{"id":15655375,"url":"https://github.com/sunweb3sec/kubernetes-security","last_synced_at":"2025-08-09T23:06:31.777Z","repository":{"id":104119725,"uuid":"582592316","full_name":"SunWeb3Sec/Kubernetes-security","owner":"SunWeb3Sec","description":"Kubernetes pentesting, hardening and hunting tools.","archived":false,"fork":false,"pushed_at":"2022-12-27T13:01:50.000Z","size":48,"stargazers_count":63,"open_issues_count":0,"forks_count":16,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-05T03:32:45.952Z","etag":null,"topics":["devsecops","kubernetes"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SunWeb3Sec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-12-27T09:57:06.000Z","updated_at":"2025-04-05T05:51:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"6aa6f509-2a87-43f4-8785-db15c07ef385","html_url":"https://github.com/SunWeb3Sec/Kubernetes-security","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SunWeb3Sec/Kubernetes-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SunWeb3Sec%2FKubernetes-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SunWeb3Sec%2FKubernetes-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SunWeb3Sec%2FKubernetes-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SunWeb3Sec%2FKubernetes-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SunWeb3Sec","download_url":"https://codeload.github.com/SunWeb3Sec/Kubernetes-security/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SunWeb3Sec%2FKubernetes-security/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269649848,"owners_count":24453541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-09T02:00:10.424Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","kubernetes"],"created_at":"2024-10-03T12:58:37.130Z","updated_at":"2025-08-09T23:06:31.725Z","avatar_url":"https://github.com/SunWeb3Sec.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes pentesting, hardening and hunting tools\n\nShare my k8s research materials that I did two years ago.\n\nThis repo aims to how to secure your kubernetes (K8s) environment.\n\n[Kubernetes pentesting](https://github.com/SunWeb3Sec/Kubernetes-security#kubernetes-pentesting)\n\n[Kubernetes hardening](https://github.com/SunWeb3Sec/Kubernetes-security#kubernetes-hardening)\n\n[Kubernetes hunting tools](https://github.com/SunWeb3Sec/Kubernetes-security#kubernetes-hunting-tools)\n\n## Kubernetes pentesting\n\n### Docker attacks\n* Misconfiguration\n  * Docker Remote API unauthorized access port 2375 (HTTP) and 2376 (HTTPS) /containers/json\n  * Docker.sock is mounted inside the container\n  * Docker compose secret expose\n  * DIND(docker-in-docker) exploitation\n* Docker high-risk startup parameters\n  * Privileged privileged mode\n  * Mount sensitive directories\n  * Safety issues related to startup parameters\n* Escape by Docker software flaw\n  * Shocker attack, VMM-container breakout \n  * runC container escape vulnerability (CVE-2019-5736)\n  * Docker cp command (CVE-2019-14271)\n  * Abuse cgroup (release_agent)\n  * rkt enter  (CVE-2019-10144, CVE-2019-10145 and CVE-2019-10146)\n* Escape by Kernel vulnerability\n  * Dirty COW - (CVE-2016-5195) - Docker Container Escape\n* Backdoor container\n### Kubernetes attacks\n* Recon / Misconfiguration\n  * Service unauthorized access / Expose \n    * ETCD port 2379\n    * Maintains cluster state and secrets\n    * No authentication by default\n    * No encryption at rest by default\n    * REST \u0026 gRPC APIs\n  * Kubelet API port 10250/10255 (Misconfigured kubelets non-auth)\n  * API server port 443/6443/8443/8080\n  * Kube porxy port 10256\n  * Calico port 9099\n  * Weave 6782-4\n  * NodePort expose\n  * Cluster network recon\n  * Shodan/ZoomEye/Censys\n    * kubernetesDashboard\n    * kubernetes\n    * k8s\n    * kubernetes master\n    * openshift\n    * swarm\n    * product:etcd\n    * k8s.io\n    * apiserver\n    * k8s_node/k8s-cluster-etcd/kubeadm-master/kubemaster-etcd\n  * Bypass namespace restriction\n    * The namespaces within the cluster doesn't have any network security restrictions by default.  By default, all pods in a Kubernetes cluster can communicate freely with each other without any issues\n    * Docker sock\n  * Container escape / replace host binary / reverse shell\n    * docker.sock expose\n    * Hostpath mount / chroot /host/ bash\n  * Privilege escalation\n    * Insecure deployment file \n    * Insecure pod security policy (AllowPrivilegeEscalation, MustRunAsNonRoot and privileged) Bypass the PSP to deploy a Pod\n      * Bad Pod #1: Everything allowed\n      * Bad Pod #2: Privileged and hostPid\n      * Bad Pod #3: Privileged only\n      * Bad Pod #4: hostPath only\n      * Bad Pod #5: hostPid only\n      * Bad Pod #6: hostNetwork only\n      * Bad Pod #7: hostIPC only\n      * Bad Pod #8: Nothing allowed\n    * Create pod into kube-system with automountServiceAccountToken: true\n    * Create malicious Admission controllers\n    * Shell Escape Sequences\n  * Git expose \n  * Secret leakage\n    * Config\n    * Secret\n    * SSH key\n    * Environment information\n  * DoS the memory/cpu resources\n    * No applied limit ranges for the containers\n* Initial Access\n  * Using cloud credentials, instance metadata\n    * SSRF over web vulnerability\n    * In Container\n  * Gain access private registry\n  * Vulnerable application\n    * Backdooring CI/CD\n    * Discovering Routes and Hidden Consoles\n    * SSRF Impacts on Cloud Environments\n    * Command Injections\n    * SQL Injections\n    * Peirates for Container Escape\n    * Injecting Functionless Environments Using LambdaShell\n    * Vulnerable application - insecure deserialization\n    * Insecure secret management - no protection of encryption key\n    * Redis - no authentication\n* Attack API over server account - Authorization\n  * /run/secrets/kubernetes.io/serviceaccount/token\n  * /var/lib/kubelet/kubeconfig\n  * $HOME/.kube/config\n  * get secret\n* Bypass RBAC\n  * Seeking Extensive Privileges (kubernetes-rbac-audit)\n* Exploit\n  * CVE-2018-1002105 (Unauthenticated user to perform privilege escalation)\n  * CVE-2020-8558 (kube-proxy route_localnet unauthenticated access node)\n  * CVE-2020-8555 (SSRF)\n  * kubelet-exploit\n  * Exec a command / shell in a container via the API server\n  * Launch a container onto the cluster via the API server\n  * Abuse or set up a \"volume mount\" to steal/modify data or the host itself\n  * Ask a Kubelet to exec a command / shell in an existing container\n  * Interact with the Docker daemon on the host\n  * Interact with the internal or external networks\n  * Image 3rd vulnerability\n  * Kubernetes CronJob\n  * helm2 exposes a Tiller gRPC interface (Default:No authentication)\n* Pod compromise\n  * RCE into the Pod\n  * Steal Service Tokens\n  * Find the public IP of the cluster\n  * Setup kubectl with the compromised token\n  * Determine what you can do in the cluster\n* Namespace compromise\n  * Bypass the PSP to deploy a Pod\n  * Port forwarding into the Pod\n  * Finding other services in the cluster\n* Namespace tenant bypass\n  * Compromise the other Pod\n  * Steal account token in new namespace\n  * Deploy a privileged pod\n* Node compromise\n  * Compromise the Node\n  * Deeper compromise\n  * Stealing the kubelet config\n* Cluster compromise\n  * Creating mirror pods\n  * Accessing the shell in the kube-system namespace\n  * Helm v2 tiller to PwN the cluster (Retrieve tiller service account token)\n* Combo\n  * No permission to get secret but you can create pod. Create pod that include secret\n  * From pod lateral movement\n  * Bypass the PSP to deploy a Pod\n  * Later movement - instance metadata\n* Cluster Layer\n  * No network policy\n  * No authentication or access control\n  * No logical segmentation - namespaces\n  * No pod security controls\n  * Lack of monitoring\n* Application Layer\n  * Vulnerable application - insecure deserialization\n  * Insecure secret management - no protection of encryption key\n  * Redis - no authentication\n  * More\n* Container Layer\n  * Running as root\n  * No hardening of container runtime\n  * Insecure secret in container environment variables\n*High Privileged\n  * Privilege to Use Pods/Exec\n  * Privilege to Get/Patch Rolebindings\n  * Impersonating a Privileged Account\n  * Privileged Service Account Token\n* Defense evasion\n  * Clear container logs\n  * Delete Kubernetes events\n  * Pod / container name similarity\n\n\n## Kubernetes hardening\n* Secure EKS Cluster\n  * Cloud Infrastructure Security\n  * VPC Layout\n  * Dedicated IAM Role for EKS Cluster Creation\n  * Cluster Resource Tagging\n  * Control SSH Access to Nodes\n  * EC2 Security Groups for Nodes\n  * Don’t Install the Kubernetes Dashboard\n  * AWS Fargate for Nodeless EKS (AWS does not recommend running sensitive workloads on Fargate.)\n  * IAM Policies and the Principle of Least Privilege( cluster autoscaler by using the IAM policy Condition)\n  * Isolating Critical Cluster Workloads\n  * Manage IAM Credentials for Pods\n* Authentication\n  * --anonymous-auth=false (Default:true)\n  * To enable X509 client certificate authentication to the kubelet's HTTPS endpoint\n* Authorization (RBAC, Node, ABAC or Webhook)\n  * –authorization-mode is not set to AlwaysAllow, as the more secure Webhook mode will delegate authorization decisions to the Kubernetes API server.\n  * Do not grant write access to ConfigMaps in ClusterRoles, which apply globally across all namespaces. Use RoleBindings to limit these permissions to specific namespaces.\n* Admission Control\n  * Gatekeeper\n  * Enable NodeRestriction admission plugin to limit a kubelet to modify its own node) pods and pod status\n  * AlwaysPullImages\n  * DenyEscalatingExec\n  * ResourceQuota\n  * LimitRanger\n* Pod security. Admins can control specific actions.\n  * Pod security policy\n  * Restrict the containers that can run as privileged (Delete the default pod security policy)\n  * Do not run processes in containers as root\n  * Do not allow privileged escalation\n  * Restrict the use of hostPath or if hostPath is necessary restrict which prefixes can be used and configure the volume as read-only (By default pods that run as root will have write access to the file system exposed by hostPath) prevent symbolic links threat\n  * Set requests and limits for each container to avoid resource contention and DoS attacks\nQuality Of Service (QoS)\n  * Privileged: false\n  * runAsUser:    rule: 'MustRunAsNonRoot'\n  * AllowPrivilegeEscalation=false\n* Multi-tenancy\n  * Namespace / RBAC\n  * Node selector\n  * Anti-Affinity Rules\n  * Taints / Tolerations\n* Network security\n  * Network policies. The default is that all pods talk to all pods. Consider changing it.\n  * Traffic control\n  * Network Policies (Calico)\n    * Create a default deny policy\n    * Create a rule to allow DNS queries\n    * Incrementally add rules to selectively allow the flow of traffic between namespaces/pods\n    * Log network traffic metadata\n    * Use encryption with AWS load balancers\n  * Security Groups\n  * Encryption in transit\n  * Service Mesh\n  * Container Network Interfaces (CNIs)\n  * Nitro Instances\n* Kubernetes secrets. Use secrets to store sensitive data instead of config maps.\n* ETCD\n  * PKI-based authentication for etcd\n  * Encryption at rest\n  * etcd peer-to-peer TLS\n  * Kubernetes API to etcd cluster TLS\n* Image Security\n  * Private registries\n  * Image signing (use only signed images from trusted registry)\n  * Image vulnerability check\n* Container security\n  * Dockerfile\n  * Do not expose the Docker daemon socket\n  * Set a non-root user\n  * Add –no-new-privileges flag\n  * Prevent Docker in docker (DIND)\n  * Docker Bench for Security\n  * Preventing containers from loading unwanted kernel modules\n    * /etc/modprobe.d/kubernetes-blacklist.conf\n* Runtime security\n  * SELinux\n  * AppArmor (EX: enforce AppArmor profiles on pods via Pod Security Policies. Prevent the attack pods from writing to files in the host’s filesystem)\n  * Seccomp \n  * Falco\n* Detective Controls (Audit logging. Watch them!)\n  * Auditing and logging\n  * Enable audit logs\n  * Create alarms for suspicious events\n  * Analyzing Log Data with CloudWatch Logs Insights\n  * Audit your CloudTrail logs (IRSA)\n  * Falco log\n  * Audit all the container's activity\n* Infrastructure Security\n  * Use an OS optimized for running containers\n  * Treat your infrastructure as immutable and automate the replacement of your worker nodes\n  * Periodically run kube-bench to verify compliance with CIS benchmarks for Kubernetes\n  * Minimize access to worker nodes\n  * Deploy workers onto private subnets\n  * Run Amazon Inspector to assess hosts for exposure, vulnerabilities, and deviations from best practices\n  * Harden the host (always patch)\n  * Separate partitions for containers\n* Defense\n  * Don’t allow privileged Pods\n  * Don't allow a container to become root\n  * Don’t allow host mounts at all\n  * Consider a network plugin or Network Policy for segmentation\n  * Only use images and registries that you trust and don’t rely on Docker Hub as a trusted source\n  * Keep roles and role bindings as strict as possible\n  * Don’t automount Service Tokens into Pods if your services don’t need to communicate to the API\n  * Consider abstracting direct console access to the cluster away (ie Terraform, Spinnaker) so that none of your developers have cluster-admin permission.\n\n## Kubernetes hunting tools\n* [kubiscan](https://github.com/cyberark/KubiScan)\n* [Kube hunter](https://github.com/aquasecurity/kube-hunter)\n* [Kube bench](https://github.com/aquasecurity/kube-bench)\n* [kubeaudit](https://github.com/Shopify/kubeaudit) \n* [kubescore](https://github.com/zegl/kube-score)\n* [checkov](https://github.com/bridgecrewio/checkov)\n* [kubesec](https://github.com/controlplaneio/kubesec)\n* [kubesploit](https://github.com/cyberark/kubesploit)\n* [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsunweb3sec%2Fkubernetes-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsunweb3sec%2Fkubernetes-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsunweb3sec%2Fkubernetes-security/lists"}