├── .gitignore
├── DEMOFLOW.md
├── README.md
├── demo_yamls
    ├── etcdclient.yaml
    ├── nonroot_nonpriv.yaml
    ├── nonroot_nonpriv_restricted.yaml
    ├── nonroot_priv.yaml
    ├── root_pod.yaml
    └── root_system.yaml
├── images
    ├── .gitignore
    ├── .zsh_history
    ├── package.json
    ├── rce_image
    │   ├── Dockerfile
    │   ├── README.md
    │   ├── app.py
    │   ├── package.json
    │   └── requirements.txt
    └── snyky
    │   ├── .zsh_history
    │   ├── ConMachi
    │   ├── Dockerfile
    │   ├── Dockerfile-old
    │   ├── README.md
    │   ├── gotty_config
    │   └── krew_plugin_list.txt
├── mitigations
    ├── allow-web-ingress.yaml
    ├── deny-all.yaml
    ├── sa-token.yaml
    └── webadmin-netpol.yaml
├── setup
    ├── calico.yaml
    ├── cluster_roles.yaml
    ├── default_ns_role.yaml
    ├── ingress_ns_role.yaml
    ├── kind_ingress.yaml
    ├── privileged_psp.yaml
    ├── restricted_psp.yaml
    ├── role_bindings.yaml
    ├── secure_ns_role.yaml
    ├── setup.sh
    ├── webadmin_allow_role_to_see_endpoints.yaml
    ├── webadmin_deployment.yaml
    ├── webadmin_svc_ingress.yaml
    └── webadmin_user.yaml
├── setup_kubeconfig.sh
└── workshop
    ├── 01-setup.md
    ├── 02a-exploit.md
    ├── 02b-exploit.md
    ├── 02c-exploit.md
    ├── 02d-exploit.md
    ├── 02e-exploit.md
    ├── 02f-exploit.md
    ├── 02g-exploit.md
    ├── 03-mitigations.md
    ├── 04-next-steps.md
    ├── README.md
    └── media
        ├── 01-docker-desktop-prefs.png
        ├── 02-01-01-hostname.png
        ├── 02-01-02-env.png
        ├── 02-01-03-ip.png
        ├── 02-01-Checkpoint-1.png
        ├── 02-01-Timeline-1.png
        ├── 02-02-01-cattoken.png
        ├── 02-02-01-procenv.png
        ├── 02-02-02-curl.png
        ├── 02-02-03-apicall.png
        ├── 02-02-Checkpoint-1.png
        ├── 02-02-Timeline-1.png
        ├── 02-03-Checkpoint-1.png
        ├── 02-03-Timeline-1.png
        ├── 02-04-Checkpoint-1.png
        ├── 02-04-Timeline-1.png
        ├── 02-05-Checkpoint-1.png
        ├── 02-05-Timeline-1.png
        ├── 02-06-03-sameapp.png
        ├── 02-06-04-token.png
        ├── 02-06-Checkpoint-1.png
        ├── 02-06-Timeline-1.png
        ├── 02-07-08-token.png
        ├── 02-07-Checkpoint-1.png
        ├── 02-07-Timeline-1.png
        ├── 03-image-scan.png
        ├── 03-k8s-scan.png
        ├── 03-sast-advice.png
        ├── 03-sast-rce.png
        ├── gameover.gif
        └── the-simpsons-mr-burns.gif

/.gitignore: 
-------------------------------------------------------------------------------- 1 | **/.dccache 2 | demokubeconfig 3 | -------------------------------------------------------------------------------- /DEMOFLOW.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/DEMOFLOW.md -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/README.md -------------------------------------------------------------------------------- /demo_yamls/etcdclient.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/demo_yamls/etcdclient.yaml -------------------------------------------------------------------------------- /demo_yamls/nonroot_nonpriv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/demo_yamls/nonroot_nonpriv.yaml -------------------------------------------------------------------------------- /demo_yamls/nonroot_nonpriv_restricted.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/demo_yamls/nonroot_nonpriv_restricted.yaml -------------------------------------------------------------------------------- /demo_yamls/nonroot_priv.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/demo_yamls/nonroot_priv.yaml -------------------------------------------------------------------------------- /demo_yamls/root_pod.yaml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/demo_yamls/root_pod.yaml -------------------------------------------------------------------------------- /demo_yamls/root_system.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/demo_yamls/root_system.yaml -------------------------------------------------------------------------------- /images/.gitignore: -------------------------------------------------------------------------------- 1 | istio- 2 | -------------------------------------------------------------------------------- /images/.zsh_history: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/.zsh_history -------------------------------------------------------------------------------- /images/package.json: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /images/rce_image/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/rce_image/Dockerfile -------------------------------------------------------------------------------- /images/rce_image/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/rce_image/README.md -------------------------------------------------------------------------------- /images/rce_image/app.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/rce_image/app.py -------------------------------------------------------------------------------- /images/rce_image/package.json: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /images/rce_image/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask 2 | -------------------------------------------------------------------------------- /images/snyky/.zsh_history: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/snyky/.zsh_history -------------------------------------------------------------------------------- /images/snyky/ConMachi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/snyky/ConMachi -------------------------------------------------------------------------------- /images/snyky/Dockerfile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/snyky/Dockerfile -------------------------------------------------------------------------------- /images/snyky/Dockerfile-old: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/snyky/Dockerfile-old -------------------------------------------------------------------------------- /images/snyky/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/snyky/README.md -------------------------------------------------------------------------------- /images/snyky/gotty_config: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/images/snyky/gotty_config 
-------------------------------------------------------------------------------- /images/snyky/krew_plugin_list.txt: -------------------------------------------------------------------------------- 1 | who-can 2 | access-matrix 3 | net-forward 4 | -------------------------------------------------------------------------------- /mitigations/allow-web-ingress.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/mitigations/allow-web-ingress.yaml -------------------------------------------------------------------------------- /mitigations/deny-all.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/mitigations/deny-all.yaml -------------------------------------------------------------------------------- /mitigations/sa-token.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/mitigations/sa-token.yaml -------------------------------------------------------------------------------- /mitigations/webadmin-netpol.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/mitigations/webadmin-netpol.yaml -------------------------------------------------------------------------------- /setup/calico.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/calico.yaml -------------------------------------------------------------------------------- /setup/cluster_roles.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/cluster_roles.yaml 
-------------------------------------------------------------------------------- /setup/default_ns_role.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/default_ns_role.yaml -------------------------------------------------------------------------------- /setup/ingress_ns_role.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/ingress_ns_role.yaml -------------------------------------------------------------------------------- /setup/kind_ingress.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/kind_ingress.yaml -------------------------------------------------------------------------------- /setup/privileged_psp.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/privileged_psp.yaml -------------------------------------------------------------------------------- /setup/restricted_psp.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/restricted_psp.yaml -------------------------------------------------------------------------------- /setup/role_bindings.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/role_bindings.yaml -------------------------------------------------------------------------------- /setup/secure_ns_role.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/secure_ns_role.yaml 
-------------------------------------------------------------------------------- /setup/setup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/setup.sh -------------------------------------------------------------------------------- /setup/webadmin_allow_role_to_see_endpoints.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/webadmin_allow_role_to_see_endpoints.yaml -------------------------------------------------------------------------------- /setup/webadmin_deployment.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/webadmin_deployment.yaml -------------------------------------------------------------------------------- /setup/webadmin_svc_ingress.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/webadmin_svc_ingress.yaml -------------------------------------------------------------------------------- /setup/webadmin_user.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup/webadmin_user.yaml -------------------------------------------------------------------------------- /setup_kubeconfig.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/setup_kubeconfig.sh -------------------------------------------------------------------------------- /workshop/01-setup.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/01-setup.md 
-------------------------------------------------------------------------------- /workshop/02a-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02a-exploit.md -------------------------------------------------------------------------------- /workshop/02b-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02b-exploit.md -------------------------------------------------------------------------------- /workshop/02c-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02c-exploit.md -------------------------------------------------------------------------------- /workshop/02d-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02d-exploit.md -------------------------------------------------------------------------------- /workshop/02e-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02e-exploit.md -------------------------------------------------------------------------------- /workshop/02f-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02f-exploit.md -------------------------------------------------------------------------------- /workshop/02g-exploit.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/02g-exploit.md 
-------------------------------------------------------------------------------- /workshop/03-mitigations.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/03-mitigations.md -------------------------------------------------------------------------------- /workshop/04-next-steps.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/04-next-steps.md -------------------------------------------------------------------------------- /workshop/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/README.md -------------------------------------------------------------------------------- /workshop/media/01-docker-desktop-prefs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/01-docker-desktop-prefs.png -------------------------------------------------------------------------------- /workshop/media/02-01-01-hostname.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-01-01-hostname.png -------------------------------------------------------------------------------- /workshop/media/02-01-02-env.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-01-02-env.png -------------------------------------------------------------------------------- /workshop/media/02-01-03-ip.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-01-03-ip.png -------------------------------------------------------------------------------- /workshop/media/02-01-Checkpoint-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-01-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-01-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-01-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/02-02-01-cattoken.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-02-01-cattoken.png -------------------------------------------------------------------------------- /workshop/media/02-02-01-procenv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-02-01-procenv.png -------------------------------------------------------------------------------- /workshop/media/02-02-02-curl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-02-02-curl.png -------------------------------------------------------------------------------- /workshop/media/02-02-03-apicall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-02-03-apicall.png -------------------------------------------------------------------------------- 
/workshop/media/02-02-Checkpoint-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-02-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-02-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-02-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/02-03-Checkpoint-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-03-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-03-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-03-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/02-04-Checkpoint-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-04-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-04-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-04-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/02-05-Checkpoint-1.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-05-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-05-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-05-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/02-06-03-sameapp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-06-03-sameapp.png -------------------------------------------------------------------------------- /workshop/media/02-06-04-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-06-04-token.png -------------------------------------------------------------------------------- /workshop/media/02-06-Checkpoint-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-06-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-06-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-06-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/02-07-08-token.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-07-08-token.png -------------------------------------------------------------------------------- 
/workshop/media/02-07-Checkpoint-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-07-Checkpoint-1.png -------------------------------------------------------------------------------- /workshop/media/02-07-Timeline-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/02-07-Timeline-1.png -------------------------------------------------------------------------------- /workshop/media/03-image-scan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/03-image-scan.png -------------------------------------------------------------------------------- /workshop/media/03-k8s-scan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/03-k8s-scan.png -------------------------------------------------------------------------------- /workshop/media/03-sast-advice.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/03-sast-advice.png -------------------------------------------------------------------------------- /workshop/media/03-sast-rce.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/03-sast-rce.png -------------------------------------------------------------------------------- /workshop/media/gameover.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/gameover.gif 
-------------------------------------------------------------------------------- /workshop/media/the-simpsons-mr-burns.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk-labs/kubernetes-goof/HEAD/workshop/media/the-simpsons-mr-burns.gif --------------------------------------------------------------------------------