Containerization and Orchestration

TODO: Some of this belongs in defense

Containers

HackTricks - Docker Breakout / Privilege Escalationopen in new window
dockleopen in new window
- Container image auditor
diveopen in new window
- Explore each layer in Docker image
dockerscanopen in new window
- Docker security analysis/hacking tools
CDKopen in new window
- Make security testing of K8s, Docker, and Containerd easier
amicontainerdopen in new window
- Container introspection tool
deepceopen in new window
- Docker Enumeration, Escalation of Privileges and Container Escapes
grypeopen in new window
- Vulnerability scanner for container images and filesystems
Distroless Container Imagesopen in new window
- Very, very minimal container OS
Docker API RCE.pyopen in new window
- Python script that uses the Docker API to get a shell on a remote host

kind (Kubernetes in Docker)open in new window
- Spin up a Kubernetes cluster within Docker
- Makes lab creation way simpler
kubectl Cheat Sheetopen in new window
audit2rbacopen in new window
- Autogenerate RBAC based on audit logs
peiratesopen in new window
- Kubernetes attack tool
- Can be manual or automated
kyvernoopen in new window
- Policy management
Open Policy Agentopen in new window
- Policy management via the rego language
kube2iamopen in new window
- AWS IAM cred provider for containers (basically provides better segmentation)
kiamopen in new window
- Integrate K8s with AWS IAM
k8s-metadata-proxyopen in new window
- Proxy for serving concealed metadata to containers in GCE VM
kube-benchopen in new window
- Audit K8s compliance with CIS benchmarks
kube-hunteropen in new window
- Hunt for security issues in clusters
rbac-policeopen in new window
- Evaluate RBAC perms of SAs, nodes, and pods via rego policies
popeyeopen in new window
- Cluster resource/config scanner
- Checks what's running, not what's on disk