- switch to Bitnami postgresql repo
- Remove chart dependency - Update readme - Added configuration options to control various run privileges
parent
443fcb21c4
commit
1d31540e93
|
@ -0,0 +1,2 @@
|
|||
metasploit/charts
|
||||
metasploit.yaml
|
|
@ -19,6 +19,7 @@ generate-deployment: ##@Generate Generate K8S installation
|
|||
helm template metasploit metasploit > metasploit.yaml
|
||||
|
||||
install-chart: ##@Install Install Metasploit chart
|
||||
find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit
|
||||
helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
|
||||
|
||||
delete-chart: ##@Install Delete Metasploit chart
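Review bot: The guard `find -- metasploit/charts -prune -type d -empty || helm dep update ./metasploit` does not do what the `||` suggests: `find` exits 0 whether or not anything matched, so the dependency update only runs when `metasploit/charts` is missing entirely, and an existing-but-empty charts directory skips it. The decision has to be made on find's output, e.g. `[ -n "$$(find metasploit/charts -prune -type d ! -empty 2>/dev/null)" ] || helm dep update ./metasploit`. Separately, `helm dep update` rewrites Chart.lock, so the digest pinned in the Chart.lock hunk further down is never enforced at install time; `helm dependency build ./metasploit` fetches exactly the locked version and checks it against that digest, which is the safer command once the lock file is committed.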
|
||||
|
|
|
@ -1,4 +1,11 @@
|
|||
# Running Metasploit Inside Kubernetes
|
||||
|
||||
# Running Metasploit Framework Inside Kubernetes
|
||||
|
||||
Running metasploit framework inside Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
|
||||
|
||||
The installation chart also offers to install & run metasploit framework with different priviliges and permissions with respect to Kubernetes node hosting metasploit, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
|
||||
|
||||
# Installation
|
||||
|
||||
1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
|
||||
2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
|
||||
|
@ -7,6 +14,7 @@
|
|||
3. Install the helm chart by running:
|
||||
|
||||
```sh
|
||||
helm dep update ./metasploit
|
||||
helm upgrade --create-namespace -i -n metasploit metasploit ./metasploit
|
||||
```
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
dependencies:
|
||||
- name: postgresql
|
||||
repository: https://cetic.github.io/helm-charts
|
||||
version: 0.2.1
|
||||
digest: sha256:6687cfdd86342c5b69a6db7e4be01b406443cf172a77828b4687309530db24ed
|
||||
generated: "2021-10-05T12:07:31.052625733+03:00"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 10.12.2
|
||||
digest: sha256:04694bba08f5e004842d2b515d02ca6dabd796ee22933c131a5c814361df65af
|
||||
generated: "2021-10-07T11:21:47.040108617+03:00"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v2
|
||||
name: metasploit
|
||||
description: A Helm chart for deployiong metasploit framework into Kubernetes
|
||||
description: A Helm chart for deploying metasploit framework into Kubernetes
|
||||
|
||||
type: application
|
||||
|
||||
|
@ -18,12 +18,12 @@ icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
|
|||
sources:
|
||||
- https://github.com/rapid7/metasploit-framework
|
||||
maintainers:
|
||||
- email: gadi_naor@rapid7.com
|
||||
name: Gadi Naor
|
||||
- email: msfdev@metasploit.com
|
||||
name: Metasploit Hackers
|
||||
|
||||
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
version: '0.2.1'
|
||||
repository: https://cetic.github.io/helm-charts
|
||||
version: '10.12.2'
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
alias: msfdb
|
|
@ -50,14 +50,3 @@ Selector labels
|
|||
app.kubernetes.io/name: {{ include "metasploit.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "metasploit.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "metasploit.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
@ -18,11 +18,15 @@ spec:
|
|||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "metasploit.serviceAccountName" . }}
|
||||
{{- if .Values.priviliges.useServiceAccount }}
|
||||
serviceAccountName: {{ include "metasploit.fullname" . }}
|
||||
{{ end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
{{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
command: ["/bin/bash"]
|
||||
tty: true
|
||||
stdin: true
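Review bot: With `useServiceAccount: false` the new block merely omits `serviceAccountName`, so the pod runs under the namespace's `default` service account and its token is still auto-mounted into the container; that does not remove API-server access (the default account is in `system:authenticated`, which the built-in bindings grant discovery rights), so the values.yaml comment for this key, `# Disable Kubernetes API Server Access - even to the discovery APIs`, describes something the template does not do. The else branch needs an explicit opt-out: replace the bare `{{ end }}` with `{{- else }}` / `automountServiceAccountToken: false` / `{{- end }}`. The untrimmed `{{ end }}` also leaves a whitespace-only line in the rendered manifest, which the `{{- end }}` form avoids. The Deployment spec continues outside this hunk.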
|
||||
|
@ -33,24 +37,11 @@ spec:
|
|||
name: {{ include "metasploit.fullname" . }}
|
||||
key: database-url
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
{{- toYaml .Values.priviliges.securityContext | nindent 12 }}
|
||||
ports:
|
||||
- containerPort: 4444
|
||||
protocol: TCP
|
||||
name: metasploit
|
||||
# - name: http
|
||||
# containerPort: 80
|
||||
# protocol: TCP
|
||||
# livenessProbe:
|
||||
# httpGet:
|
||||
# path: /
|
||||
# port: metasploit
|
||||
# readinessProbe:
|
||||
# httpGet:
|
||||
# path: /
|
||||
# port: metasploit
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
|
||||
{{ $chartName := include "metasploit.fullname" . }}
|
||||
{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.username .Values.msfdb.password $chartName }}
|
||||
{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" .Values.msfdb.postgresqlUsername .Values.msfdb.postgresqlPassword $chartName }}
|
||||
|
||||
---
|
||||
apiVersion: v1
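Review bot: The database URL is assembled with a plain `printf`, so a `postgresqlPassword` (or username) containing URL-reserved characters such as `@`, `/`, `:`, `#` or `%` produces a malformed `postgres://` URL and a connection failure that is hard to diagnose from inside the pod. Percent-encoding the two values with the Go template builtin keeps the URL well-formed for any credential: `{{ $dburl := printf "postgres://%s:%s@%s-msfdb:5432/msf?pool=200&timeout=5" (.Values.msfdb.postgresqlUsername | urlquery) (.Values.msfdb.postgresqlPassword | urlquery) $chartName }}`. The rest of the secret template lies outside the hunk.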
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
{{- if .Values.priviliges.useServiceAccount -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "metasploit.fullname" . }}
|
||||
labels:
|
||||
{{- include "metasploit.labels" . | nindent 4 }}
|
||||
|
||||
---
|
||||
{{- if ne .Values.priviliges.bindClusterRole "" -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "metasploit.fullname" . }}
|
||||
labels:
|
||||
{{- include "metasploit.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ .Values.priviliges.bindClusterRole }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "metasploit.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end -}}
|
||||
{{- end -}}
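Review bot: `{{- if ne .Values.priviliges.bindClusterRole "" -}}` is fragile for the shipped default, where values.yaml leaves `#bindClusterRole: cluster-admin` commented out: the value is then nil rather than an empty string, and comparing nil with a string via `ne` has raised "incompatible types for comparison" on older Go/Helm builds instead of evaluating to false. A truthiness test, `{{- if .Values.priviliges.bindClusterRole -}}`, handles both unset and empty. Also note the object is a `RoleBinding`, so even `cluster-admin` is granted only within `{{ .Release.Namespace }}`; the values.yaml comment "Run metasploit framework as Kubernetes cluster admin" overstates this, and it is worth either correcting the comment to say the grant is namespace-scoped (the smaller blast radius, and arguably the intended one) or documenting that a `ClusterRoleBinding` is deliberately not created.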
|
|
@ -1,12 +0,0 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "metasploit.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "metasploit.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -13,29 +13,32 @@ imagePullSecrets: []
|
|||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name:
|
||||
priviliges:
|
||||
# Disable Kubernetes API Server Access - even to the discovery APIs
|
||||
useServiceAccount: false
|
||||
# Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
|
||||
#bindClusterRole: cluster-admin
|
||||
|
||||
podSecurityContext: {}
|
||||
#
|
||||
# Priviliges related to node hosting metasploit Pod
|
||||
# See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# Metasploit container security context
|
||||
securityContext: {}
|
||||
#allowPrivilegeEscalation: false
|
||||
# capabilities:
|
||||
# add:
|
||||
# - NET_BIND_SERVICE
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
# - all
|
||||
#runAsNonRoot: true
|
||||
#runAsUser: 1000
|
||||
#runAsGroup: 1000
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
port: 4444
|
||||
|
||||
ingress:
|
||||
enabled: false
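Review bot: The new top-level key is spelt `priviliges`, and the same spelling is carried into deployment.yaml, rbac.yaml and the README; since this commit is what introduces the key, renaming it to `privileges` now avoids a breaking values rename once users have overrides in place. If `# - all` is the added line under the commented `drop:` example, it should read `# - ALL`, which is the form the Kubernetes documentation uses for the drop-everything case; lowercase is not guaranteed to be recognised by every runtime. The hunk's remaining changes (`port: 4444`, ingress host rename) are fine as they stand.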
|
||||
|
@ -43,12 +46,12 @@ ingress:
|
|||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- host: chart-example.local
|
||||
- host: metasploit.local
|
||||
paths: []
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# - secretName: metasploit-tls
|
||||
# hosts:
|
||||
# - chart-example.local
|
||||
# - metasploit.local
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
|
@ -68,11 +71,14 @@ tolerations: []
|
|||
|
||||
affinity: {}
|
||||
|
||||
#
|
||||
# Postgres configuration (See chart.yaml dependencies)
|
||||
#
|
||||
msfdb:
|
||||
image:
|
||||
repository: postgres
|
||||
tag: 10-alpine
|
||||
# image:
|
||||
# repository: postgres
|
||||
# tag: 10-alpine
|
||||
persistence:
|
||||
enabled: true
|
||||
username: postgres
|
||||
password: postgres
|
||||
postgresqlUsername: postgres
|
||||
postgresqlPassword: postgres
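Review bot: `postgresqlUsername: postgres` / `postgresqlPassword: postgres` ships a fixed, well-known default credential that the secret template renders straight into `database-url`, so any install that does not override it exposes the msf database with a guessable password to anything in the cluster that can reach `<release>-msfdb:5432`. The usual chart convention is to leave the password unset and fail the render with `required` (or point at a pre-created secret) rather than default it; at minimum the `msfdb:` block needs a comment such as `# postgresqlPassword has no safe default: set it per install (e.g. --set msfdb.postgresqlPassword=...)`. Whether the Bitnami chart also consumes these renamed keys to create the database user is implied by the rename but not visible in this hunk.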
|
||||
|
|