- switch to Bitnami postgresql repo
- Remove chart dependency - Update readme - Added configuration options to control various run privileges
This commit is contained in:
parent
443fcb21c4
commit
1d31540e93
|
@ -0,0 +1,2 @@
|
||||||
|
metasploit/charts
|
||||||
|
metasploit.yaml
|
|
@ -19,6 +19,7 @@ generate-deployment: ##@Generate Generate K8S installation
|
||||||
helm template metasploit metasploit > metasploit.yaml
|
helm template metasploit metasploit > metasploit.yaml
|
||||||
|
|
||||||
install-chart: ##@Install Install Metasploit chart
|
install-chart: ##@Install Install Metasploit chart
|
||||||
|
find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit
|
||||||
helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
|
helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
|
||||||
|
|
||||||
delete-chart: ##@Install Delete Metasploit chart
|
delete-chart: ##@Install Delete Metasploit chart
|
||||||
|
|
|
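Review bot: The added guard `find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit` does not do what the `-empty` test suggests, because find exits 0 whenever it completes without error, whether or not a path matched; `helm dep update` therefore runs only when `metasploit/charts` does not exist at all, and a present-but-empty directory (the case `-empty` is testing for) skips the update and the subsequent `helm upgrade` fails on the missing subchart. A shell test that looks at the directory contents expresses the intent directly: `[ -d metasploit/charts ] && [ -n "$$(ls -A metasploit/charts)" ] || helm dep update ./metasploit`. The `install-chart` target's remaining recipe lines are inside the hunk; the surrounding Makefile is not.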
@ -1,4 +1,11 @@
|
||||||
# Running Metasploit Inside Kubernetes
|
|
||||||
|
# Running Metasploit Framework Inside Kubernetes
|
||||||
|
|
||||||
|
Running metasploit framework inside Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
|
||||||
|
|
||||||
|
The installation chart also offers to install & run metasploit framework with different priviliges and permissions with respect to Kubernetes node hosting metasploit, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
|
||||||
|
|
||||||
|
# Installation
|
||||||
|
|
||||||
1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
|
1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
|
||||||
2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
|
2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
|
||||||
|
@ -7,6 +14,7 @@
|
||||||
3. Install the helm chart by running:
|
3. Install the helm chart by running:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
|
helm dep update ./metasploit
|
||||||
helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
|
helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: postgresql
|
- name: postgresql
|
||||||
repository: https://cetic.github.io/helm-charts
|
repository: https://charts.bitnami.com/bitnami
|
||||||
version: 0.2.1
|
version: 10.12.2
|
||||||
digest: sha256:6687cfdd86342c5b69a6db7e4be01b406443cf172a77828b4687309530db24ed
|
digest: sha256:04694bba08f5e004842d2b515d02ca6dabd796ee22933c131a5c814361df65af
|
||||||
generated: "2021-10-05T12:07:31.052625733+03:00"
|
generated: "2021-10-07T11:21:47.040108617+03:00"
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
name: metasploit
|
name: metasploit
|
||||||
description: A Helm chart for deployiong metasploit framework into Kubernetes
|
description: A Helm chart for deploying metasploit framework into Kubernetes
|
||||||
|
|
||||||
type: application
|
type: application
|
||||||
|
|
||||||
|
@ -18,12 +18,12 @@ icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
|
||||||
sources:
|
sources:
|
||||||
- https://github.com/rapid7/metasploit-framework
|
- https://github.com/rapid7/metasploit-framework
|
||||||
maintainers:
|
maintainers:
|
||||||
- email: gadi_naor@rapid7.com
|
- email: msfdev@metasploit.com
|
||||||
name: Gadi Naor
|
name: Metasploit Hackers
|
||||||
|
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: postgresql
|
- name: postgresql
|
||||||
version: '0.2.1'
|
version: '10.12.2'
|
||||||
repository: https://cetic.github.io/helm-charts
|
repository: https://charts.bitnami.com/bitnami
|
||||||
alias: msfdb
|
alias: msfdb
|
|
@ -50,14 +50,3 @@ Selector labels
|
||||||
app.kubernetes.io/name: {{ include "metasploit.name" . }}
|
app.kubernetes.io/name: {{ include "metasploit.name" . }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create the name of the service account to use
|
|
||||||
*/}}
|
|
||||||
{{- define "metasploit.serviceAccountName" -}}
|
|
||||||
{{- if .Values.serviceAccount.create -}}
|
|
||||||
{{ default (include "metasploit.fullname" .) .Values.serviceAccount.name }}
|
|
||||||
{{- else -}}
|
|
||||||
{{ default "default" .Values.serviceAccount.name }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
|
@ -18,11 +18,15 @@ spec:
|
||||||
imagePullSecrets:
|
imagePullSecrets:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ include "metasploit.serviceAccountName" . }}
|
{{- if .Values.priviliges.useServiceAccount }}
|
||||||
|
serviceAccountName: {{ include "metasploit.fullname" . }}
|
||||||
|
{{ end }}
|
||||||
securityContext:
|
securityContext:
|
||||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
{{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ .Chart.Name }}
|
- name: {{ .Chart.Name }}
|
||||||
|
image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
command: ["/bin/bash"]
|
command: ["/bin/bash"]
|
||||||
tty: true
|
tty: true
|
||||||
stdin: true
|
stdin: true
|
||||||
|
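Review bot: With `priviliges.useServiceAccount: false` the new `{{- if }}` block merely omits `serviceAccountName`, so Kubernetes assigns the namespace's `default` ServiceAccount and (unless that account has automount disabled) still mounts its token into the pod, meaning the comment above `useServiceAccount` in values.yaml ("Disable Kubernetes API Server Access - even to the discovery APIs") promises more than the template delivers. Adding an else branch makes the setting do what its comment says: `{{- else }}` / `automountServiceAccountToken: false` / `{{- end }}`. As a side point, the bare `{{ end }}` on the new side has no trim marker and leaves a stray blank line in the rendered spec, where `{{- end }}` is the usual form. The enclosing pod spec starts and ends outside this hunk.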
@ -33,24 +37,11 @@ spec:
|
||||||
name: {{ include "metasploit.fullname" . }}
|
name: {{ include "metasploit.fullname" . }}
|
||||||
key: database-url
|
key: database-url
|
||||||
securityContext:
|
securityContext:
|
||||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
{{- toYaml .Values.priviliges.securityContext | nindent 12 }}
|
||||||
image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
|
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 4444
|
- containerPort: 4444
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
name: metasploit
|
name: metasploit
|
||||||
# - name: http
|
|
||||||
# containerPort: 80
|
|
||||||
# protocol: TCP
|
|
||||||
# livenessProbe:
|
|
||||||
# httpGet:
|
|
||||||
# path: /
|
|
||||||
# port: metasploit
|
|
||||||
# readinessProbe:
|
|
||||||
# httpGet:
|
|
||||||
# path: /
|
|
||||||
# port: metasploit
|
|
||||||
resources:
|
resources:
|
||||||
{{- toYaml .Values.resources | nindent 12 }}
|
{{- toYaml .Values.resources | nindent 12 }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
|
|
||||||
{{ $chartName := include "metasploit.fullname" . }}
|
{{ $chartName := include "metasploit.fullname" . }}
|
||||||
{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.username .Values.msfdb.password $chartName }}
|
{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.postgresqlUsername .Values.msfdb.postgresqlPassword $chartName }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
|
|
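Review bot: The renamed values are still interpolated into the connection string with plain `%s`, so a `postgresqlPassword` (or username) containing `@`, `/`, `:`, `?` or `#` produces a URL that parses to a different host, path or password than intended; nothing in the new line escapes them. Go templates provide `urlquery` for this, `(.Values.msfdb.postgresqlPassword | urlquery)`, with the caveat that it encodes a space as `+` rather than `%20`. A one-line comment above the `printf` noting that the value is URL-encoded (or that only URL-safe characters are supported) would spare the next maintainer a debugging session. The resource that consumes `$dburl` continues below the hunk.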
@ -0,0 +1,26 @@
|
||||||
|
{{- if .Values.priviliges.useServiceAccount -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ include "metasploit.fullname" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "metasploit.labels" . | nindent 4 }}
|
||||||
|
|
||||||
|
---
|
||||||
|
{{- if ne .Values.priviliges.bindClusterRole "" -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "metasploit.fullname" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "metasploit.labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ .Values.priviliges.bindClusterRole }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "metasploit.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
|
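Review bot: The guard `{{- if ne .Values.priviliges.bindClusterRole "" -}}` compares a value that is nil in the default configuration (values.yaml ships `#bindClusterRole` commented out); depending on the Go version Helm was built with, `ne` against nil either errors with an incompatible-types message or evaluates to false, so a plain truthiness test is the portable form. The `---` on the preceding line also appears to be swallowed: the `{{-` trims the newline after `---` and the `-}}` trims the one before `apiVersion`, so when `bindClusterRole` is set the separator runs into the first key of the RoleBinding document. Moving the separator inside the block fixes both: `{{- if .Values.priviliges.bindClusterRole }}` / `---` / `apiVersion: rbac.authorization.k8s.io/v1`. Note too that this is a `RoleBinding` with a `namespace:` subject, so binding `cluster-admin` grants that role only within `.Release.Namespace`; the values.yaml comment "Run metasploit framework as Kubernetes cluster admin" should say namespace-scoped (or the template should emit a ClusterRoleBinding if cluster-wide was intended).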
@ -1,12 +0,0 @@
|
||||||
{{- if .Values.serviceAccount.create -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: {{ include "metasploit.serviceAccountName" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "metasploit.labels" . | nindent 4 }}
|
|
||||||
{{- with .Values.serviceAccount.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end -}}
|
|
|
@ -13,29 +13,32 @@ imagePullSecrets: []
|
||||||
nameOverride: ""
|
nameOverride: ""
|
||||||
fullnameOverride: ""
|
fullnameOverride: ""
|
||||||
|
|
||||||
serviceAccount:
|
priviliges:
|
||||||
# Specifies whether a service account should be created
|
# Disable Kubernetes API Server Access - even to the discovery APIs
|
||||||
create: true
|
useServiceAccount: false
|
||||||
# Annotations to add to the service account
|
# Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
|
||||||
annotations: {}
|
#bindClusterRole: cluster-admin
|
||||||
# The name of the service account to use.
|
|
||||||
# If not set and create is true, a name is generated using the fullname template
|
|
||||||
name:
|
|
||||||
|
|
||||||
podSecurityContext: {}
|
#
|
||||||
|
# Priviliges related to node hosting metasploit Pod
|
||||||
|
# See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||||
|
podSecurityContext: {}
|
||||||
# fsGroup: 2000
|
# fsGroup: 2000
|
||||||
|
# Metasploit container security context
|
||||||
securityContext: {}
|
securityContext: {}
|
||||||
|
#allowPrivilegeEscalation: false
|
||||||
# capabilities:
|
# capabilities:
|
||||||
|
# add:
|
||||||
|
# - NET_BIND_SERVICE
|
||||||
# drop:
|
# drop:
|
||||||
# - ALL
|
# - all
|
||||||
# readOnlyRootFilesystem: true
|
#runAsNonRoot: true
|
||||||
# runAsNonRoot: true
|
#runAsUser: 1000
|
||||||
# runAsUser: 1000
|
#runAsGroup: 1000
|
||||||
|
|
||||||
service:
|
service:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
port: 80
|
port: 4444
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
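Review bot: The new top-level key is spelled `priviliges`, and deployment.yaml and serviceaccount.yaml reference that spelling; values keys are the chart's public interface, so correcting it after release breaks every user's overrides, and `privileges:` should go in now. The hardening options under `securityContext` (`allowPrivilegeEscalation: false`, `capabilities.drop: [all]`, `runAsNonRoot`, `runAsUser`, `runAsGroup`) are all left commented, so the default install runs with whatever the image provides; if metasploit does not need them, shipping at least `allowPrivilegeEscalation: false` as the default and documenting why the others are off would make the "privileges" section self-explanatory. Minor style: `#bindClusterRole`, `#allowPrivilegeEscalation`, `#runAsNonRoot` and the following lines lack the space after `#` that the rest of the file uses, and `# - all` changed from `# - ALL`, which is the form the Kubernetes docs use for the drop-all capability.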
@ -43,12 +46,12 @@ ingress:
|
||||||
# kubernetes.io/ingress.class: nginx
|
# kubernetes.io/ingress.class: nginx
|
||||||
# kubernetes.io/tls-acme: "true"
|
# kubernetes.io/tls-acme: "true"
|
||||||
hosts:
|
hosts:
|
||||||
- host: chart-example.local
|
- host: metasploit.local
|
||||||
paths: []
|
paths: []
|
||||||
tls: []
|
tls: []
|
||||||
# - secretName: chart-example-tls
|
# - secretName: metasploit-tls
|
||||||
# hosts:
|
# hosts:
|
||||||
# - chart-example.local
|
# - metasploit.local
|
||||||
|
|
||||||
resources: {}
|
resources: {}
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||||
|
@ -68,11 +71,14 @@ tolerations: []
|
||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Postgres configuration (See chart.yaml dependencies)
|
||||||
|
#
|
||||||
msfdb:
|
msfdb:
|
||||||
image:
|
# image:
|
||||||
repository: postgres
|
# repository: postgres
|
||||||
tag: 10-alpine
|
# tag: 10-alpine
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
username: postgres
|
postgresqlUsername: postgres
|
||||||
password: postgres
|
postgresqlPassword: postgres
|
||||||
|
|
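Review bot: `postgresqlPassword: postgres` (alongside `postgresqlUsername: postgres`) ships a fixed default credential that the chart renders into the database URL in the secret template, so every install that does not override it runs with a known password. Leaving the value empty and failing the render with `required` in the template, `{{ required "msfdb.postgresqlPassword must be set" .Values.msfdb.postgresqlPassword }}`, forces an explicit choice; simply blanking it is not enough, since the Bitnami subchart may then generate its own password that no longer matches the URL this chart builds. The commented-out `# image:` block means the postgres image now comes from the subchart's default, which a comment here should state so readers know where to pin it.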