Yellow - Containers
Container Management
CLI Tools
Web Tools
Moby - a collaborative project for the container ecosystem to assemble container-based systems.
Traefik - open-source reverse proxy/load balancer that provides easy integration with Docker and Let's Encrypt.
kong - The Cloud-Native API Gateway.
rancher - a complete container management platform.
Logging and Monitoring
Container logging and analysis revolves around three areas:
    Container service logs - service daemons record key events:
        Daemon events - errors, status, and general events
        Remote calls to APIs
        Creation, modification and deletion of containers
    Host operating system/platform logs
        Amazon EKS offers logging of events to CloudWatch
    Service logs
Logging Methods
Persistent data volume or bind mount - Log data is written to a persistent location outside of the container, often via syslog directly to the host OS.
Application inside container - If the application itself has logging capabilities, it can write its logs to locations outside of the container.
Monitoring container (sidecar) - A dedicated container that collects logs from other containers.
Daemon log drivers - Capture the stdout and stderr of containers.
Container Defense
Tools
Security Auditing and Vulnerability Scanners
Clair - Vulnerability Static Analysis for Containers
WhaleScan - A vulnerability scanner for Windows containers that performs several benchmark checks as well as checking for CVEs/vulnerable packages on the container.
Trivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
SecretScanner - Find secrets and passwords in container images and file systems
sandbox-attacksurface-analysis-tools - Set of tools to analyze Windows sandboxes for exposed attack surface.
DFIR
sysdig-inspect - A powerful open-source interface for container troubleshooting and security investigation.
Container Pen Testing
Container Escapes
Container Breakout - PTFM: Container Breakout - pg. 145
Tools
kubesploit - A cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
Docker
Docker - A Docker container is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
Operator Handbook: Docker Commands - pg. 61
Offensive Testing
deepce - Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
Operator Handbook: Docker Exploit - pg. 64
Defense and Hardening
docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Anchore - A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification.
Misc
Whaler - Program to reverse Docker images into Dockerfiles.
Kubernetes
Tools
Container Management
KubeCTL - Kubernetes command-line tool.
Operator Handbook: KubeCTL - pg. 111
kubebox - Terminal and web console for Kubernetes.
kubernetes-the-hard-way - Bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
kubernetes-the-easy-way - Bootstrap Kubernetes the easy way on Google Cloud Platform. No scripts.
Hubble - Network, service and security observability for Kubernetes using eBPF.
Offensive tools
peirates - A Kubernetes penetration testing tool that enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.
Kubestroyer - Aims to exploit Kubernetes cluster misconfigurations and be the Swiss army knife of your Kubernetes pentests.
Security auditing
kubesec - Security risk analysis for Kubernetes resources
netassert - A security testing framework for fast, safe iteration on firewall, routing, and NACL rules for Kubernetes (network policies, services) and non-containerised hosts (cloud provider instances, VMs, bare metal).
KubiScan - A tool to scan a Kubernetes cluster for risky permissions.
rbac-police - Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
Resources
Basics and Reference
kubernetes-production-best-practices - Checklists of best practices for production-ready Kubernetes.
Operator Handbook: Kubernetes - pg. 107
Security Auditing and Hardening
k8s-security - Kubernetes security notes and best practices.
Pen Testing
Operator Handbook: Kubernetes Exploit - pg. 108
Training
kubernetes-simulator - Kubernetes Security Training Platform - Focusing on security mitigation
https://madhuakula.com/kubernetes-goat/ - Interactive Kubernetes Security Learning Playground