-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathwebadmin.yaml
75 lines (73 loc) · 1.81 KB
/
webadmin.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Deployment of the vulnerable "webadmin" application.
# ------
# Create a service account for the webadmin service
apiVersion: v1
kind: ServiceAccount
metadata:
name: webadmin
---
# Create a deployment for webadmin to use the esrvice account
apiVersion: apps/v1
kind: Deployment
metadata:
name: webadmin
spec:
replicas: 1
selector:
matchLabels:
app: webadmin
template:
metadata:
labels:
app: webadmin
spec:
serviceAccountName: webadmin
shareProcessNamespace: true # (Not used in this demo)
securityContext:
runAsUser: 999 # Must be non-0 if you use the PSP
fsGroup: 999 # As of 1.15 (I think) you need this set to access the servicetoken for the pod
containers:
- name: webadmin
image: gcr.io/shmoocon-talk-hacking/webadmin:latest # Change me
imagePullPolicy: Always
volumeMounts: # Not used in this demo
- mountPath: /etc/webadmin/tls
name: secret-volume
mountPropagation:
volumes:
- name: secret-volume
secret:
secretName: webadmin-secret
optional: true
---
# VULNERABILITY
# Applies the allow_pod_read policy which allows the service
# account to do whatever it wants in the affected namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: allow_pod_read
#namespace: default
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
---
# Bind the above role to the namespace you want (NOTE this assumes you're doing
# `kubectl apply -f -n secure`)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow_pod_read_bind
#namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: allow_pod_read
subjects:
- kind: ServiceAccount
name: webadmin
#namespace: default