to **escape from the container** there are some interesting thing
- `/var/lib/kubelet/config.yaml`
- `/var/lib/kubelet/kubeadm-flags.env`
- `/etc/kubernetes/kubelet-kubeconfig`
- `/etc/kubernetes/admin.conf` --> `kubectl --kubeconfig /etc/kubernetes/admin.conf get all -n kube-system`
- Other **kubernetes common files**:
- `$HOME/.kube/config` - **User Config**
- `/etc/kubernetes/kubelet.conf`- **Regular Config**

15
src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
View File

@@ -36,6 +36,10 @@ curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh
kubescape scan --verbose
```
### [**Popeye**](https://github.com/derailed/popeye)
[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
### [**Kube-bench**](https://github.com/aquasecurity/kube-bench)
The tool [**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\
@@ -97,10 +101,6 @@ kube-hunter --remote some.node.com
## **Audit IaC Code**
### [**Popeye**](https://github.com/derailed/popeye)
[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
### [**KICS**](https://github.com/Checkmarx/kics)
[**KICS**](https://github.com/Checkmarx/kics) finds **security vulnerabilities**, compliance issues, and infrastructure misconfigurations in the following **Infrastructure as Code solutions**: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM, and OpenAPI 3.0 specifications
@@ -208,6 +208,13 @@ You should update your Kubernetes environment as frequently as necessary to have
- cloud controller manager, if you use one.
- Upgrade the Worker Node components such as kube-proxy, kubelet.
## Kubernetes monitoring & security:
- Kyverno Policy Engine
- Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
- Network Security Policies
- Falco - Runtime security monitoring & detection
{{#include ../../../banners/hacktricks-training.md}}

3
src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md
View File

@@ -2,6 +2,7 @@
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
## Abusing policies misconfiguration
### Enumerate rules
@@ -59,5 +60,7 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration
../kubernetes-validatingwebhookconfiguration.md
{{#endref}}
## More info
For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/)