- switch to Bitnami postgresql repo

- Remove chart dependency
- Update readme
- Added configuration options to control various run priviliges

kubernetes/.gitignore

@@ -0,0 +1,2 @@
+metasploit/charts
+metasploit.yaml

kubernetes/Makefile

@@ -19,6 +19,7 @@ generate-deployment:	##@Generate Generate K8S installation
 	helm template metasploit metasploit > metasploit.yaml   
 
 install-chart: ##@Install Install Metasploit chart
+	find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit 
 	helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
 
 delete-chart: ##@Install Delete Metasploit chart    

kubernetes/README.md

@@ -1,4 +1,11 @@
-# Running Metasploit Inside Kubernetes
+
+# Running Metasploit Framework Inside Kubernetes
+
+Running metasploit framework inside Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
+
+The installation chart also offers to install & run metasploit framework with different priviliges and permissions with respect to Kubernetes node hosting metasploit, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
+
+# Installation
 
 1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
 2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
@@ -7,6 +14,7 @@
 3. Install the helm chart by running:
 
     ```sh
+    helm dep update ./metasploit
     helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
     ```
 

kubernetes/metasploit/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
-  repository: https://cetic.github.io/helm-charts
+  repository: https://charts.bitnami.com/bitnami
-  version: 0.2.1
+  version: 10.12.2
-digest: sha256:6687cfdd86342c5b69a6db7e4be01b406443cf172a77828b4687309530db24ed
+digest: sha256:04694bba08f5e004842d2b515d02ca6dabd796ee22933c131a5c814361df65af
-generated: "2021-10-05T12:07:31.052625733+03:00"
+generated: "2021-10-07T11:21:47.040108617+03:00"

kubernetes/metasploit/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: metasploit
-description: A Helm chart for deployiong metasploit framework into Kubernetes
+description: A Helm chart for deploying metasploit framework into Kubernetes
 
 type: application
 
@@ -18,12 +18,12 @@ icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
 sources:
 - https://github.com/rapid7/metasploit-framework
 maintainers:
-- email: gadi_naor@rapid7.com
+- email: msfdev@metasploit.com
-  name: Gadi Naor
+  name: Metasploit Hackers
 
 
 dependencies:
   - name: postgresql
-    version: '0.2.1'
+    version: '10.12.2'
-    repository: https://cetic.github.io/helm-charts
+    repository: https://charts.bitnami.com/bitnami
     alias: msfdb

kubernetes/metasploit/templates/_helpers.tpl

@@ -50,14 +50,3 @@ Selector labels
 app.kubernetes.io/name: {{ include "metasploit.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "metasploit.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-    {{ default (include "metasploit.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}

kubernetes/metasploit/templates/ms-deployment.yaml

@@ -18,11 +18,15 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ include "metasploit.serviceAccountName" . }}
+      {{- if .Values.priviliges.useServiceAccount }}
+      serviceAccountName: {{ include "metasploit.fullname" . }}
+      {{ end }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}        
           command: ["/bin/bash"]
           tty: true
           stdin: true
@@ -33,24 +37,11 @@ spec:
                     name: {{ include "metasploit.fullname" . }}
                     key: database-url
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.priviliges.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - containerPort: 4444
               protocol: TCP
               name: metasploit
-            # - name: http
-            #   containerPort: 80
-            #   protocol: TCP
-          # livenessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: metasploit
-          # readinessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: metasploit
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:

kubernetes/metasploit/templates/ms-secret.yaml

@@ -1,6 +1,6 @@
 
 {{ $chartName := include "metasploit.fullname" . }}
-{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.username .Values.msfdb.password $chartName }}
+{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.postgresqlUsername .Values.msfdb.postgresqlPassword $chartName }}
 
 ---
 apiVersion: v1

kubernetes/metasploit/templates/rbac.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.priviliges.useServiceAccount -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "metasploit.fullname" . }}
+  labels:
+    {{- include "metasploit.labels" . | nindent 4 }}
+
+---
+{{- if ne .Values.priviliges.bindClusterRole "" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "metasploit.fullname" . }}
+  labels:
+    {{- include "metasploit.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.priviliges.bindClusterRole }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "metasploit.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}

kubernetes/metasploit/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "metasploit.serviceAccountName" . }}
-  labels:
-    {{- include "metasploit.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}

kubernetes/metasploit/values.yaml

@@ -13,29 +13,32 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-serviceAccount:
+priviliges:
-  # Specifies whether a service account should be created
+  # Disable Kubernetes API Server Access - even to the discovery APIs
-  create: true
+  useServiceAccount: false
-  # Annotations to add to the service account
+  # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
-  annotations: {}
+  #bindClusterRole: cluster-admin 
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
 
-podSecurityContext: {}
+  #
+  # Priviliges related to node hosting metasploit Pod
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  podSecurityContext: {}
     # fsGroup: 2000
-
+  # Metasploit container security context
-securityContext: {}
+  securityContext: {}
+    #allowPrivilegeEscalation: false
     # capabilities:
+    #   add:
+    #   - NET_BIND_SERVICE
     #   drop:
-  #   - ALL
+    #   - all
-  # readOnlyRootFilesystem: true
+    #runAsNonRoot: true
-  # runAsNonRoot: true
+    #runAsUser: 1000
-  # runAsUser: 1000
+    #runAsGroup: 1000
 
 service:
   type: ClusterIP
-  port: 80
+  port: 4444
 
 ingress:
   enabled: false
@@ -43,12 +46,12 @@ ingress:
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
-    - host: chart-example.local
+    - host: metasploit.local
       paths: []
   tls: []
-  #  - secretName: chart-example-tls
+  #  - secretName: metasploit-tls
   #    hosts:
-  #      - chart-example.local
+  #      - metasploit.local
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -68,11 +71,14 @@ tolerations: []
 
 affinity: {}
 
+#
+# Postgres configuration (See chart.yaml dependencies)
+#
 msfdb:
-  image:
+  # image:
-    repository: postgres
+  #   repository: postgres
-    tag: 10-alpine
+  #   tag: 10-alpine
   persistence:
     enabled: true
-  username: postgres
+  postgresqlUsername: postgres
-  password: postgres
+  postgresqlPassword: postgres