kdigger icon indicating copy to clipboard operation
kdigger copied to clipboard
verified publisher icon quarkslab

Add a pod security manifest fuzzer

Open mtardy opened this issue 3 years ago • 0 comments

POC for #10.

The idea would be to generate a random valid manifest in order to fuzz the admission control. Not in a traditional fuzzing sense, like finding crashes and bugs in the implementation of the admission, but finding loopholes in the admission rules.

It uses google/gofuzz and custom fuzzing functions to generate a random but somehow valid v1.SecurityContext that can be injected into a pod's manifest.

This POC should be extended to support more fields, like stated in the original idea issue:

This should include pods with privileged initContainer and ephemeralContainers, as well as windows node specific security context fields.

In order to test this POC, checkout to the fuzz branch, compile with make and generate random SecurityContext with ./kdigger gen -f. You can generate multiples with something like that for example:

for _ in {0..10}; do ./kdigger gen -f -o json | jq '.spec.containers[].securityContext'; done

You can check against the API server if they are valid with:

./kdigger gen -f | kubectl apply --dry-run=server -f -

And by the way, I need to do an update on the main branch to scan the admission control with --dry-run by default.

mtardy avatar Oct 13 '22 13:10 mtardy