Feature Request: kdigger gen --fuzz #10

Closed
sfunkernw opened this issue Oct 12, 2022 · 1 comment · Fixed by #11
Labels: enhancement (New feature or request)

Comments

@sfunkernw

Hi,
I enjoy kdigger, it is helpful during pentests.
Would it be possible to extend the gen command for fuzzing Kubernetes admission controllers?

Wouldn't it be great if it could generate Kubernetes YAML manifests with all cutting edge container spec and security context fields?
This should include pods with a privileged initContainer and ephemeralContainers, as well as Windows-node-specific security context fields.
This could be used to test admission controls more thoroughly.

Implementation ideas:

  • The existing Kubernetes mutating webhook logic could be extracted from K8s codebase and used to implement this
  • The tool could fetch the latest Kubernetes OpenAPI spec for apps and use this as a basis to generate valid manifests with all possible values for dangerous spec fields mutated
  • In order to fine-tune the mutator, the dangerous configs from the api spec must be studied to identify problematic combinations.
  • A small yet versatile base image should be used in the generated manifests that has sudo pre-installed (for allowPrivilegeEscalation checks)

Let me know your opinion about such a feature :-)

@mtardy
Collaborator

mtardy commented Oct 12, 2022

Wow!! I'm super happy to know that kdigger is useful :)

Your proposition is definitely a great idea! For example, I discovered a few months ago that because PodSecurityPolicy was going to be removed, maintainers did not upgrade it for the new ephemeralContainers thing and it was now a way to bypass it (PodSecurity admission plugin is checking that properly). So definitely, especially if people are using "custom" sets of rules with Kyverno, OPA/Gatekeeper, or something else, it could be a way to discover what could pass the control.

Implementation ideas are really on spot and I would love to try to work on this. Implementing a "pod mutator" seems exciting 🤓. This could be used both in kdigger gen but also used with kdigger dig adm with a flag.

I could create a PR soon when I have an idea to go from the OpenAPI spec to a valid random pod first and try to work on that directly here so that you can participate and make comments, or even participate if you have the time!
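A sketch of the idea from both messages above, added here as an example and not kdigger's code: a generator that puts the same privileged container into each of the three container lists, beside a check that walks all three, since the PodSecurityPolicy gap mtardy describes came from a policy that inspected only spec.containers. The Pod API types are a hand-written subset (an assumption made so the block builds without k8s.io/api), and the "probe"/"main" container names are constructed.

```go
package main

// Minimal Pod API subset written for this example (not kdigger's code); JSON tags match k8s.io/api.
type SecurityContext struct {
	Privileged               *bool `json:"privileged,omitempty"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	Containers          []Container `json:"containers"`
	InitContainers      []Container `json:"initContainers,omitempty"`
	EphemeralContainers []Container `json:"ephemeralContainers,omitempty"`
}

func boolp(b bool) *bool { return &b }

// GenCases returns one spec per container list, each carrying the same privileged
// container, so an admission control is exercised on every list, not only containers.
func GenCases(image string) map[string]PodSpec {
	priv := Container{Name: "probe", Image: image, SecurityContext: &SecurityContext{
		Privileged: boolp(true), AllowPrivilegeEscalation: boolp(true)}}
	plain := Container{Name: "main", Image: image, SecurityContext: &SecurityContext{AllowPrivilegeEscalation: boolp(false)}}
	return map[string]PodSpec{
		"containers":          {Containers: []Container{priv}},
		"initContainers":      {Containers: []Container{plain}, InitContainers: []Container{priv}},
		"ephemeralContainers": {Containers: []Container{plain}, EphemeralContainers: []Container{priv}},
	}
}

// AllContainers is what a policy must walk; checking only spec.containers reproduces the PSP gap.
func AllContainers(s PodSpec) []Container {
	return append(append(append([]Container{}, s.Containers...), s.InitContainers...), s.EphemeralContainers...)
}

// Violations flags containers that are privileged or do not set allowPrivilegeEscalation=false
// (two of the Pod Security "restricted" rules) in whichever list it is given.
func Violations(cs []Container) (out []string) {
	for _, c := range cs {
		sc := c.SecurityContext
		if sc == nil || (sc.Privileged != nil && *sc.Privileged) || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name)
		}
	}
	return out
}
```

Running `Violations(spec.Containers)` against the initContainers and ephemeralContainers cases returns nothing, while `Violations(AllContainers(spec))` flags "probe" in all three; that difference is exactly what the generated manifests are meant to surface in a real admission controller.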

@mtardy mtardy added the enhancement New feature or request label Oct 12, 2022
@mtardy mtardy self-assigned this Oct 13, 2022
@mtardy mtardy linked a pull request Oct 13, 2022 that will close this issue