CVE-2020-8554

Published: 21/01/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 5 | Impact Score: 3.4 | Exploitability Score: 1.6
VMScore: 538
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

The Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status of a LoadBalancer service (a privileged operation that should not typically be granted to users) can set status.loadBalancer.ingress.ip to similar effect.

Vulnerable Products

kubernetes kubernetes

oracle communications cloud native core network slice selection function 1.2.1

oracle communications cloud native core service communication proxy 1.14.0

oracle communications cloud native core policy 1.15.0

Vendor Advisories

Synopsis: Moderate: OpenShift Container Platform 3.11.374 bug fix and security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 3.11.374 is now available with updates to packages and images that fix several bugs. This release also includes a security update f ...
Debian Bug report logs - #990793 kubernetes: CVE-2020-8554 CVE-2020-8562 CVE-2021-25735 CVE-2021-25737. Package: src:kubernetes; Maintainer for src:kubernetes is Janos Lenart <ocsi@debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Wed, 7 Jul 2021 15:48:02 UTC; Severity: important; Tags: security, upst ...

Mailing Lists

oss-sec mailing list archives: [kubernetes] CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs ...

Github Repositories

CDK - Zero Dependency Container Penetration Toolkit. English | 简体中文. Legal Disclaimer: Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only. Overview: CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It c ...

A Helm chart to deploy a collection of Kyverno policies for security and best practice enforcement in Kubernetes clusters

kyverno-policies: Collection of Kyverno security and best-practice policies for Kyverno. Upstream References: kyverno.io/policies/, github.com/kyverno/policies. Learn More: Application Overview, Other Documentation. Pre-Requisites: Kubernetes cluster deployed; Kubernetes config installed in ~/.kube/config; Helm installed (Install Helm: helm.sh/docs/intro/) ...

Universal Kubernetes mutating operator

KubeMod: KubeMod is a universal Kubernetes mutating operator. It introduces ModRule, a custom Kubernetes resource that can intercept the deployment of any Kubernetes object and apply targeted modifications to it, or reject it before it is deployed to the cluster. Use KubeMod to: customize opaque Helm charts and Kubernetes operators; build a system of policy rules to reject mis ...

🌏 [WIP] Once organized, this will be migrated to cdk-team/document; it contains CDK documentation for various container and K8s attack-and-defense scenarios.

Prisma Cloud Compute Admission rules to mitigate Kubernetes CVE-2020-8554

Prisma Cloud Compute Mitigations for Kubernetes CVE-2020-8554. This repository contains Prisma Cloud Compute Admission rules that mitigate exploitation of CVE-2020-8554, an unpatched Kubernetes vulnerability. To ensure correct usage, please follow the instructions provided in the 'Prisma Cloud Mitigation' section of our response post, Protecting Against Kubernetes CVE- ...

CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs

externalip-webhook, created to address CVE-2020-8554. Note: This chart is deprecated for Kubernetes version 1.21 and unsupported starting with 1.22. To mitigate CVE-2020-8554, enable the DenyServiceExternalIPs admission controller on the cluster. externalip-webhook is a validating webhook which prevents services from using random external IPs. Cluster administrators can specify ...

Kubernetes hostPort allows service traffic interception when using kube-proxy IPVS (CVE-2019-9946)
Host MITM attack via IPv6 rogue router advertisements (K8S / Docker / LXD / WSL2 / )
Bridge firewalling "bypass" using VLAN 0
Kubernetes MITM using LoadBalancer or ExternalIPs (CVE-2020-8554)
Metadata service MITM allows root privilege escalation (EKS / GKE)

Kubernetes security tool for policy enforcement

The k-rail project has been deprecated and will receive no new features or bugfixes except in the case of critical security vulnerabilities. We recommend migrating to an actively developed tool like OPA Gatekeeper that provides similar functionality. k-rail is a workload policy enforcement tool for Kubernetes. It can help you secure a multi-tenant cluster with minimal disrupti ...

Setup for a K8s home lab running on a single host (e.g. Intel NUC)

Kubernetes in a Home Lab Environment. This repository should contain all required steps, manifests and resources to set up K8s in a home lab environment. Its status should be viewed as "work in progress", since I plan to improve various things in the future. This technology stack should not be viewed as production ready, since the chaining of the different tools and t ...

ClusterIP Validating Webhook

externalip-webhook, created to address CVE-2020-8554. externalip-webhook is a validating webhook which prevents services from using random external IPs. Cluster administrators can specify a list of CIDRs allowed to be used as external IPs via the allowed-external-ip-cidrs parameter. The webhook will only allow creation of services which don't require an external IP or whose e ...
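The allow-list check that the webhook description above and the vulnerability summary imply, written here as an added example (not the externalip-webhook project's own code): a validating-admission decision that rejects a Service whose spec.externalIPs, or whose patched status.loadBalancer.ingress[].ip, fall outside administrator-approved CIDRs. The ALLOWED_CIDRS list, the sample Service objects and the function names are constructed for this example; the AdmissionReview response shape follows the admission.k8s.io/v1 API.

```python
import ipaddress

# Constructed allow-list standing in for an allowed-external-ip-cidrs setting.
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8:1::/64"]


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _ip_allowed(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable value is never allowed through
    return any(addr in n for n in nets)  # version mismatch yields False


def collect_service_ips(svc):
    """IPs a Service can claim: spec.externalIPs plus any
    status.loadBalancer.ingress[].ip (the two fields named in the CVE)."""
    spec = svc.get("spec") or {}
    status = svc.get("status") or {}
    ips = list(spec.get("externalIPs") or [])
    for ing in (status.get("loadBalancer") or {}).get("ingress") or []:
        if ing.get("ip"):
            ips.append(ing["ip"])
    return ips


def validate_service(svc, allowed_cidrs=ALLOWED_CIDRS):
    """Allow the Service only if every claimed IP is inside an allowed CIDR."""
    nets = _networks(allowed_cidrs)
    bad = [ip for ip in collect_service_ips(svc) if not _ip_allowed(ip, nets)]
    if not bad:
        return {"allowed": True}
    return {"allowed": False, "status": {"code": 403, "message":
            "externalIP/loadBalancer IP not in allowed CIDRs: " + ", ".join(bad)}}


def admission_response(review, allowed_cidrs=ALLOWED_CIDRS):
    """Wrap the decision in an AdmissionReview response for the API server."""
    req = review["request"]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], **validate_service(req["object"], allowed_cidrs)}}


# Constructed sample Services (not taken from the page).
SVC_PLAIN = {"spec": {"type": "ClusterIP", "ports": [{"port": 80}]}}
SVC_EXT = {"spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.7"]}}
SVC_OK = {"spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}}

if __name__ == "__main__":
    for s in (SVC_PLAIN, SVC_EXT, SVC_OK):
        print(validate_service(s))
```

In a real deployment this decision would sit behind an HTTPS handler registered through a ValidatingWebhookConfiguration for Service CREATE and UPDATE operations, including status subresource updates.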

Gatekeeper constraint for CVE-2020-8554. Install the OPA client: follow the instructions. Run unit tests:
$ opa test --ignore=*.yaml ./policies
# verbose output
$ opa test -v --explain=full --format=pretty --ignore=*.yaml ./policies

Mitigate CVE-2020-8554 with Policy Controller in Anthos

Mitigate CVE-2020-8554 with Policy Controller. This repository contains configuration files for using Policy Controller, which is based on the open source OPA Gatekeeper project, to block Kubernetes Services from public IP access. The security advisory for this issue states: A security issue was discovered with Kubernetes affecting multitenant clusters. If a potential attacker ...

A project to learn Go by writing a Kubernetes admission controller.

Admission Controller Base: A project to learn some Go by migrating our Python mutating admission controller to Go. Functionality to Replicate: tracking each feature we have implemented in Python that we need to implement in the new controller: Webhooks; Tolerate Azure spot instances; Add the internal-only annotation for the cloud provider we're running in; Reject objects in ...

Recent Articles

Patch Tuesday brings bug fixes for OpenSSL, IBM, SAP, Kubernetes, Adobe, and Red Hat. And Microsoft, of course
The Register • Thomas Claburn in San Francisco • 08 Dec 2020

Light load from Redmond as everyone else seeks to bury bad news, sorry, align in update cadence

Patch Tuesday: For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements. On the one hand, vendors glommed to Microsoft's Patch Tuesday on the pretense that users and system administrators could plan their patching around a regular, monthly cadence. On the other hand, it lets developers emit all their bad news at once and ideally avoid headlines specif...