Hi,
I enjoy kdigger, it is helpful during pentests.
Would it be possible to extend the gen command for fuzzing Kubernetes admission controllers?
Wouldn't it be great if it could generate Kubernetes YAML manifests with all cutting-edge container spec and security context fields?
This should include pods with privileged initContainer and ephemeralContainers, as well as Windows node specific security context fields.
This could be used to test admission controls more thoroughly.
Implementation ideas:
The existing Kubernetes mutating webhook logic could be extracted from the K8s codebase and used to implement this.
The tool could fetch the latest Kubernetes OpenAPI spec for apps and use this as basis to generate valid manifests with all possible values for dangerous spec fields mutated.
In order to fine-tune the mutator, the dangerous configs from the API spec must be studied to identify problematic combinations.
A small yet versatile base image should be used in the generated manifests that has sudo pre-installed (for allowPrivilegeEscalation checks).
Let me know your opinion about such a feature :-)
Wow!! I'm super happy to know that kdigger is useful :)
Your proposition is definitely a great idea! For example, I discovered a few months ago that because PodSecurityPolicy was going to be removed, maintainers did not upgrade it for the new ephemeralContainers thing and it was now a way to bypass it (PodSecurity admission plugin is checking that properly). So definitely, especially if people are using "custom" sets of rules with Kyverno, OPA/Gatekeeper, or something else, it could be a way to discover what could pass the control.
Implementation ideas are really spot on and I would love to try to work on this. Implementing a "pod mutator" seems exciting 🤓. This could be used both in kdigger gen and with kdigger dig adm with a flag.
I could create a PR soon when I have an idea to go from the OpenAPI spec to a valid random pod first and try to work on that directly here so that you can participate and make comments, or even participate if you have the time!
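The coverage gap discussed in this thread (a rule that inspects `spec.containers` but not `initContainers` or `ephemeralContainers`) can be checked for on the defender's side with a few lines of Go. This is an added example, not kdigger code and not written by either participant; the sample pod object, the `findings` function and the choice of the two flagged fields are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// container keeps only the fields this check reads.
type container struct {
	Name            string                 `json:"name"`
	SecurityContext map[string]interface{} `json:"securityContext"`
}

// Boolean securityContext fields flagged when explicitly true (defaults are not modelled).
var riskyFields = []string{"privileged", "allowPrivilegeEscalation"}

// Constructed sample object: the regular container is clean, the other two are not.
const samplePod = `{"spec":{"nodeName":"node-1",
 "containers":[{"name":"app","securityContext":{"privileged":false}}],
 "initContainers":[{"name":"setup","securityContext":{"allowPrivilegeEscalation":true}}],
 "ephemeralContainers":[{"name":"debug","securityContext":{"privileged":true}}]}}`

// findings lists risky fields set to true in the named spec lists as "list/name: field".
func findings(raw string, kinds ...string) ([]string, error) {
	var p struct{ Spec map[string]json.RawMessage }
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	var out []string
	for _, kind := range kinds {
		var cs []container
		if rawList, ok := p.Spec[kind]; ok && json.Unmarshal(rawList, &cs) != nil {
			return nil, fmt.Errorf("spec.%s is not a container list", kind)
		}
		for _, c := range cs {
			for _, f := range riskyFields {
				if on, _ := c.SecurityContext[f].(bool); on {
					out = append(out, kind+"/"+c.Name+": "+f)
				}
			}
		}
	}
	return out, nil
}

func main() {
	narrow, _ := findings(samplePod, "containers")
	full, _ := findings(samplePod, "containers", "initContainers", "ephemeralContainers")
	fmt.Printf("containers only: %v\nall lists: %v\n", narrow, full)
}
```

A rule that only walks `containers` reports nothing for this object, while walking all three lists reports both settings, which is the difference a custom Kyverno or OPA/Gatekeeper rule set should be reviewed for.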