├── .github ├── CODEOWNERS └── workflows │ └── ci-build-clusters.yml ├── Dockerfiles ├── customkindv1.19.16.dockerfile ├── customkindv1.20.15.dockerfile ├── customkindv1.21.14.dockerfile ├── customkindv1.30.0.dockerfile └── files │ └── helm ├── README.md ├── Scenario Setups ├── Unauthenticated-Kubernetes-Dashboard.md ├── etcd.md ├── insecureport.md ├── rwkubelet.md ├── ssh-to-cluster-admin.md ├── ssh-to-create-pod-easy.md ├── ssh-to-create-pod-hard.md ├── ssh-to-create-pod-multi-node.md ├── ssh-to-get-secrets.md ├── ssrf-to-insecure-port.md ├── tiller.md └── unauth-api-server.md ├── Scenario Walkthroughs ├── Unauthenticated-Kubernetes-Dashboard.md ├── etcd.md ├── insecureport.md ├── rwkubelet.md ├── ssh-to-cluster-admin.md ├── ssh-to-create-pod-easy.md ├── ssh-to-create-pod-hard.md ├── ssh-to-create-pod-multi-node.md ├── ssh-to-get-secrets.md ├── ssrf-to-insecure-port.md ├── tiller.md └── unauth-api-server.md ├── ansible_tasks ├── create_cluster_admin_service_account.yaml ├── install_helm.yml ├── install_python3_alpine_raw.yml ├── install_python3_raw.yml ├── make_default_service_account_cluster_admin.yaml ├── print_cluster_ip.yml ├── setup_helm.yml ├── setup_kind_custom_config.yaml ├── setup_kind_standard_config.yaml ├── setup_kubeconfig.yml ├── setup_old_kind_custom_config.yaml ├── setup_ssh_pod.yml └── setup_ssrf_pod.yml ├── attacker_manifests ├── key-dumper-pod.yml ├── ncat-reverse-shell-pod.yml ├── nodedaemon.yml ├── noderoot.yml └── privpod.yml ├── client-machine.yml ├── client_files ├── clientbashrc └── democlientbashrc ├── demo-client-machine.yml ├── demo-cluster.yml ├── etcd-noauth.yml ├── get-random-scenario.sh ├── helm └── helm-rbac-config.yml ├── insecure-port.yml ├── install_ansible_ubuntu.sh ├── kind └── kind ├── kubeadm_configs ├── demo.yml ├── etcd-noauth.yml ├── insecureport.yml ├── kube-dashboard.yml ├── localinsecureport.yml ├── multi-node-cluster.yml ├── rokubelet.yml └── rwkubelet.yml ├── manifests ├── daemonset-creator.yml ├── kubernetes-dashboard-demo.yaml ├── kubernetes-dashboard.yaml ├── ncat-reverse-shell-pod.yml ├── pod-creator.yml ├── pod-manager.yml ├── secret-reader.yml ├── sshserver.yml └── ssrfdeployment.yml ├── rokubelet.yml ├── rwkubelet-noauth.yml ├── ssh-to-cluster-admin.yml ├── ssh-to-create-daemonsets-hard.yml ├── ssh-to-create-pods-easy.yml ├── ssh-to-create-pods-hard.yml ├── ssh-to-create-pods-multi-node.yml ├── ssh-to-get-secrets.yml ├── ssrf-to-insecure-port.yml ├── test.yml ├── tiller-noauth.yml ├── unauth-api-server.yml └── unauth-kubernetes-dashboard.yml /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @raesene -------------------------------------------------------------------------------- /.github/workflows/ci-build-clusters.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/.github/workflows/ci-build-clusters.yml -------------------------------------------------------------------------------- /Dockerfiles/customkindv1.19.16.dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Dockerfiles/customkindv1.19.16.dockerfile -------------------------------------------------------------------------------- /Dockerfiles/customkindv1.20.15.dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Dockerfiles/customkindv1.20.15.dockerfile -------------------------------------------------------------------------------- /Dockerfiles/customkindv1.21.14.dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Dockerfiles/customkindv1.21.14.dockerfile -------------------------------------------------------------------------------- /Dockerfiles/customkindv1.30.0.dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Dockerfiles/customkindv1.30.0.dockerfile -------------------------------------------------------------------------------- /Dockerfiles/files/helm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Dockerfiles/files/helm -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/README.md -------------------------------------------------------------------------------- /Scenario Setups/Unauthenticated-Kubernetes-Dashboard.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/Unauthenticated-Kubernetes-Dashboard.md -------------------------------------------------------------------------------- /Scenario Setups/etcd.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/etcd.md -------------------------------------------------------------------------------- /Scenario Setups/insecureport.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/insecureport.md -------------------------------------------------------------------------------- /Scenario Setups/rwkubelet.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/rwkubelet.md -------------------------------------------------------------------------------- /Scenario Setups/ssh-to-cluster-admin.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/ssh-to-cluster-admin.md -------------------------------------------------------------------------------- /Scenario Setups/ssh-to-create-pod-easy.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/ssh-to-create-pod-easy.md -------------------------------------------------------------------------------- /Scenario Setups/ssh-to-create-pod-hard.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/ssh-to-create-pod-hard.md -------------------------------------------------------------------------------- /Scenario Setups/ssh-to-create-pod-multi-node.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/ssh-to-create-pod-multi-node.md -------------------------------------------------------------------------------- /Scenario Setups/ssh-to-get-secrets.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/ssh-to-get-secrets.md -------------------------------------------------------------------------------- /Scenario Setups/ssrf-to-insecure-port.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/ssrf-to-insecure-port.md -------------------------------------------------------------------------------- /Scenario Setups/tiller.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/tiller.md -------------------------------------------------------------------------------- /Scenario Setups/unauth-api-server.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Setups/unauth-api-server.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/Unauthenticated-Kubernetes-Dashboard.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/Unauthenticated-Kubernetes-Dashboard.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/etcd.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/etcd.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/insecureport.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/insecureport.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/rwkubelet.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/rwkubelet.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/ssh-to-cluster-admin.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/ssh-to-cluster-admin.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/ssh-to-create-pod-easy.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/ssh-to-create-pod-easy.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/ssh-to-create-pod-hard.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/ssh-to-create-pod-hard.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/ssh-to-create-pod-multi-node.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/ssh-to-create-pod-multi-node.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/ssh-to-get-secrets.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/ssh-to-get-secrets.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/ssrf-to-insecure-port.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/ssrf-to-insecure-port.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/tiller.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/tiller.md -------------------------------------------------------------------------------- /Scenario Walkthroughs/unauth-api-server.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/Scenario Walkthroughs/unauth-api-server.md -------------------------------------------------------------------------------- /ansible_tasks/create_cluster_admin_service_account.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/create_cluster_admin_service_account.yaml -------------------------------------------------------------------------------- /ansible_tasks/install_helm.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/install_helm.yml -------------------------------------------------------------------------------- /ansible_tasks/install_python3_alpine_raw.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/install_python3_alpine_raw.yml -------------------------------------------------------------------------------- /ansible_tasks/install_python3_raw.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/install_python3_raw.yml -------------------------------------------------------------------------------- /ansible_tasks/make_default_service_account_cluster_admin.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/make_default_service_account_cluster_admin.yaml -------------------------------------------------------------------------------- /ansible_tasks/print_cluster_ip.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/print_cluster_ip.yml -------------------------------------------------------------------------------- /ansible_tasks/setup_helm.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_helm.yml -------------------------------------------------------------------------------- /ansible_tasks/setup_kind_custom_config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_kind_custom_config.yaml -------------------------------------------------------------------------------- /ansible_tasks/setup_kind_standard_config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_kind_standard_config.yaml -------------------------------------------------------------------------------- /ansible_tasks/setup_kubeconfig.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_kubeconfig.yml -------------------------------------------------------------------------------- /ansible_tasks/setup_old_kind_custom_config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_old_kind_custom_config.yaml -------------------------------------------------------------------------------- /ansible_tasks/setup_ssh_pod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_ssh_pod.yml -------------------------------------------------------------------------------- /ansible_tasks/setup_ssrf_pod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ansible_tasks/setup_ssrf_pod.yml -------------------------------------------------------------------------------- /attacker_manifests/key-dumper-pod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/attacker_manifests/key-dumper-pod.yml -------------------------------------------------------------------------------- /attacker_manifests/ncat-reverse-shell-pod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/attacker_manifests/ncat-reverse-shell-pod.yml -------------------------------------------------------------------------------- /attacker_manifests/nodedaemon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/attacker_manifests/nodedaemon.yml -------------------------------------------------------------------------------- /attacker_manifests/noderoot.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/attacker_manifests/noderoot.yml -------------------------------------------------------------------------------- /attacker_manifests/privpod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/attacker_manifests/privpod.yml -------------------------------------------------------------------------------- /client-machine.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/client-machine.yml -------------------------------------------------------------------------------- /client_files/clientbashrc: -------------------------------------------------------------------------------- 1 | PS1="lab-client> " -------------------------------------------------------------------------------- /client_files/democlientbashrc: -------------------------------------------------------------------------------- 1 | PS1="demo-client> " -------------------------------------------------------------------------------- /demo-client-machine.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/demo-client-machine.yml -------------------------------------------------------------------------------- /demo-cluster.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/demo-cluster.yml -------------------------------------------------------------------------------- /etcd-noauth.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/etcd-noauth.yml -------------------------------------------------------------------------------- /get-random-scenario.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/get-random-scenario.sh -------------------------------------------------------------------------------- /helm/helm-rbac-config.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/helm/helm-rbac-config.yml -------------------------------------------------------------------------------- /insecure-port.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/insecure-port.yml -------------------------------------------------------------------------------- /install_ansible_ubuntu.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/install_ansible_ubuntu.sh -------------------------------------------------------------------------------- /kind/kind: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kind/kind -------------------------------------------------------------------------------- /kubeadm_configs/demo.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/demo.yml -------------------------------------------------------------------------------- /kubeadm_configs/etcd-noauth.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/etcd-noauth.yml -------------------------------------------------------------------------------- /kubeadm_configs/insecureport.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/insecureport.yml -------------------------------------------------------------------------------- /kubeadm_configs/kube-dashboard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/kube-dashboard.yml -------------------------------------------------------------------------------- /kubeadm_configs/localinsecureport.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/localinsecureport.yml -------------------------------------------------------------------------------- /kubeadm_configs/multi-node-cluster.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/multi-node-cluster.yml -------------------------------------------------------------------------------- /kubeadm_configs/rokubelet.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/rokubelet.yml -------------------------------------------------------------------------------- /kubeadm_configs/rwkubelet.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/kubeadm_configs/rwkubelet.yml -------------------------------------------------------------------------------- /manifests/daemonset-creator.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/daemonset-creator.yml -------------------------------------------------------------------------------- /manifests/kubernetes-dashboard-demo.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/kubernetes-dashboard-demo.yaml -------------------------------------------------------------------------------- /manifests/kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/kubernetes-dashboard.yaml -------------------------------------------------------------------------------- /manifests/ncat-reverse-shell-pod.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/ncat-reverse-shell-pod.yml -------------------------------------------------------------------------------- /manifests/pod-creator.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/pod-creator.yml -------------------------------------------------------------------------------- /manifests/pod-manager.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/pod-manager.yml -------------------------------------------------------------------------------- /manifests/secret-reader.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/secret-reader.yml -------------------------------------------------------------------------------- /manifests/sshserver.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/sshserver.yml -------------------------------------------------------------------------------- /manifests/ssrfdeployment.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/manifests/ssrfdeployment.yml -------------------------------------------------------------------------------- /rokubelet.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/rokubelet.yml -------------------------------------------------------------------------------- /rwkubelet-noauth.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/rwkubelet-noauth.yml -------------------------------------------------------------------------------- /ssh-to-cluster-admin.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssh-to-cluster-admin.yml -------------------------------------------------------------------------------- /ssh-to-create-daemonsets-hard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssh-to-create-daemonsets-hard.yml -------------------------------------------------------------------------------- /ssh-to-create-pods-easy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssh-to-create-pods-easy.yml -------------------------------------------------------------------------------- /ssh-to-create-pods-hard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssh-to-create-pods-hard.yml -------------------------------------------------------------------------------- /ssh-to-create-pods-multi-node.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssh-to-create-pods-multi-node.yml -------------------------------------------------------------------------------- /ssh-to-get-secrets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssh-to-get-secrets.yml -------------------------------------------------------------------------------- /ssrf-to-insecure-port.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/ssrf-to-insecure-port.yml -------------------------------------------------------------------------------- /test.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/test.yml -------------------------------------------------------------------------------- /tiller-noauth.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/tiller-noauth.yml -------------------------------------------------------------------------------- /unauth-api-server.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/unauth-api-server.yml -------------------------------------------------------------------------------- /unauth-kubernetes-dashboard.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raesene/kube_security_lab/HEAD/unauth-kubernetes-dashboard.yml --------------------------------------------------------------------------------