├── .gitignore ├── LICENSE ├── README.md ├── mdbook ├── .gitignore ├── book.toml ├── css │ └── custom.css └── src │ ├── SUMMARY.md │ ├── assets │ └── images │ │ ├── components-of-kubernetes.png │ │ └── simple-threat-model.png │ ├── cis-benchmark │ ├── docker.md │ └── kubernetes.md │ ├── introduction.md │ ├── kubernetes │ ├── childrens-guide-to-kubernetes.md │ ├── common-resources.md │ ├── deploying-app-using-manifest.md │ ├── hands-on-usecases.md │ ├── images │ │ ├── delete-deploy.png │ │ ├── deploy-app-get-pods.png │ │ ├── kubectl-auth-can-i.png │ │ ├── kubectl-cluster-info.png │ │ ├── kubectl-combined.png │ │ ├── kubectl-delete-pod.png │ │ ├── kubectl-deploy-portfwd.png │ │ ├── kubectl-describe-pod.png │ │ ├── kubectl-exec.png │ │ ├── kubectl-explain.png │ │ ├── kubectl-get-secret-yaml.png │ │ ├── kubectl-logs.png │ │ ├── kubectl-namespace.png │ │ ├── kubectl-pods-wide.png │ │ ├── kubectl-pods.png │ │ ├── kubernetes-overview.png │ │ ├── nginx-site.png │ │ └── update-deployment.png │ ├── introduction.md │ └── playground.md │ ├── references-resources │ └── readme.md │ ├── security-testing │ ├── auth │ │ └── index.md │ ├── cluster │ │ └── index.md │ ├── container │ │ └── index.md │ ├── discovery │ │ ├── fingerprint-master.md │ │ ├── fingerprint-worker.md │ │ └── index.md │ ├── index.md │ └── runtime │ │ └── index.md │ └── threat-model │ ├── actors.md │ ├── how-to-use.md │ ├── introduction.md │ ├── system-architecture.md │ ├── terminology.md │ └── trust-boundaries.md └── netlify.toml /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Created by https://www.toptal.com/developers/gitignore/api/macos,linux,git,mdbook 3 | # Edit at https://www.toptal.com/developers/gitignore?templates=macos,linux,git,mdbook 4 | 5 | ### Git ### 6 | # Created by git for backups. To disable backups in Git: 7 | # $ git config --global mergetool.keepBackup false 8 | *.orig 9 | 10 | # Created by git when using merge tools for conflicts 11 | *.BACKUP.* 12 | *.BASE.* 13 | *.LOCAL.* 14 | *.REMOTE.* 15 | *_BACKUP_*.txt 16 | *_BASE_*.txt 17 | *_LOCAL_*.txt 18 | *_REMOTE_*.txt 19 | 20 | ### Linux ### 21 | *~ 22 | 23 | # temporary files which can be created if a process still has a handle open of a deleted file 24 | .fuse_hidden* 25 | 26 | # KDE directory preferences 27 | .directory 28 | 29 | # Linux trash folder which might appear on any partition or disk 30 | .Trash-* 31 | 32 | # .nfs files are created when an open file is removed but is still being accessed 33 | .nfs* 34 | 35 | ### macOS ### 36 | # General 37 | .DS_Store 38 | .AppleDouble 39 | .LSOverride 40 | 41 | # Icon must end with two \r 42 | Icon 43 | 44 | # Thumbnails 45 | ._* 46 | 47 | # Files that might appear in the root of a volume 48 | .DocumentRevisions-V100 49 | .fseventsd 50 | .Spotlight-V100 51 | .TemporaryItems 52 | .Trashes 53 | .VolumeIcon.icns 54 | .com.apple.timemachine.donotpresent 55 | 56 | # Directories potentially created on remote AFP share 57 | .AppleDB 58 | .AppleDesktop 59 | Network Trash Folder 60 | Temporary Items 61 | .apdisk 62 | 63 | ### MdBook ### 64 | book 65 | 66 | 67 | # End of https://www.toptal.com/developers/gitignore/api/macos,linux,git,mdbook 68 | 69 | ### Custom 70 | mdbook/book/* 71 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution-ShareAlike 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-ShareAlike 4.0 International Public 58 | License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-ShareAlike 4.0 International Public License ("Public 63 | License"). To the extent this Public License may be interpreted as a 64 | contract, You are granted the Licensed Rights in consideration of Your 65 | acceptance of these terms and conditions, and the Licensor grants You 66 | such rights in consideration of benefits the Licensor receives from 67 | making the Licensed Material available under these terms and 68 | conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Adapter's License means the license You apply to Your Copyright 84 | and Similar Rights in Your contributions to Adapted Material in 85 | accordance with the terms and conditions of this Public License. 86 | 87 | c. BY-SA Compatible License means a license listed at 88 | creativecommons.org/compatiblelicenses, approved by Creative 89 | Commons as essentially the equivalent of this Public License. 90 | 91 | d. Copyright and Similar Rights means copyright and/or similar rights 92 | closely related to copyright including, without limitation, 93 | performance, broadcast, sound recording, and Sui Generis Database 94 | Rights, without regard to how the rights are labeled or 95 | categorized. For purposes of this Public License, the rights 96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 97 | Rights. 98 | 99 | e. Effective Technological Measures means those measures that, in the 100 | absence of proper authority, may not be circumvented under laws 101 | fulfilling obligations under Article 11 of the WIPO Copyright 102 | Treaty adopted on December 20, 1996, and/or similar international 103 | agreements. 104 | 105 | f. Exceptions and Limitations means fair use, fair dealing, and/or 106 | any other exception or limitation to Copyright and Similar Rights 107 | that applies to Your use of the Licensed Material. 108 | 109 | g. License Elements means the license attributes listed in the name 110 | of a Creative Commons Public License. The License Elements of this 111 | Public License are Attribution and ShareAlike. 112 | 113 | h. Licensed Material means the artistic or literary work, database, 114 | or other material to which the Licensor applied this Public 115 | License. 116 | 117 | i. Licensed Rights means the rights granted to You subject to the 118 | terms and conditions of this Public License, which are limited to 119 | all Copyright and Similar Rights that apply to Your use of the 120 | Licensed Material and that the Licensor has authority to license. 121 | 122 | j. Licensor means the individual(s) or entity(ies) granting rights 123 | under this Public License. 124 | 125 | k. Share means to provide material to the public by any means or 126 | process that requires permission under the Licensed Rights, such 127 | as reproduction, public display, public performance, distribution, 128 | dissemination, communication, or importation, and to make material 129 | available to the public including in ways that members of the 130 | public may access the material from a place and at a time 131 | individually chosen by them. 132 | 133 | l. Sui Generis Database Rights means rights other than copyright 134 | resulting from Directive 96/9/EC of the European Parliament and of 135 | the Council of 11 March 1996 on the legal protection of databases, 136 | as amended and/or succeeded, as well as other essentially 137 | equivalent rights anywhere in the world. 138 | 139 | m. You means the individual or entity exercising the Licensed Rights 140 | under this Public License. Your has a corresponding meaning. 141 | 142 | 143 | Section 2 -- Scope. 144 | 145 | a. License grant. 146 | 147 | 1. Subject to the terms and conditions of this Public License, 148 | the Licensor hereby grants You a worldwide, royalty-free, 149 | non-sublicensable, non-exclusive, irrevocable license to 150 | exercise the Licensed Rights in the Licensed Material to: 151 | 152 | a. reproduce and Share the Licensed Material, in whole or 153 | in part; and 154 | 155 | b. produce, reproduce, and Share Adapted Material. 156 | 157 | 2. Exceptions and Limitations. For the avoidance of doubt, where 158 | Exceptions and Limitations apply to Your use, this Public 159 | License does not apply, and You do not need to comply with 160 | its terms and conditions. 161 | 162 | 3. Term. The term of this Public License is specified in Section 163 | 6(a). 164 | 165 | 4. Media and formats; technical modifications allowed. The 166 | Licensor authorizes You to exercise the Licensed Rights in 167 | all media and formats whether now known or hereafter created, 168 | and to make technical modifications necessary to do so. The 169 | Licensor waives and/or agrees not to assert any right or 170 | authority to forbid You from making technical modifications 171 | necessary to exercise the Licensed Rights, including 172 | technical modifications necessary to circumvent Effective 173 | Technological Measures. For purposes of this Public License, 174 | simply making modifications authorized by this Section 2(a) 175 | (4) never produces Adapted Material. 176 | 177 | 5. Downstream recipients. 178 | 179 | a. Offer from the Licensor -- Licensed Material. Every 180 | recipient of the Licensed Material automatically 181 | receives an offer from the Licensor to exercise the 182 | Licensed Rights under the terms and conditions of this 183 | Public License. 184 | 185 | b. Additional offer from the Licensor -- Adapted Material. 186 | Every recipient of Adapted Material from You 187 | automatically receives an offer from the Licensor to 188 | exercise the Licensed Rights in the Adapted Material 189 | under the conditions of the Adapter's License You apply. 190 | 191 | c. No downstream restrictions. You may not offer or impose 192 | any additional or different terms or conditions on, or 193 | apply any Effective Technological Measures to, the 194 | Licensed Material if doing so restricts exercise of the 195 | Licensed Rights by any recipient of the Licensed 196 | Material. 197 | 198 | 6. No endorsement. Nothing in this Public License constitutes or 199 | may be construed as permission to assert or imply that You 200 | are, or that Your use of the Licensed Material is, connected 201 | with, or sponsored, endorsed, or granted official status by, 202 | the Licensor or others designated to receive attribution as 203 | provided in Section 3(a)(1)(A)(i). 204 | 205 | b. Other rights. 206 | 207 | 1. Moral rights, such as the right of integrity, are not 208 | licensed under this Public License, nor are publicity, 209 | privacy, and/or other similar personality rights; however, to 210 | the extent possible, the Licensor waives and/or agrees not to 211 | assert any such rights held by the Licensor to the limited 212 | extent necessary to allow You to exercise the Licensed 213 | Rights, but not otherwise. 214 | 215 | 2. Patent and trademark rights are not licensed under this 216 | Public License. 217 | 218 | 3. To the extent possible, the Licensor waives any right to 219 | collect royalties from You for the exercise of the Licensed 220 | Rights, whether directly or through a collecting society 221 | under any voluntary or waivable statutory or compulsory 222 | licensing scheme. In all other cases the Licensor expressly 223 | reserves any right to collect such royalties. 224 | 225 | 226 | Section 3 -- License Conditions. 227 | 228 | Your exercise of the Licensed Rights is expressly made subject to the 229 | following conditions. 230 | 231 | a. Attribution. 232 | 233 | 1. If You Share the Licensed Material (including in modified 234 | form), You must: 235 | 236 | a. retain the following if it is supplied by the Licensor 237 | with the Licensed Material: 238 | 239 | i. identification of the creator(s) of the Licensed 240 | Material and any others designated to receive 241 | attribution, in any reasonable manner requested by 242 | the Licensor (including by pseudonym if 243 | designated); 244 | 245 | ii. a copyright notice; 246 | 247 | iii. a notice that refers to this Public License; 248 | 249 | iv. a notice that refers to the disclaimer of 250 | warranties; 251 | 252 | v. a URI or hyperlink to the Licensed Material to the 253 | extent reasonably practicable; 254 | 255 | b. indicate if You modified the Licensed Material and 256 | retain an indication of any previous modifications; and 257 | 258 | c. indicate the Licensed Material is licensed under this 259 | Public License, and include the text of, or the URI or 260 | hyperlink to, this Public License. 261 | 262 | 2. You may satisfy the conditions in Section 3(a)(1) in any 263 | reasonable manner based on the medium, means, and context in 264 | which You Share the Licensed Material. For example, it may be 265 | reasonable to satisfy the conditions by providing a URI or 266 | hyperlink to a resource that includes the required 267 | information. 268 | 269 | 3. If requested by the Licensor, You must remove any of the 270 | information required by Section 3(a)(1)(A) to the extent 271 | reasonably practicable. 272 | 273 | b. ShareAlike. 274 | 275 | In addition to the conditions in Section 3(a), if You Share 276 | Adapted Material You produce, the following conditions also apply. 277 | 278 | 1. The Adapter's License You apply must be a Creative Commons 279 | license with the same License Elements, this version or 280 | later, or a BY-SA Compatible License. 281 | 282 | 2. You must include the text of, or the URI or hyperlink to, the 283 | Adapter's License You apply. You may satisfy this condition 284 | in any reasonable manner based on the medium, means, and 285 | context in which You Share Adapted Material. 286 | 287 | 3. You may not offer or impose any additional or different terms 288 | or conditions on, or apply any Effective Technological 289 | Measures to, Adapted Material that restrict exercise of the 290 | rights granted under the Adapter's License You apply. 291 | 292 | 293 | Section 4 -- Sui Generis Database Rights. 294 | 295 | Where the Licensed Rights include Sui Generis Database Rights that 296 | apply to Your use of the Licensed Material: 297 | 298 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 299 | to extract, reuse, reproduce, and Share all or a substantial 300 | portion of the contents of the database; 301 | 302 | b. if You include all or a substantial portion of the database 303 | contents in a database in which You have Sui Generis Database 304 | Rights, then the database in which You have Sui Generis Database 305 | Rights (but not its individual contents) is Adapted Material, 306 | 307 | including for purposes of Section 3(b); and 308 | c. You must comply with the conditions in Section 3(a) if You Share 309 | all or a substantial portion of the contents of the database. 310 | 311 | For the avoidance of doubt, this Section 4 supplements and does not 312 | replace Your obligations under this Public License where the Licensed 313 | Rights include other Copyright and Similar Rights. 314 | 315 | 316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 317 | 318 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 319 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 320 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 321 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 322 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 323 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 324 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 325 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 326 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 327 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 328 | 329 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 330 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 331 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 332 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 333 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 334 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 335 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 336 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 337 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 338 | 339 | c. The disclaimer of warranties and limitation of liability provided 340 | above shall be interpreted in a manner that, to the extent 341 | possible, most closely approximates an absolute disclaimer and 342 | waiver of all liability. 343 | 344 | 345 | Section 6 -- Term and Termination. 346 | 347 | a. This Public License applies for the term of the Copyright and 348 | Similar Rights licensed here. However, if You fail to comply with 349 | this Public License, then Your rights under this Public License 350 | terminate automatically. 351 | 352 | b. Where Your right to use the Licensed Material has terminated under 353 | Section 6(a), it reinstates: 354 | 355 | 1. automatically as of the date the violation is cured, provided 356 | it is cured within 30 days of Your discovery of the 357 | violation; or 358 | 359 | 2. upon express reinstatement by the Licensor. 360 | 361 | For the avoidance of doubt, this Section 6(b) does not affect any 362 | right the Licensor may have to seek remedies for Your violations 363 | of this Public License. 364 | 365 | c. For the avoidance of doubt, the Licensor may also offer the 366 | Licensed Material under separate terms or conditions or stop 367 | distributing the Licensed Material at any time; however, doing so 368 | will not terminate this Public License. 369 | 370 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 371 | License. 372 | 373 | 374 | Section 7 -- Other Terms and Conditions. 375 | 376 | a. The Licensor shall not be bound by any additional or different 377 | terms or conditions communicated by You unless expressly agreed. 378 | 379 | b. Any arrangements, understandings, or agreements regarding the 380 | Licensed Material not stated herein are separate from and 381 | independent of the terms and conditions of this Public License. 382 | 383 | 384 | Section 8 -- Interpretation. 385 | 386 | a. For the avoidance of doubt, this Public License does not, and 387 | shall not be interpreted to, reduce, limit, restrict, or impose 388 | conditions on any use of the Licensed Material that could lawfully 389 | be made without permission under this Public License. 390 | 391 | b. To the extent possible, if any provision of this Public License is 392 | deemed unenforceable, it shall be automatically reformed to the 393 | minimum extent necessary to make it enforceable. If the provision 394 | cannot be reformed, it shall be severed from this Public License 395 | without affecting the enforceability of the remaining terms and 396 | conditions. 397 | 398 | c. No term or condition of this Public License will be waived and no 399 | failure to comply consented to unless expressly agreed to by the 400 | Licensor. 401 | 402 | d. Nothing in this Public License constitutes or may be interpreted 403 | as a limitation upon, or waiver of, any privileges and immunities 404 | that apply to the Licensor or You, including from the legal 405 | processes of any jurisdiction or authority. 406 | 407 | 408 | ======================================================================= 409 | 410 | Creative Commons is not a party to its public licenses. 411 | Notwithstanding, Creative Commons may elect to apply one of its public 412 | licenses to material it publishes and in those instances will be 413 | considered the “Licensor.” The text of the Creative Commons public 414 | licenses is dedicated to the public domain under the CC0 Public Domain 415 | Dedication. Except for the limited purpose of indicating that material 416 | is shared under a Creative Commons public license or as otherwise 417 | permitted by the Creative Commons policies published at 418 | creativecommons.org/policies, Creative Commons does not authorize the 419 | use of the trademark "Creative Commons" or any other trademark or logo 420 | of Creative Commons without its prior written consent including, 421 | without limitation, in connection with any unauthorized modifications 422 | to any of its public licenses or any other arrangements, 423 | understandings, or agreements concerning use of licensed material. For 424 | the avoidance of doubt, this paragraph does not form part of the public 425 | licenses. 426 | 427 | Creative Commons may be contacted at creativecommons.org. 428 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OWASP KSTG 2 | OWASP Kubernetes Security Testing Guide 3 | 4 | [![License: CC BY-SA 4.0](https://licensebuttons.net/l/by-sa/4.0/80x15.png)](https://creativecommons.org/licenses/by-sa/4.0/) 5 | 6 | ## Our Vision 7 | 8 | > Create a comprehensive manual for Kubernetes Cluster Security Assessment 9 | 10 | We are creating a comprehensive testing guide for Kubernetes cluster security assessment that covers a top down approach to assess the security of a cluster. The guide include methodology, tools, techniques and procedures (TTP) to execute an assessment that enables a tester to deliver consistent and complete results. 11 | 12 | ## OWASP Project 13 | 14 | https://owasp.org/www-project-kubernetes-security-testing-guide/ 15 | 16 | ## Building Book 17 | 18 | > A continuous build of the book is available in https://owasp-kstg.netlify.app/ 19 | 20 | [mdBook](https://github.com/rust-lang/mdBook) is required to build the book. 21 | 22 | ```bash 23 | cd mdbook && mdbook build 24 | ``` 25 | 26 | ## Contributors 27 | 28 | * [Madhu Akula](https://twitter.com/madhuakula) 29 | * [Abhisek Datta](https://twitter.com/abh1sek) 30 | 31 | -------------------------------------------------------------------------------- /mdbook/.gitignore: -------------------------------------------------------------------------------- 1 | book 2 | -------------------------------------------------------------------------------- /mdbook/book.toml: -------------------------------------------------------------------------------- 1 | [book] 2 | authors = ["Madhu Akula", "Abhisek Datta"] 3 | language = "en" 4 | multilingual = false 5 | src = "src" 6 | title = "Kubernetes Security Testing Guide" 7 | 8 | [output.html] 9 | additional-css = ["css/custom.css"] 10 | -------------------------------------------------------------------------------- /mdbook/css/custom.css: -------------------------------------------------------------------------------- 1 | table { 2 | width: 100% 3 | } 4 | -------------------------------------------------------------------------------- /mdbook/src/SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | - [Introduction](./introduction.md) 4 | - [Kubernetes Introduction](kubernetes/introduction.md) 5 | - [The Children's Illustrated Guide to Kubernetes](kubernetes/childrens-guide-to-kubernetes.md) 6 | - [High level overview of common resources](kubernetes/common-resources.md) 7 | - [Creating a playground with Katacoda](kubernetes/playground.md) 8 | - [Hands-on common use-cases](kubernetes/hands-on-usecases.md) 9 | - [Deploying an application using manifest](kubernetes/deploying-app-using-manifest.md) 10 | - [Threat Model](threat-model/introduction.md) 11 | - [Terminology](threat-model/terminology.md) 12 | - [Threat Actors](threat-model/actors.md) 13 | - [Trust Boundaries](threat-model/trust-boundaries.md) 14 | - [System Architecture](threat-model/system-architecture.md) 15 | - [Using the Threat Model](threat-model/how-to-use.md) 16 | - [Kubernetes Security Testing](security-testing/index.md) 17 | - [Discovery](security-testing/discovery/index.md) 18 | - [Fingerprinting Master Node](security-testing/discovery/fingerprint-master.md) 19 | - [Fingerprinting Worker Node](security-testing/discovery/fingerprint-worker.md) 20 | - [Cluster Exposed Service Discovery](security-testing/discovery/index.md) 21 | - [Authentication and Authorization Testing](security-testing/auth/index.md) 22 | - [Cluster Testing](security-testing/cluster/index.md) 23 | - [Container Testing](security-testing/container/index.md) 24 | - [Runtime Testing](security-testing/runtime/index.md) 25 | - [CIS Benchmark Audit for Kubernetes](cis-benchmark/kubernetes.md) 26 | - [CIS Benchmark Audit for Docker](cis-benchmark/docker.md) 27 | - [References & Resources](references-resources/readme.md) 28 | -------------------------------------------------------------------------------- /mdbook/src/assets/images/components-of-kubernetes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/assets/images/components-of-kubernetes.png -------------------------------------------------------------------------------- /mdbook/src/assets/images/simple-threat-model.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/assets/images/simple-threat-model.png -------------------------------------------------------------------------------- /mdbook/src/cis-benchmark/docker.md: -------------------------------------------------------------------------------- 1 | # CIS Benchmark Audit for Docker 2 | -------------------------------------------------------------------------------- /mdbook/src/cis-benchmark/kubernetes.md: -------------------------------------------------------------------------------- 1 | # CIS Benchmark Audit for Docker 2 | -------------------------------------------------------------------------------- /mdbook/src/introduction.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | The Kubernetes Security Testing Guide (KSTG) aims to be a comprehensive testing guide for Kubernetes cluster security assessment that covers a top down approach to assess the security of a cluster. The guide include methodology, tools, techniques and procedures (TTP) to execute an assessment that enables a tester to deliver consistent and complete results. 4 | 5 | While developed primarily for security testers, it can help DevSecOps Teams understand attacker Tactics, Techniques and Procedures (TTP) and design effective countermeasures. 6 | 7 | ## Reference 8 | 9 | * https://owasp.org/www-project-kubernetes-security-testing-guide/ 10 | -------------------------------------------------------------------------------- /mdbook/src/kubernetes/childrens-guide-to-kubernetes.md: -------------------------------------------------------------------------------- 1 | # The Children's Illustrated Guide to Kubernetes 2 | 3 | [![The Illustrated Children's Guide to Kubernetes](https://img.youtube.com/vi/4ht22ReBjno/0.jpg)](https://www.youtube.com/watch?v=4ht22ReBjno) 4 | 5 | source: [https://www.youtube.com/watch?v=4ht22ReBjno](https://www.youtube.com/watch?v=4ht22ReBjno) 6 | -------------------------------------------------------------------------------- /mdbook/src/kubernetes/common-resources.md: -------------------------------------------------------------------------------- 1 | # High level overview of common resources 2 | 3 | ![Kubernetes overview](images/kubernetes-overview.png) 4 | 5 | Image source: Khtan66 [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0"), [from Wikimedia Commons](https://commons.wikimedia.org/wiki/File:Kubernetes.png) 6 | 7 | - To work with Kubernetes, you use Kubernetes API objects to describe your cluster’s desired state 8 | - You set your desired state by creating objects using the Kubernetes API, typically via the command-line interface, `kubectl` 9 | - You can also use the Kubernetes API directly to interact with the cluster and set or modify your desired state 10 | - Kubernetes Control Plane works to make the cluster’s current state match the desired state 11 | - Kubernetes performs a variety of tasks automatically 12 | - such as starting or restarting containers 13 | - scaling the number of replicas of a given application 14 | - and a lot more 15 | 16 | ## Kubernetes Master 17 | 18 | The Kubernetes Master is a collection of three processes that run on a single node in your cluster, which is designated as the master node. Those processes are 19 | 20 | - [kube-apiserver](https://kubernetes.io/docs/admin/kube-apiserver/) 21 | - [kube-controller-manager](https://kubernetes.io/docs/admin/kube-controller-manager/) 22 | - [kube-scheduler](https://kubernetes.io/docs/admin/kube-scheduler/) 23 | 24 | ## Kubernetes Node 25 | 26 | Each individual non-master node in your cluster runs two processes: 27 | 28 | - [kubelet](https://kubernetes.io/docs/admin/kubelet/), which communicates with the Kubernetes Master 29 | - [kube-proxy](https://kubernetes.io/docs/admin/kube-proxy/), a network proxy which reflects Kubernetes networking services on each node 30 | 31 | ## Kubernetes Objects 32 | 33 | Kubernetes contains a number of abstractions that represent the state of your system. These abstractions are represented by objects in the Kubernetes API; see the [Kubernetes Objects overview](https://kubernetes.io/docs/concepts/abstractions/overview/) for more details. 34 | 35 | ### Basic Objects 36 | 37 | The basic Kubernetes objects include: 38 | 39 | - [Pod](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) 40 | - [Service](https://kubernetes.io/docs/concepts/services-networking/service/) 41 | - [Volume](https://kubernetes.io/docs/concepts/storage/volumes/) 42 | - [Namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) 43 | 44 | ### Higher Level Abstractions 45 | 46 | In addition, Kubernetes contains a number of higher-level abstractions called Controllers. Controllers build upon the basic objects, and provide additional functionality and convenience features. They include 47 | 48 | - [ReplicaSet](https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/) 49 | - [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) 50 | - [StatefulSet](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) 51 | - [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) 52 | - [Job](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) 53 | -------------------------------------------------------------------------------- /mdbook/src/kubernetes/deploying-app-using-manifest.md: -------------------------------------------------------------------------------- 1 | # Deploying simple application in Kubernetes Cluster using YAML 2 | 3 | * To create a basic nginx deployment with 2 replicas, save this file as `nginx-deployment.yaml` using your text editor 4 | 5 | ```yaml 6 | apiVersion: apps/v1 7 | kind: Deployment 8 | metadata: 9 | name: nginx-deployment 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: nginx 14 | replicas: 2 15 | template: 16 | metadata: 17 | labels: 18 | app: nginx 19 | spec: 20 | containers: 21 | - name: nginx 22 | image: nginx:1.7.9 23 | ports: 24 | - containerPort: 80 25 | ``` 26 | 27 | * Run the apply command to perform the changes in cluster 28 | 29 | ```bash 30 | kubectl apply -f nginx-deployment.yaml 31 | ``` 32 | 33 | * Get the pods related to this deployment 34 | 35 | ```bash 36 | kubectl get pods --selector app=nginx 37 | ``` 38 | 39 | ![](images/deploy-app-get-pods.png) 40 | 41 | * Update the deployment file with `replicas` to 3 in `nginx-deployment.yaml` using your text editor 42 | 43 | ```yaml 44 | ... 45 | replicas: 3 46 | ... 47 | ``` 48 | 49 | * Apply the changes 50 | 51 | ```bash 52 | kubectl apply -f nginx-deployment.yaml 53 | kubectl get pods --selector app=nginx 54 | ``` 55 | 56 | ![](images/update-deployment.png) 57 | 58 | * Expose a service within the cluster 59 | * Create a file `nginx-service.yml` with the following content 60 | 61 | ```yaml 62 | apiVersion: v1 63 | kind: Service 64 | metadata: 65 | name: nginx-deployment 66 | spec: 67 | ports: 68 | - port: 80 69 | protocol: TCP 70 | targetPort: 80 71 | selector: 72 | app: nginx 73 | type: ClusterIP 74 | ``` 75 | 76 | * Create the service in the cluster 77 | 78 | ```bash 79 | kubectl apply -f nginx-service.yml 80 | ``` 81 | 82 | * Start a `port-foward` to access in-cluster service 83 | 84 | ```bash 85 | kubectl port-forward svc/nginx-deployment 8888:80 86 | ``` 87 | 88 | * From another terminal, access the service through the port forward 89 | 90 | ```bash 91 | curl http://localhost:8888/ 92 | ``` 93 | 94 | * Delete the deployment 95 | 96 | ```bash 97 | kubectl delete -f nginx-deployment.yaml 98 | ``` 99 | 100 | ![](images/delete-deploy.png) 101 | 102 | * Delete the service 103 | 104 | ```bash 105 | kubectl delete -f nginx-service.yml 106 | ``` 107 | 108 | ### References 109 | 110 | * [https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/](https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/) 111 | -------------------------------------------------------------------------------- /mdbook/src/kubernetes/hands-on-usecases.md: -------------------------------------------------------------------------------- 1 | # Hands-on common use-cases 2 | 3 | ## Getting started with `kubectl` CLI 4 | 5 | `kubectl` is a command line interface for running commands against Kubernetes clusters. `kubectl` is pronounced as `cube c t l`. Watch this talk for [The definitive pronunciation guide](https://www.youtube.com/watch?v=2wgAIvXpJqU) :) 6 | 7 | - Getting the kubernetes cluster information 8 | 9 | ```bash 10 | kubectl cluster-info 11 | ``` 12 | 13 | ![kubectl cluter info](images/kubectl-cluster-info.png) 14 | 15 | - Get information from nodes, pods, svc(services), ing(ingress), ns(namespace), deploy(deployments) 16 | 17 | ```bash 18 | kubectl get nodes 19 | kubectl get pods 20 | ``` 21 | 22 | ```bash 23 | kubectl get services 24 | ``` 25 | 26 | Bunch of these commands can use shortcuts. For example the rest of the commands are using their shortcuts. 27 | 28 | ```bash 29 | kubectl get svc 30 | kubectl get ing 31 | kubectl get ns 32 | kubectl get deploy 33 | ``` 34 | 35 | ![](images/kubectl-pods.png) 36 | 37 | - Getting more information 38 | 39 | ```bash 40 | kubectl get nodes -o wide 41 | kubectl get pods -o wide 42 | kubectl get svc -o wide 43 | kubectl get deploy -o wide 44 | ``` 45 | 46 | ![](images/kubectl-pods-wide.png) 47 | 48 | - Getting detailed information 49 | 50 | ```bash 51 | kubectl describe node 52 | kubectl describe pod 53 | kubectl describe svc 54 | kubectl describe ing 55 | kubectl describe ns 56 | kubectl describe deploy 57 | ``` 58 | 59 | ![](images/kubectl-describe-pod.png) 60 | 61 | - Detailed help for the sub command 62 | 63 | ```bash 64 | kubectl explain pod 65 | ``` 66 | 67 | ![](images/kubectl-explain.png) 68 | 69 | - Creating deployment using command line 70 | 71 | ```bash 72 | kubectl run nginxdeployment --image=nginx:alpine 73 | ``` 74 | 75 | - Port forward the pod to local system 76 | 77 | ```bash 78 | kubectl port-forward 1234:80 79 | ``` 80 | 81 | ![](images/kubectl-deploy-portfwd.png) 82 | 83 | ![](images/nginx-site.png) 84 | 85 | - Deleting pod 86 | 87 | ```bash 88 | kubectl delete pod 89 | kubectl delete deploy 90 | kubectl delete svc 91 | kubectl delete ing 92 | kubectl delete ns 93 | ``` 94 | 95 | ![](images/kubectl-delete-pod.png) 96 | 97 | - Shell into the pod 98 | 99 | ```bash 100 | kubectl exec -it sh 101 | ``` 102 | 103 | ![](images/kubectl-exec.png) 104 | 105 | - Looking for logs (stdout & stderr) 106 | 107 | ```bash 108 | kubectl logs 109 | kubectl logs -f 110 | ``` 111 | 112 | ![](images/kubectl-logs.png) 113 | 114 | - Combining multiple commands 115 | 116 | ```bash 117 | kubectl get pods,svc 118 | ``` 119 | 120 | ![](images/kubectl-combined.png) 121 | 122 | - Specifying with different namepsace 123 | 124 | ```bash 125 | kubectl get pods -n database 126 | ``` 127 | 128 | ![](images/kubectl-namespace.png) 129 | 130 | - Listing the API resources avialble 131 | 132 | ```bash 133 | kubectl api-resources 134 | ``` 135 | 136 | - Checking for the permission to do 137 | 138 | ```bash 139 | kubectl auth can-i create pods 140 | ``` 141 | 142 | ![](images/kubectl-auth-can-i.png) 143 | 144 | - Getting output in YAML format 145 | 146 | ```bash 147 | kubectl get secrets -o yaml 148 | ``` 149 | 150 | ![](images/kubectl-get-secret-yaml.png) 151 | 152 | ### References 153 | 154 | - [kubectl Cheat Sheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/) 155 | - [Kubernetes CheatSheets In A4](https://github.com/dennyzhang/cheatsheet-kubernetes-A4) 156 | 157 | -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/delete-deploy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/delete-deploy.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/deploy-app-get-pods.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/deploy-app-get-pods.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-auth-can-i.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-auth-can-i.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-cluster-info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-cluster-info.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-combined.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-combined.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-delete-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-delete-pod.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-deploy-portfwd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-deploy-portfwd.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-describe-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-describe-pod.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-exec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-exec.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-explain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-explain.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-get-secret-yaml.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-get-secret-yaml.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-logs.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-namespace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-namespace.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-pods-wide.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-pods-wide.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubectl-pods.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubectl-pods.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/kubernetes-overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/kubernetes-overview.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/nginx-site.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/nginx-site.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/images/update-deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/kstg/5c79461b37798f85bb70380f80e611dd235d1220/mdbook/src/kubernetes/images/update-deployment.png -------------------------------------------------------------------------------- /mdbook/src/kubernetes/introduction.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Introduction 2 | 3 | ## Why Kubernetes 4 | 5 | A lot of developers have moved or are moving from a traditional world to a container based ecosystem. This allows developers to package their application code, dependencies and required libraries in a simple container and use it anywhere wherever there is a container runtime available. 6 | 7 | > An example of a container runtime is Docker 8 | 9 | At a minimum, Kubernetes can schedule and run application containers on clusters of physical or virtual machines. However, Kubernetes also allows developers to ‘cut the cord’ to physical and virtual machines, moving from a host-centric infrastructure to a container-centric infrastructure. 10 | 11 | This approach provides the full advantages and benefits inherent to containers. Kubernetes provides the infrastructure to build a truly container centric development environment. This is the primary reason developers love it. 12 | 13 | ## What is Kubernetes 14 | 15 | With Kubernetes, you are able to quickly and efficiently respond to customer demand 16 | 17 | - Deploy your applications quickly and predictably 18 | - Scale your applications on the fly 19 | - Roll out new features seamlessly 20 | - Limit hardware usage to required resources only 21 | - Our goal is to foster an ecosystem of components and tools that relieve the burden of running applications in public and private clouds 22 | 23 | > According to Brian Grant [Kubernetes is an open-source platform designed to automate deploying, scaling, and operating application containers](http://www.slideshare.net/BrianGrant11/wso2con-us-2015-kubernetes-a-platform-for-automating-deployment-scaling-and-operations). 24 | 25 | Kubernetes is 26 | 27 | - **Portable**: public, private, hybrid, multi-cloud 28 | - **Extensible**: modular, pluggable, hookable, composable 29 | - **Self-healing**: auto-placement, auto-restart, auto-replication, auto-scaling 30 | 31 | > Google started the Kubernetes project in 2014. Kubernetes builds upon a [decade and a half of experience that Google has with running production workloads at scale](https://research.google.com/pubs/pub43438.html), combined with best-of-breed ideas and practices from the community. 32 | 33 | ### Additional references for further reading 34 | 35 | - [https://aucouranton.com/2014/06/13/linux-containers-parallels-lxc-openvz-docker-and-more/](https://aucouranton.com/2014/06/13/linux-containers-parallels-lxc-openvz-docker-and-more/) 36 | - [https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/](https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/) 37 | -------------------------------------------------------------------------------- /mdbook/src/kubernetes/playground.md: -------------------------------------------------------------------------------- 1 | # Creating a Kubernetes playground with Katacoda 2 | 3 | We will get started by following the `Kubernetes Basics` from the official documentation which is hosted at [Kubernetes.io](https://kubernetes.io) 4 | 5 | This tutorial provides a walk through of the basics of the Kubernetes cluster orchestration system. 6 | 7 | Each module contains some background information on major Kubernetes features and concepts and includes an **interactive online tutorial**. This is great for practicing the basics. Did we mention that this is available to all without any charges so you can practice it whenever you feel like it? 8 | 9 | These interactive tutorials let you manage a simple cluster and its containerized applications for yourself. 10 | 11 | ## Creating a Cluster 12 | 13 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/create-cluster/cluster-interactive/) 14 | 15 | ## Deploying an App 16 | 17 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/) 18 | 19 | ## Exploring Your App 20 | 21 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/explore/explore-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/explore/explore-interactive/) 22 | 23 | ## Exposing Your App 24 | 25 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-interactive/) 26 | 27 | ## Scaling Your App 28 | 29 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/scale/scale-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/scale/scale-interactive/) 30 | 31 | ## Updating Your App 32 | 33 | - [https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-interactive/](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-interactive/) 34 | -------------------------------------------------------------------------------- /mdbook/src/references-resources/readme.md: -------------------------------------------------------------------------------- 1 | # References & Resources 2 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/auth/index.md: -------------------------------------------------------------------------------- 1 | # Authentication and Authorization 2 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/cluster/index.md: -------------------------------------------------------------------------------- 1 | # Cluster Testing 2 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/container/index.md: -------------------------------------------------------------------------------- 1 | # Container Testing 2 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/discovery/fingerprint-master.md: -------------------------------------------------------------------------------- 1 | # Fingerprinting Master Node 2 | 3 | The Kubernetes `kube-apiserver` exposes a REST API interface for cluster administrators to manage the cluster. This API server has distinct fingerprint, available to an unauthenticated user using which it is possible to fingerprint an API server. 4 | 5 | ## Version Endpoint 6 | 7 | | Threat Model Attribute | Value | 8 | |:---------------------- |:---------------------- | 9 | | Attacker Position | External | 10 | | Threat | Information Disclosure | 11 | 12 | The Kubernetes API server exposes a version endpoint to unauthenticated user using which it is possible to fingerprint the version of Kubernetes API server. 13 | 14 | ```bash 15 | curl -sk https://$API_HOST:$API_PORT/version 16 | ``` 17 | 18 | Produces output (example) 19 | 20 | ```json 21 | { 22 | "major": "1", 23 | "minor": "18", 24 | "gitVersion": "v1.18.2", 25 | "gitCommit": "52c56ce7a8272c798dbc29846288d7cd9fbae032", 26 | "gitTreeState": "clean", 27 | "buildDate": "2020-04-30T20:19:45Z", 28 | "goVersion": "go1.13.9", 29 | "compiler": "gc", 30 | "platform": "linux/amd64" 31 | } 32 | ``` 33 | 34 | A security tester can infer that the target is running `kube-apiserver` version `v1.18.2` based on the above JSON response from the API server. 35 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/discovery/fingerprint-worker.md: -------------------------------------------------------------------------------- 1 | # Fingerprinting Worker Node 2 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/discovery/index.md: -------------------------------------------------------------------------------- 1 | # Discovery 2 | 3 | The *discovery* section cover various techniques and procedures for discovering various components of a Kubernetes cluster. This primarily involves 4 | 5 | 1. Ability to discover master node(s) 6 | 2. Ability to discover worker node(s) 7 | 8 | ## Network Discovery 9 | 10 | Common ports for master node discovery 11 | 12 | | Port | Protocol | Service | 13 | | :-------------- | :------- | :-------------------------------------------------------------- | 14 | | 443, 6443, 8443 | TCP | Kubernetes API Server (`kube-apiserver`) | 15 | | 8080 | TCP | Kubernetes API Server insecure port (Listens on localhost only) | 16 | | 2379, 2380 | TCP | etcd server | 17 | 18 | Common ports for worker node discovery 19 | 20 | | Port | Protocol | Service | 21 | | :---------- | :------- | :------------------------------------ | 22 | | 10250 | TCP | Kubelet | 23 | | 10255 | TCP | Kubelet read-only port | 24 | | 30000-32767 | TCP | nodePort service port range (default) | 25 | 26 | Given the above network services information, Kubernetes master or worker nodes can be discovered by scanning a network CIDR for ports, for example: 27 | 28 | To discover master nodes 29 | 30 | ```bash 31 | nmap -Pn -sS -sV -p 443,6443,8443,8080,2379,2380 $CIDR 32 | ``` 33 | 34 | To discover worker nodes 35 | 36 | ```bash 37 | nmap -Pn -sS -sV -p 10250,10255 $CIDR 38 | ``` 39 | 40 | To discover `nodePort` exposed services 41 | 42 | ```bash 43 | nmap -Pn -sS -sV -p 30000-32767 $CIDR 44 | ``` 45 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/index.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Security Testing 2 | -------------------------------------------------------------------------------- /mdbook/src/security-testing/runtime/index.md: -------------------------------------------------------------------------------- 1 | # Runtime Testing 2 | -------------------------------------------------------------------------------- /mdbook/src/threat-model/actors.md: -------------------------------------------------------------------------------- 1 | # Threat Actors 2 | 3 | | Actor | Description | 4 | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | 5 | | External Attacker | An attacker who is external to the cluster and is unauthenticated | 6 | | Internal Attacker | An attacker who has some access in the cluster, such as an attacker with container access (Attacker in a Pod) | 7 | | Malicious Internal User | A user, such as administrator or developer, who uses their privileged position maliciously against the system, or stolen credentials used for the same. | 8 | | Administrator | An actual administrator of the system, tasked with operating and maintaining the cluster as a whole | 9 | | Developer | An application developer, who is deploying application to a cluster, either directly or through another user such as administrator | 10 | | End User | An external user of an application hosted by a cluster | 11 | 12 | We will primarily focus on two type of threat actors in *Kubernetes Security Testing Guide (KSTG)*, however we will refer to other threat actors as required. 13 | 14 | 1. External Attacker 15 | 2. Internal Attacker (Attacker in a Pod) 16 | 17 | ## Reference 18 | 19 | * https://github.com/kubernetes/community/blob/master/wg-security-audit/ 20 | -------------------------------------------------------------------------------- /mdbook/src/threat-model/how-to-use.md: -------------------------------------------------------------------------------- 1 | # Using the Threat Model 2 | 3 | A simplistic and reduced threat model is provided in this guide. The purpose is to enable a tester to determine which all tests are relevant depending of the context and scope of testing. For example, a *Blackbox Assessment* where no credential is available to the tester will not include any tests that require container level access in the cluster till valid credentials are obtained or provided. 4 | 5 | Following points must be consider while using a test case provided in this document 6 | 7 | * Each test case will be labelled with *attacker position* 8 | * Each test case will be labelled with *trust boundary* that the test affects or breaches 9 | * Tester must consider test cases based on level of access and *attacker position* label 10 | * Tester must consider test cases based on scope of testing and *trust boundary* label 11 | 12 | For example, given a test where 13 | 14 | * No cluster access is provided 15 | 16 | Any test that is labelled as `External Attacker` will be feasible for the tester. 17 | -------------------------------------------------------------------------------- /mdbook/src/threat-model/introduction.md: -------------------------------------------------------------------------------- 1 | # Threat Modelling 2 | 3 | > Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. 4 | 5 | Kubernetes is a complex, distributed system with multiple components. In order to perform an effective security testing, it is important to understand how different components interacts with each other and answer questions such as 6 | 7 | 1. Who are the attackers? 8 | 2. What can they attack? 9 | 3. How can they attack? 10 | 11 | We will present a high-level threat model in this document, which in turn will drive the different chapters in this document. The objective is to allow a tester to chose what is applicable and what is not based on the threat model and the level of access available to the tester. 12 | 13 | A simple threat model is presented below as an example. The intention is to get testers started with thinking in terms of a threat model. The threat model is further expanded in subsequent chapters. 14 | 15 | ![Simple Threat Model](../assets/images/simple-threat-model.png) 16 | 17 | A detailed threat model is already developed as part of a [security audit](https://github.com/kubernetes/community/tree/master/wg-security-audit) conducted by [Trail of Bits](https://www.trailofbits.com/) along with [Kubernetes Security Audit Working Group](https://github.com/kubernetes/community/tree/master/wg-security-audit). We refer to this threat model as required to conduct an effective security testing of a Kubernetes cluster. 18 | 19 | ## References 20 | 21 | * https://github.com/kubernetes/community/tree/master/wg-security-audit 22 | * https://owasp.org/www-community/Application_Threat_Modeling 23 | * https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html 24 | -------------------------------------------------------------------------------- /mdbook/src/threat-model/system-architecture.md: -------------------------------------------------------------------------------- 1 | # System Architecture 2 | 3 | The diagram below gives the high-level system architecture of Kubernetes 4 | 5 | ![Kubernetes Architecture](../assets/images/components-of-kubernetes.png) 6 | 7 | ## kube-apiserver 8 | 9 | TBD 10 | 11 | ## kube-controller-manager 12 | 13 | TBD 14 | 15 | ## kube-scheduler 16 | 17 | TBD 18 | 19 | ## etcd 20 | 21 | TBD 22 | 23 | ## kubelet 24 | 25 | TBD 26 | 27 | ## kube-proxy 28 | 29 | TBD 30 | 31 | ## Other 32 | 33 | ### Container Network Interface (CNI) 34 | 35 | TBD 36 | 37 | ### Container Runtime Interface (CRI) 38 | 39 | TBD 40 | -------------------------------------------------------------------------------- /mdbook/src/threat-model/terminology.md: -------------------------------------------------------------------------------- 1 | # Terminology 2 | 3 | TBD - Use OWASP Threat Modeling terminology. 4 | -------------------------------------------------------------------------------- /mdbook/src/threat-model/trust-boundaries.md: -------------------------------------------------------------------------------- 1 | # Trust Boundaries 2 | 3 | *Trust Boundary* or *Zone* segregates different components in a *Data Flow Diagram* based on sensitivity and level of access to critical assets in the system. The [Kubernetes Threat Model](https://github.com/kubernetes/community/raw/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf) by [Security Audit Working Group](https://github.com/kubernetes/community/raw/master/wg-security-audit/) defines the following trust boundaries which we will refer in the testing methodology 4 | 5 | | Zone | Description | 6 | | ----------------- | ---------------------------------------------------------------------------------------------------- | 7 | | Internet | The externally facing, wider internet zone | 8 | | API Server | The master component, usually exposed to cluster users, needed for interaction with `kubectl` | 9 | | Master Components | Internal components of the master node that works via. callbacks and subscriptions to the API Server | 10 | | Master Data | The master data layer that stores the cluster state. Example: `etcd` | 11 | | Worker | The worker components that is required to add a node in the cluster and to run containers | 12 | | Container | The containers being orchestrated by the cluster | 13 | -------------------------------------------------------------------------------- /netlify.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | command = "curl -L https://github.com/rust-lang/mdBook/releases/download/v0.3.7/mdbook-v0.3.7-x86_64-unknown-linux-gnu.tar.gz | tar xvz -C /tmp/ && cd mdbook && /tmp/mdbook build" 3 | publish = "mdbook/book" 4 | --------------------------------------------------------------------------------