- switch to Bitnami postgresql repo

- Remove chart dependency - Update readme - Added configuration options to control various run priviliges
2021-10-07 13:27:12 +03:00 · 2021-10-07 13:27:12 +03:00 · 1d31540e93
parent 443fcb21c4
commit 1d31540e93
11 changed files with 89 additions and 78 deletions
--- a/kubernetes/.gitignore
+++ b/kubernetes/.gitignore
@ -0,0 +1,2 @@
+metasploit/charts
+metasploit.yaml
--- a/kubernetes/Makefile
+++ b/kubernetes/Makefile
@ -19,6 +19,7 @@ generate-deployment:	##@Generate Generate K8S installation
 	helm template metasploit metasploit > metasploit.yaml   

 install-chart: ##@Install Install Metasploit chart
+	find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit 
 	helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit

 delete-chart: ##@Install Delete Metasploit chart    
--- a/kubernetes/README.md
+++ b/kubernetes/README.md
@ -1,4 +1,11 @@
-# Running Metasploit Inside Kubernetes
+
+# Running Metasploit Framework Inside Kubernetes
+
+Running metasploit framework inside Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
+
+The installation chart also offers to install & run metasploit framework with different priviliges and permissions with respect to Kubernetes node hosting metasploit, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
+
+# Installation

 1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
 2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
@ -7,6 +14,7 @@
 3. Install the helm chart by running:

    ```sh
+    helm dep update ./metasploit
    helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
    ```

--- a/kubernetes/metasploit/Chart.lock
+++ b/kubernetes/metasploit/Chart.lock
@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
-  repository: https://cetic.github.io/helm-charts
-  version: 0.2.1
-digest: sha256:6687cfdd86342c5b69a6db7e4be01b406443cf172a77828b4687309530db24ed
-generated: "2021-10-05T12:07:31.052625733+03:00"
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.12.2
+digest: sha256:04694bba08f5e004842d2b515d02ca6dabd796ee22933c131a5c814361df65af
+generated: "2021-10-07T11:21:47.040108617+03:00"
--- a/kubernetes/metasploit/Chart.yaml
+++ b/kubernetes/metasploit/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: metasploit
-description: A Helm chart for deployiong metasploit framework into Kubernetes
+description: A Helm chart for deploying metasploit framework into Kubernetes

 type: application

@ -18,12 +18,12 @@ icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
 sources:
 - https://github.com/rapid7/metasploit-framework
 maintainers:
- email: gadi_naor@rapid7.com
-  name: Gadi Naor
+- email: msfdev@metasploit.com
+  name: Metasploit Hackers


 dependencies:
  - name: postgresql
-    version: '0.2.1'
-    repository: https://cetic.github.io/helm-charts
+    version: '10.12.2'
+    repository: https://charts.bitnami.com/bitnami
    alias: msfdb
--- a/kubernetes/metasploit/templates/_helpers.tpl
+++ b/kubernetes/metasploit/templates/_helpers.tpl
@ -49,15 +49,4 @@ Selector labels
 {{- define "metasploit.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "metasploit.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "metasploit.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-    {{ default (include "metasploit.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
+{{- end -}}
--- a/kubernetes/metasploit/templates/ms-deployment.yaml
+++ b/kubernetes/metasploit/templates/ms-deployment.yaml
@ -18,11 +18,15 @@ spec:
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
    {{- end }}
-      serviceAccountName: {{ include "metasploit.serviceAccountName" . }}
+      {{- if .Values.priviliges.useServiceAccount }}
+      serviceAccountName: {{ include "metasploit.fullname" . }}
+      {{ end }}
      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}        
          command: ["/bin/bash"]
          tty: true
          stdin: true
@ -33,24 +37,11 @@ spec:
                    name: {{ include "metasploit.fullname" . }}
                    key: database-url
          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+            {{- toYaml .Values.priviliges.securityContext | nindent 12 }}
          ports:
            - containerPort: 4444
              protocol: TCP
              name: metasploit
-            # - name: http
-            #   containerPort: 80
-            #   protocol: TCP
-          # livenessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: metasploit
-          # readinessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: metasploit
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
--- a/kubernetes/metasploit/templates/ms-secret.yaml
+++ b/kubernetes/metasploit/templates/ms-secret.yaml
@ -1,6 +1,6 @@

 {{ $chartName := include "metasploit.fullname" . }}
-{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.username .Values.msfdb.password $chartName }}
+{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.postgresqlUsername .Values.msfdb.postgresqlPassword $chartName }}

 ---
 apiVersion: v1
--- a/kubernetes/metasploit/templates/rbac.yaml
+++ b/kubernetes/metasploit/templates/rbac.yaml
@ -0,0 +1,26 @@
+{{- if .Values.priviliges.useServiceAccount -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "metasploit.fullname" . }}
+  labels:
+    {{- include "metasploit.labels" . | nindent 4 }}
+
+---
+{{- if ne .Values.priviliges.bindClusterRole "" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "metasploit.fullname" . }}
+  labels:
+    {{- include "metasploit.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.priviliges.bindClusterRole }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "metasploit.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
--- a/kubernetes/metasploit/templates/serviceaccount.yaml
+++ b/kubernetes/metasploit/templates/serviceaccount.yaml
@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "metasploit.serviceAccountName" . }}
-  labels:
-    {{- include "metasploit.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
--- a/kubernetes/metasploit/values.yaml
+++ b/kubernetes/metasploit/values.yaml
@ -13,29 +13,32 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""

-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
+priviliges:
+  # Disable Kubernetes API Server Access - even to the discovery APIs
+  useServiceAccount: false
+  # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
+  #bindClusterRole: cluster-admin 

-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  #
+  # Priviliges related to node hosting metasploit Pod
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  podSecurityContext: {}
+    # fsGroup: 2000
+  # Metasploit container security context
+  securityContext: {}
+    #allowPrivilegeEscalation: false
+    # capabilities:
+    #   add:
+    #   - NET_BIND_SERVICE
+    #   drop:
+    #   - all
+    #runAsNonRoot: true
+    #runAsUser: 1000
+    #runAsGroup: 1000

 service:
  type: ClusterIP
-  port: 80
+  port: 4444

 ingress:
  enabled: false
@ -43,12 +46,12 @@ ingress:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
-    - host: chart-example.local
+    - host: metasploit.local
      paths: []
  tls: []
-  #  - secretName: chart-example-tls
+  #  - secretName: metasploit-tls
  #    hosts:
-  #      - chart-example.local
+  #      - metasploit.local

 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
@ -68,11 +71,14 @@ tolerations: []

 affinity: {}

+#
+# Postgres configuration (See chart.yaml dependencies)
+#
 msfdb:
-  image:
-    repository: postgres
-    tag: 10-alpine
+  # image:
+  #   repository: postgres
+  #   tag: 10-alpine
  persistence:
    enabled: true
-  username: postgres
-  password: postgres
+  postgresqlUsername: postgres
+  postgresqlPassword: postgres