diff --git a/kubernetes/.gitignore b/kubernetes/.gitignore new file mode 100644 index 0000000000..9fbcbf93e4 --- /dev/null +++ b/kubernetes/.gitignore @@ -0,0 +1,2 @@ +metasploit/charts +metasploit.yaml \ No newline at end of file diff --git a/kubernetes/Makefile b/kubernetes/Makefile index 430961f760..4bc7614bb5 100644 --- a/kubernetes/Makefile +++ b/kubernetes/Makefile @@ -19,6 +19,7 @@ generate-deployment: ##@Generate Generate K8S installation helm template metasploit metasploit > metasploit.yaml install-chart: ##@Install Install Metasploit chart + find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit delete-chart: ##@Install Delete Metasploit chart diff --git a/kubernetes/README.md b/kubernetes/README.md index 19ab943e54..f76ea7dc6c 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -1,4 +1,11 @@ -# Running Metasploit Inside Kubernetes + +# Running Metasploit Framework Inside Kubernetes + +Running metasploit framework inside Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services. + +The installation chart also offers to install & run metasploit framework with different priviliges and permissions with respect to Kubernetes node hosting metasploit, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml + +# Installation 1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/) 2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) @@ -7,6 +14,7 @@ 3. Install the helm chart by running: ```sh + helm dep update ./metasploit helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit ``` 
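Review bot: In kubernetes/Makefile, the guard `find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit` on `install-chart` runs the update only when `find` fails, which in practice means the directory is missing. `find` exits 0 both when the directory is empty and when it already holds archives, so neither case refreshes the dependencies. Because this commit also moves the postgresql dependency to a different repository and version, a checkout with the old archive in `metasploit/charts` keeps that stale archive. Running `helm dependency build ./metasploit` unconditionally is simpler and rebuilds `charts/` from the versions pinned in Chart.lock.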
diff --git a/kubernetes/metasploit/Chart.lock b/kubernetes/metasploit/Chart.lock index 0d0a5970d7..06eac081d0 100644 --- a/kubernetes/metasploit/Chart.lock +++ b/kubernetes/metasploit/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: postgresql - repository: https://cetic.github.io/helm-charts - version: 0.2.1 -digest: sha256:6687cfdd86342c5b69a6db7e4be01b406443cf172a77828b4687309530db24ed -generated: "2021-10-05T12:07:31.052625733+03:00" + repository: https://charts.bitnami.com/bitnami + version: 10.12.2 +digest: sha256:04694bba08f5e004842d2b515d02ca6dabd796ee22933c131a5c814361df65af +generated: "2021-10-07T11:21:47.040108617+03:00" diff --git a/kubernetes/metasploit/Chart.yaml b/kubernetes/metasploit/Chart.yaml index 8a50b58821..4d9e4a10c9 100644 --- a/kubernetes/metasploit/Chart.yaml +++ b/kubernetes/metasploit/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: metasploit -description: A Helm chart for deployiong metasploit framework into Kubernetes +description: A Helm chart for deploying metasploit framework into Kubernetes type: application @@ -18,12 +18,12 @@ icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg sources: - https://github.com/rapid7/metasploit-framework maintainers: -- email: gadi_naor@rapid7.com - name: Gadi Naor +- email: msfdev@metasploit.com + name: Metasploit Hackers dependencies: - name: postgresql - version: '0.2.1' - repository: https://cetic.github.io/helm-charts + version: '10.12.2' + repository: https://charts.bitnami.com/bitnami alias: msfdb \ No newline at end of file diff --git a/kubernetes/metasploit/templates/_helpers.tpl b/kubernetes/metasploit/templates/_helpers.tpl index b733d1e21c..3f64b4111c 100644 --- a/kubernetes/metasploit/templates/_helpers.tpl +++ b/kubernetes/metasploit/templates/_helpers.tpl 
@@ -49,15 +49,4 @@ Selector labels {{- define "metasploit.selectorLabels" -}} app.kubernetes.io/name: {{ include "metasploit.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "metasploit.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "metasploit.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/metasploit/templates/ms-deployment.yaml b/kubernetes/metasploit/templates/ms-deployment.yaml index 6c08f78464..4640591a4f 100644 --- a/kubernetes/metasploit/templates/ms-deployment.yaml +++ b/kubernetes/metasploit/templates/ms-deployment.yaml @@ -18,11 +18,15 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "metasploit.serviceAccountName" . }} + {{- if .Values.priviliges.useServiceAccount }} + serviceAccountName: {{ include "metasploit.fullname" . }} + {{ end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/bin/bash"] tty: true stdin: true 
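Review bot: In ms-deployment.yaml, omitting `serviceAccountName` when `priviliges.useServiceAccount` is false does not take API credentials away from the pod. The pod then runs as the namespace's `default` service account and, unless that account opts out, still gets its token mounted. That contradicts the values.yaml comment "Disable Kubernetes API Server Access - even to the discovery APIs". Adding `automountServiceAccountToken: {{ .Values.priviliges.useServiceAccount }}` to the pod spec next to the conditional would make the false setting match the comment. The closing `{{ end }}` also lacks the `-` trim that the opening tag has, so it leaves a stray blank line in the rendered manifest; the pod spec itself continues outside the hunk.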
@@ -33,24 +37,11 @@ spec: name: {{ include "metasploit.fullname" . }} key: database-url securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- toYaml .Values.priviliges.securityContext | nindent 12 }} ports: - containerPort: 4444 protocol: TCP name: metasploit - # - name: http - # containerPort: 80 - # protocol: TCP - # livenessProbe: - # httpGet: - # path: / - # port: metasploit - # readinessProbe: - # httpGet: - # path: / - # port: metasploit resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: diff --git a/kubernetes/metasploit/templates/ms-secret.yaml b/kubernetes/metasploit/templates/ms-secret.yaml index f60f23e3b8..ece512da89 100644 --- a/kubernetes/metasploit/templates/ms-secret.yaml +++ b/kubernetes/metasploit/templates/ms-secret.yaml @@ -1,6 +1,6 @@ {{ $chartName := include "metasploit.fullname" . }} -{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.username .Values.msfdb.password $chartName }} +{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.postgresqlUsername .Values.msfdb.postgresqlPassword $chartName }} --- apiVersion: v1 diff --git a/kubernetes/metasploit/templates/rbac.yaml b/kubernetes/metasploit/templates/rbac.yaml new file mode 100644 index 0000000000..8cd70064a0 --- /dev/null +++ b/kubernetes/metasploit/templates/rbac.yaml 
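Review bot: In ms-secret.yaml, the `$dburl` printf puts `postgresqlUsername` and `postgresqlPassword` into the connection URL unescaped, so a password containing `@`, `:`, `/` or `?` produces a URL that parses to the wrong host or credentials. Passing both through the template `urlquery` function, e.g. `(urlquery .Values.msfdb.postgresqlPassword)`, keeps the URL well-formed for any value. Wrapping the password in `required` would also make an install with an empty value fail at render time instead of emitting `postgres://user:@…`. The Secret body that consumes `$dburl` is outside the hunk.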
@@ -0,0 +1,26 @@ +{{- if .Values.priviliges.useServiceAccount -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "metasploit.fullname" . }} + labels: + {{- include "metasploit.labels" . | nindent 4 }} + +--- +{{- if ne .Values.priviliges.bindClusterRole "" -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "metasploit.fullname" . }} + labels: + {{- include "metasploit.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.priviliges.bindClusterRole }} +subjects: + - kind: ServiceAccount + name: {{ include "metasploit.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/metasploit/templates/serviceaccount.yaml b/kubernetes/metasploit/templates/serviceaccount.yaml deleted file mode 100644 index 72b4da1d81..0000000000 --- a/kubernetes/metasploit/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "metasploit.serviceAccountName" . }} - labels: - {{- include "metasploit.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/kubernetes/metasploit/values.yaml b/kubernetes/metasploit/values.yaml index 02f9584d3a..1231e7a0b7 100644 --- a/kubernetes/metasploit/values.yaml +++ b/kubernetes/metasploit/values.yaml 
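Review bot: In rbac.yaml, the guard `{{- if ne .Values.priviliges.bindClusterRole "" -}}` tests against the empty string, but values.yaml ships `bindClusterRole` commented out, so the key is absent rather than `""`. Depending on the Helm/Go template version, that comparison either errors or evaluates true and renders a RoleBinding whose `roleRef.name` is empty. A truthiness test, `{{- if .Values.priviliges.bindClusterRole }}`, covers both the unset and the empty case. Separately, the `{{-` on that line trims the newline after `---` and the trailing `-}}` trims the one before `apiVersion`, so the document separator appears to fuse into `---apiVersion: …`. Placing `---` on its own line inside the conditional, with no trim marker eating its newline, avoids that.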
@@ -13,29 +13,32 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: +priviliges: + # Disable Kubernetes API Server Access - even to the discovery APIs + useServiceAccount: false + # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective) + #bindClusterRole: cluster-admin -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + # + # Priviliges related to node hosting metasploit Pod + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + podSecurityContext: {} + # fsGroup: 2000 + # Metasploit container security context + securityContext: {} + #allowPrivilegeEscalation: false + # capabilities: + # add: + # - NET_BIND_SERVICE + # drop: + # - all + #runAsNonRoot: true + #runAsUser: 1000 + #runAsGroup: 1000 service: type: ClusterIP - port: 80 + port: 4444 ingress: enabled: false @@ -43,12 +46,12 @@ ingress: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: - - host: chart-example.local + - host: metasploit.local paths: [] tls: [] - # - secretName: chart-example-tls + # - secretName: metasploit-tls # hosts: - # - chart-example.local + # - metasploit.local resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
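Review bot: In the `priviliges` block of values.yaml, the comment on `bindClusterRole` says it runs metasploit "as Kubernetes cluster admin", but rbac.yaml in this commit binds the ClusterRole through a namespaced `RoleBinding`, so the service account gets those permissions only inside the release namespace. The comment should say that, e.g. `# Bind this ClusterRole to the service account within the release namespace (requires useServiceAccount: true)`; if cluster-wide scope is really intended, the template needs a ClusterRoleBinding and the comment should state the blast radius. Shipping the key as `bindClusterRole: ""` rather than commented out would also match the `ne … ""` test in rbac.yaml. The top-level key is spelled `priviliges` here and in every template that reads it; values keys are the chart's public interface, so `privileges` is worth fixing before users depend on the misspelling.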
@@ -68,11 +71,14 @@ tolerations: [] affinity: {} +# +# Postgres configuration (See chart.yaml dependencies) +# msfdb: - image: - repository: postgres - tag: 10-alpine + # image: + # repository: postgres + # tag: 10-alpine persistence: enabled: true - username: postgres - password: postgres + postgresqlUsername: postgres + postgresqlPassword: postgres
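Review bot: In the `msfdb` block of values.yaml, `postgresqlUsername: postgres` with `postgresqlPassword: postgres` ships a well-known credential as the chart default. With `persistence.enabled: true`, that password is likely to stay on the database volume after a later values change. Any workload that can reach the `-msfdb` service on 5432 inside the cluster can then log in to the database metasploit stores its results in. Leave the password empty with a comment such as `# required: set via --set msfdb.postgresqlPassword=… or a values file kept out of version control`, and have ms-secret.yaml fail rendering when it is unset.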