3rdparty lists
- neargle/my-re0-k8s-security - [WIP] A collection of past talks: Kubernetes attack and defense from scratch - 2.6K stars
- wsargent/docker-cheat-sheet - Docker Cheat Sheet
- kabachook/k8s-security - Kubernetes security notes and best practices
- mhausenblas/k8s-sec - Kubernetes Security from Image Hygiene to Network Policies
- brant-ruan/awesome-cloud-native-security - awesome resources about cloud native security
Post penetration
- Esonhugh/k8spider - Powerful, fast, low-privilege Kubernetes service discovery tool that works via the Kubernetes DNS service. Currently supports service IP-port brute forcing / AXFR zone transfer dump / CoreDNS wildcard dump / Pod verified IP discovery
- DataDog/KubeHound - A Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster
- Metarget/kootkit - k0otkit is a universal post-penetration technique that can be used in penetration tests against Kubernetes clusters - persists via a DaemonSet, stores the payload in a Secret, achieves fileless execution with perl + memfd_create, and hides itself by modifying the kube-proxy container
- SPuerBRead/shovel - Docker container escape tool
- cdk-team/CDK - CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster - currently the most comprehensive collection of container tools and vulnerabilities, 1.8K stars
Uncategorized
- earthquake/chw00t - Unices chroot breaking tool - unmaintained since 2019
- twistlock/whoc - A container image that exfiltrates the underlying container runtime to a remote server - builds a PIE program to replace ld, reads /proc/self/exe when the container starts, then restores ld and sends the runc binary out via curl, which reveals the runc version in use
- ropnop/pentest_charts - Some helpful Helm Charts for pentesters
- kubesphere - The container platform tailored for Kubernetes multi-cloud, datacenter, and edge management - 7K stars, very large plugin ecosystem
- fanux/sealos - Install Kubernetes with a single command; supports a very wide range of versions and domestic (Chinese) platforms, rock-solid in production, 99-year certificates, zero dependencies, no haproxy/keepalived, containerd support from v1.20 - 3.2K stars
- BishopFox/badPods - A collection of manifests that will create pods with elevated privileges - the common k8s privilege escalation surfaces; rarely encountered in real engagements
- talos-systems/talos - a modern OS for Kubernetes
- StefanScherer/packer-windows - Windows Templates for Packer: Win10, Server 2016, 1709, 1803, 1809, 2019, 1903, 1909, 2004, Insider with Docker
- inguardians/peirates - Kubernetes Penetration Testing tool
Exploits
- quarkslab/kdigger - kdigger is a context discovery tool for Kubernetes penetration testing
- cyberark/KubiScan - A tool to scan Kubernetes cluster for risky permissions
- cyberark/kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments - based on Merlin, adds 5 container escape modules; the code is in the data/modules/go directory
- danielsagi/kube-dnsspoof - A PoC for DNS spoofing in Kubernetes clusters. Runs with minimum capabilities on default installations of Kubernetes
- serain/kubelet-anon-rce - Executes commands in a container on a kubelet endpoint that allows anonymous authentication (default)
- initstring/lxd_root - Linux privilege escalation via LXD - the script has compatibility issues; does not work on Ubuntu 18.04
- Container Escape
Hardening
- bytedance/vArmor - vArmor is a cloud native container sandbox based on LSM. It includes multiple built-in protection rules that are ready to use out of the box
- kyverno - Kubernetes Native Policy Management
- DataDog/security-agent-policies/runtime/default.policy - default rules of the Datadog agent
- edgelesssys/constellation - Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing
- neuvector/neuvector - NeuVector Full Lifecycle Container Security Platform delivers the only cloud-native security with uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall
- kata-containers/kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs - secure container runtime, 1.6K stars
- google/gvisor - Application Kernel for Containers - secure container runtime, 11.8K stars
- open-policy-agent/opa - An open source, general-purpose policy engine - 5.7K stars
- open-policy-agent/gatekeeper - Policy Controller for Kubernetes - 2.1K stars
- datreeio/datree - a CLI tool to ensure K8s manifests and Helm charts follow best practices as well as your organization’s policies
- docker/docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production
- aquasecurity/kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
- docker-slim - Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too
Static analysis
- P3GLEG/WhaleTail - Program to reverse Docker images into Dockerfiles
- GoogleContainerTools/container-diff - Diff your Docker containers
- wagoodman/dive - A tool for exploring each layer in a docker image
- coreos/clair - Vulnerability Static Analysis for Containers
- aquasecurity/trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
- nccgroup/whalescan - Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container
Auditing & Monitoring
- paralus/paralus - All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs
- kubesphere/kubeeye - KubeEye aims to find various problems on Kubernetes, such as application misconfiguration, unhealthy cluster components and node problems
- twistlock/sa-hunter - Correlates serviceaccounts and pods to the permissions granted to them via rolebindings and clusterrolesbindings
- stackrox - The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment
- chaitin/veinmind-tools - Container security toolset developed in-house by Chaitin Tech, built on veinmind-sdk - ships with a fair number of built-in rules, looks decent
- armosec/kubescape - the first tool for testing whether Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA
- brompwnie/botb - A container analysis and exploitation tool for pentesters and engineers
- jessfraz/amicontained - Container introspection tool. Find out what container runtime is being used as well as features available - a tool for enumerating restrictions from inside a container, e.g. seccomp / capabilities / namespaces
- projectcalico/calico - Cloud native networking and network security
- Shopify/kubeaudit - helps you audit your Kubernetes clusters against common security controls
- aquasecurity/trivy - A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI - 18K stars
- sysdiglabs/kube-psp-advisor - Help building an adaptive and fine-grained pod security policy
- aquasecurity/kube-hunter - Hunt for security weaknesses in Kubernetes clusters - 3.3K stars
- nccgroup/kube-auto-analyzer - Kubernetes Auto Analyzer - no longer maintained
- cr0hn/dockerscan - Docker security analysis & hacking tools
Network
Dockerfile collections
- vimagick/dockerfiles - A collection of delicious docker recipes
- astj/docker-centos5-vault - A drop-in replacement of centos:5.11 with modified yum repository spec with vault.centos.org
- Understanding Kubernetes in depth in one article (Tencent Technical Engineering)
- Container escape in 2021 - several escape methods available when CAP_ADMIN is held
- NIST Special Publication 800-190 - Application Container Security Guide - 2017.09
- China's first cloud container ATT&CK attack-and-defense matrix released; Alibaba Cloud helps enterprises secure their containerization
- BH USA-20 Escaping Virtualized Containers
- BH USA-20 Defending containers like a ninja
- Kubernetes: Master Post - summary of issues up to and including 2019
- Kubernetes and HostPath, a Love-Hate Relationship - historical vulnerabilities related to k8s path mounts