Migrate to using mdbook

src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md

@@ -0,0 +1,76 @@
+# Kubernetes - OPA Gatekeeper
+
+**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
+
+## Definition
+
+Open Policy Agent (OPA) Gatekeeper is a tool used to enforce admission policies in Kubernetes. These policies are defined using Rego, a policy language provided by OPA. Below is a basic example of a policy definition using OPA Gatekeeper:
+
+```rego
+regoCopy codepackage k8srequiredlabels
+
+violation[{"msg": msg}] {
+    provided := {label | input.review.object.metadata.labels[label]}
+    required := {label | label := input.parameters.labels[label]}
+    missing := required - provided
+    count(missing) > 0
+    msg := sprintf("Required labels missing: %v", [missing])
+}
+
+default allow = false
+```
+
+This Rego policy checks if certain labels are present on Kubernetes resources. If the required labels are missing, it returns a violation message. This policy can be used to ensure that all resources deployed in the cluster have specific labels.
+
+## Apply Constraint
+
+To use this policy with OPA Gatekeeper, you would define a **ConstraintTemplate** and a **Constraint** in Kubernetes:
+
+```yaml
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8srequiredlabels
+        violation[{"msg": msg}] {
+            provided := {label | input.review.object.metadata.labels[label]}
+            required := {label | label := input.parameters.labels[label]}
+            missing := required - provided
+            count(missing) > 0
+            msg := sprintf("Required labels missing: %v", [missing])
+        }
+
+        default allow = false
+```
+
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: ensure-pod-has-label
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    labels:
+      requiredLabel1: "true"
+      requiredLabel2: "true"
+```
+
+In this YAML example, we define a **ConstraintTemplate** to require labels. Then, we name this constraint `ensure-pod-has-label`, which references the `k8srequiredlabels` ConstraintTemplate and specifies the required labels.
+
+When Gatekeeper is deployed in the Kubernetes cluster, it will enforce this policy, preventing the creation of pods that do not have the specified labels.
+
+## References
+
+* [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper)

src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md

@@ -0,0 +1,63 @@
+# Kubernetes OPA Gatekeeper bypass
+
+**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
+
+## Abusing misconfiguration
+
+### Enumerate rules
+
+Having an overview may help to know which rules are active, on which mode and who can bypass it.
+
+#### With the CLI
+
+```bash
+$ kubectl api-resources | grep gatekeeper
+k8smandatoryannotations                                                             constraints.gatekeeper.sh/v1beta1                  false        K8sMandatoryAnnotations
+k8smandatorylabels                                                                  constraints.gatekeeper.sh/v1beta1                  false        K8sMandatoryLabel
+constrainttemplates                                                                 templates.gatekeeper.sh/v1                         false        ConstraintTemplate
+```
+
+**ConstraintTemplate** and **Constraint** can be used in Open Policy Agent (OPA) Gatekeeper to enforce rules on Kubernetes resources.
+
+```bash
+$ kubectl get constrainttemplates
+$ kubectl get k8smandatorylabels
+```
+
+#### With the GUI
+
+A Graphic User Interface may also be available to access the OPA rules with **Gatekeeper Policy Manager.** It is "a simple _read-only_ web UI for viewing OPA Gatekeeper policies' status in a Kubernetes Cluster."
+
+<figure><img src="../../../images/05-constraints.png" alt=""><figcaption></figcaption></figure>
+
+Search for the exposed service :
+
+```bash
+$ kubectl get services -A | grep gatekeeper
+$ kubectl get services -A | grep 'gatekeeper-policy-manager-system'
+```
+
+### Excluded namespaces
+
+As illustrated in the image above, certain rules may not be applied universally across all namespaces or users. Instead, they operate on a whitelist basis. For instance, the `liveness-probe` constraint is excluded from applying to the five specified namespaces.
+
+### Bypass
+
+With a comprehensive overview of the Gatekeeper configuration, it's possible to identify potential misconfigurations that could be exploited to gain privileges. Look for whitelisted or excluded namespaces where the rule doesn't apply, and then carry out your attack there.
+
+{{#ref}}
+../abusing-roles-clusterroles-in-kubernetes/
+{{#endref}}
+
+## Abusing ValidatingWebhookConfiguration
+
+Another way to bypass constraints is to focus on the ValidatingWebhookConfiguration resource :&#x20;
+
+{{#ref}}
+../kubernetes-validatingwebhookconfiguration.md
+{{#endref}}
+
+## References
+
+- [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper)
+- [https://github.com/sighupio/gatekeeper-policy-manager](https://github.com/sighupio/gatekeeper-policy-manager)