kaput is the Kubernetes Attack and Policy Underminer Tool: think of it as a toolbox that exercises known weaknesses and vulnerabilities in the Kubernetes control and data plane. In a nutshell, kaput mainly coordinates a collection of existing tools to probe a Kubernetes cluster and produces a report that the cluster admin can act on.
I plan to use the following tools to gather candidate attack paths:
- aquasecurity/kube-hunter
- aquasecurity/kube-bench
- banyanops/collector
- coreos/clair
- docker/docker-bench-security
- nicholasjackson/cnitch
- OpenSCAP
In addition to the above tools, kaput will (at some point in time) implement some simple attacks itself, including but not limited to:
- some of the low-hanging fruits demonstrated in Hacking & Hardening Kubernetes By Example
- pod-level: check whether the cluster has RBAC enabled, and whether the default ServiceAccount is used by pods and/or locked down (its token not auto-mounted)
- service-level: check whether a pod can see and communicate with services in the same and in other namespaces (NetworkPolicy check)
- node-level: poisoning of a node via a pod running on that node
- system-level: check whether one can create or modify resources in the kube-system namespace
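As an added example (not kaput's own code, nor code from any of the tools listed above), here is how the pod-, service- and system-level checks could be evaluated in Python against the JSON that kubectl prints. The inputs are constructed samples, trimmed to the fields the checks read; the function names, the `shop` namespace and the `kubectl auth can-i` answer table are assumptions made for the example.

```python
"""Offline evaluation of the planned pod/service/system-level checks.

Added example, not part of kaput. In a real run the inputs would come from:
  kubectl api-versions
  kubectl get sa default -n <ns> -o json
  kubectl get pods -n <ns> -o json
  kubectl get networkpolicy -n <ns> -o json
  kubectl auth can-i <verb> <resource> -n kube-system
The documents below are constructed samples that exercise each finding.
"""
import json


def rbac_enabled(api_versions):
    """RBAC is in use when the rbac.authorization.k8s.io group is served."""
    return any(v.startswith("rbac.authorization.k8s.io/") for v in api_versions)


def default_sa_findings(sa, pods):
    """Default ServiceAccount not locked down, plus the pods that run with it."""
    findings = []
    # automountServiceAccountToken unset (None) means the token IS mounted.
    if sa.get("automountServiceAccountToken") is not False:
        findings.append("default SA auto-mounts its token")
    for pod in pods:
        spec = pod["spec"]
        uses_default = spec.get("serviceAccountName", "default") == "default"
        if uses_default and spec.get("automountServiceAccountToken") is not False:
            findings.append(f"pod {pod['metadata']['name']} runs as default SA with token mounted")
    return findings


def network_policy_findings(netpols, namespace):
    """No NetworkPolicy at all, or no default-deny ingress policy, in the namespace."""
    in_ns = [p for p in netpols if p["metadata"]["namespace"] == namespace]
    if not in_ns:
        return [f"namespace {namespace} has no NetworkPolicy: all pods reachable"]
    # A default-deny policy selects every pod (empty podSelector), covers
    # Ingress (the default policyType) and carries no ingress allow rules.
    default_deny = any(
        p["spec"].get("podSelector", {}) == {}
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and not p["spec"].get("ingress")
        for p in in_ns
    )
    return [] if default_deny else [f"namespace {namespace} has no default-deny ingress policy"]


def kube_system_findings(can_i):
    """Writes into kube-system that `kubectl auth can-i` answered 'yes' for."""
    return [f"can {verb} {res} in kube-system"
            for (verb, res), answer in can_i.items() if answer == "yes"]


# Constructed sample inputs (shapes follow `kubectl ... -o json`, trimmed).
API_VERSIONS = ["apps/v1", "rbac.authorization.k8s.io/v1", "v1"]
DEFAULT_SA = {"metadata": {"name": "default", "namespace": "shop"}}  # automount unset
PODS = [
    {"metadata": {"name": "web"}, "spec": {"containers": []}},  # default SA, token mounted
    {"metadata": {"name": "worker"},
     "spec": {"serviceAccountName": "worker", "automountServiceAccountToken": False}},
]
NETPOLS = [  # an allow rule for app=web only, no default deny
    {"metadata": {"name": "allow-web", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]}},
]
CAN_I = {("create", "pods"): "yes", ("get", "secrets"): "no"}  # assumed answers


def report(namespace="shop"):
    """Run every check over the sample inputs and return the list of findings."""
    findings = []
    if not rbac_enabled(API_VERSIONS):
        findings.append("RBAC API group not served: authorization is not RBAC")
    findings += default_sa_findings(DEFAULT_SA, PODS)
    findings += network_policy_findings(NETPOLS, namespace)
    findings += kube_system_findings(CAN_I)
    return findings


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Against the samples this reports four findings: the default SA and the `web` pod both mount the token, the `shop` namespace lacks a default-deny ingress policy, and the caller may create pods in kube-system. Note that `automountServiceAccountToken` must be compared to `False` explicitly, since an absent key means the token is mounted.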
Something like:
$ kaput --cluster=https://192.168.64.14:8443 --profile=generic,po,svc
Summary: found 12 potential vulnerabilities of which 3 are exploitable
Control plane:
...