feat(skills): add Kubernetes security testing skill#394
Conversation
….md) Add comprehensive Kubernetes cluster security testing knowledge package covering RBAC misconfigurations, exposed APIs, container escapes, network policy gaps, secret management issues, workload misconfigs, and supply chain risks. Closes usestrix#324 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Greptile SummaryAdds Confidence Score: 5/5Safe to merge; only one minor P2 style issue remains with the cgroup subsystem choice in the escape snippet All three previously blocking issues are resolved, the skill content is technically accurate, and the single remaining finding is a P2 suggestion that does not affect correctness of the skill as a knowledge document No files require special attention Important Files Changed
Prompt To Fix All With AIThis is a comment left during a code review.
Path: strix/skills/cloud/kubernetes.md
Line: 83
Comment:
**`rdma` cgroup subsystem may not be available**
`mount -t cgroup -o rdma` requires `CONFIG_CGROUP_RDMA` to be compiled into the kernel, which is optional and absent on many production Linux distributions and cloud-provider node images. An agent following this command on such a node will get a mount failure and silently fail the entire escape attempt. The `memory` subsystem is available on virtually every kernel that supports cgroup v1.
```suggestion
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
```
How can I resolve this? If you propose a fix, please make it concise.Reviews (4): Last reviewed commit: "Clarify cgroup escape requirements" | Re-trigger Greptile |
| - Client certificates (kubeconfig files, often found in CI/CD configs, home dirs, cloud storage) | ||
| - OIDC tokens, webhook tokens, cloud provider IAM-to-K8s mappings (EKS IRSA, GKE Workload Identity) | ||
| - Anonymous access (disabled by default since 1.6 but still found in the wild) | ||
|
|
There was a problem hiding this comment.
Anonymous auth is enabled by default, not disabled
The parenthetical (disabled by default since 1.6 but still found in the wild) is factually backwards. The --anonymous-auth flag defaults to true in every Kubernetes release, including 1.6+. Unauthenticated requests receive the identity system:anonymous / system:unauthenticated. What changed in 1.6 is that the RBAC authorizer became the default and system:unauthenticated no longer has a default ClusterRole binding — so anonymous auth is on but unprivileged by default.
An agent reading this will assume the API server rejects anonymous requests unless explicitly misconfigured, and may skip probing for anonymous access on clusters where anonymous auth is working as-shipped (enabled, no useful RBAC). The correct framing:
| - Anonymous access (enabled by default but grants no permissions unless explicitly bound via RBAC; the API server accepts anonymous requests and assigns `system:unauthenticated` group membership by default) |
Prompt To Fix With AI
This is a comment left during a code review.
Path: strix/skills/cloud/kubernetes.md
Line: 32
Comment:
**Anonymous auth is enabled by default, not disabled**
The parenthetical `(disabled by default since 1.6 but still found in the wild)` is factually backwards. The `--anonymous-auth` flag defaults to `true` in every Kubernetes release, including 1.6+. Unauthenticated requests receive the identity `system:anonymous` / `system:unauthenticated`. What changed in 1.6 is that the RBAC authorizer became the default and `system:unauthenticated` no longer has a default ClusterRole binding — so anonymous auth is **on** but **unprivileged** by default.
An agent reading this will assume the API server rejects anonymous requests unless explicitly misconfigured, and may skip probing for anonymous access on clusters where anonymous auth is working as-shipped (enabled, no useful RBAC). The correct framing:
```suggestion
- Anonymous access (enabled by default but grants no permissions unless explicitly bound via RBAC; the API server accepts anonymous requests and assigns `system:unauthenticated` group membership by default)
```
How can I resolve this? If you propose a fix, please make it concise.|
|
||
| 1. Start with `kubectl auth can-i --list` to understand your blast radius before probing anything | ||
| 2. Service account tokens in `/var/run/secrets/` are your first pivot point from any compromised pod | ||
| 3. Test metadata endpoint access early - cloud credentials from pods are the fastest path to cluster-admin |
There was a problem hiding this comment.
Pro Tip #6 conflates
privileged and CAP_SYS_ADMIN as independent co-requirements
privileged: true already grants every Linux capability, including CAP_SYS_ADMIN. Telling an agent they must find both will cause it to skip the cgroup release_agent escape for pods that have only CAP_SYS_ADMIN explicitly granted (without privileged: true) — which is a real and common scenario. The Container Escapes section above correctly states "CAP_SYS_ADMIN + unconfined AppArmor" is sufficient on its own; this tip contradicts that.
| 3. Test metadata endpoint access early - cloud credentials from pods are the fastest path to cluster-admin | |
| 6. Container escapes via cgroup release_agent require `CAP_SYS_ADMIN` (granted by `privileged: true` or as a standalone capability) and an unconfined AppArmor/seccomp profile - either condition grants the mount syscall needed for the technique |
Prompt To Fix With AI
This is a comment left during a code review.
Path: strix/skills/cloud/kubernetes.md
Line: 213
Comment:
**Pro Tip #6 conflates `privileged` and `CAP_SYS_ADMIN` as independent co-requirements**
`privileged: true` already grants every Linux capability, including `CAP_SYS_ADMIN`. Telling an agent they must find *both* will cause it to skip the cgroup release_agent escape for pods that have only `CAP_SYS_ADMIN` explicitly granted (without `privileged: true`) — which is a real and common scenario. The Container Escapes section above correctly states "`CAP_SYS_ADMIN` + unconfined AppArmor" is sufficient on its own; this tip contradicts that.
```suggestion
6. Container escapes via cgroup release_agent require `CAP_SYS_ADMIN` (granted by `privileged: true` or as a standalone capability) and an unconfined AppArmor/seccomp profile - either condition grants the mount syscall needed for the technique
```
How can I resolve this? If you propose a fix, please make it concise.|
Thanks @mvanhorn, merging now! |
|
Thanks for landing the Kubernetes security skill, @bearsyankees. |
* feat(skills): add Kubernetes security testing skill (cloud/kubernetes.md) Add comprehensive Kubernetes cluster security testing knowledge package covering RBAC misconfigurations, exposed APIs, container escapes, network policy gaps, secret management issues, workload misconfigs, and supply chain risks. Closes usestrix#324 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix Kubernetes secret decode command * Address Kubernetes review feedback * Clarify cgroup escape requirements --------- Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: bearsyankees <bearsyankees@gmail.com>
* feat(skills): add Kubernetes security testing skill (cloud/kubernetes.md) Add comprehensive Kubernetes cluster security testing knowledge package covering RBAC misconfigurations, exposed APIs, container escapes, network policy gaps, secret management issues, workload misconfigs, and supply chain risks. Closes usestrix#324 * Fix Kubernetes secret decode command * Address Kubernetes review feedback * Clarify cgroup escape requirements --------- Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: bearsyankees <bearsyankees@gmail.com>
Summary
Adds
strix/skills/cloud/kubernetes.md- the first skill in thecloud/category. Covers 7 attack domains for Kubernetes cluster security testing.Why this matters
The
cloud/directory has a.gitkeepplaceholder but zero skills (#324). Strix has 17 vulnerability skills, 9 tooling skills, and 3 framework skills - but no cloud infrastructure coverage. Kubernetes is the most common container orchestration target, and agents currently lack the domain knowledge to test it.Changes
One new file:
strix/skills/cloud/kubernetes.md(218 lines)Covers:
Each section includes specific
kubectlcommands, curl probes, and validation methods. Format matches the existing SSRF skill (the gold standard at 182 lines).No code changes. The skill loader in
strix/skills/__init__.pyauto-discovers.mdfiles in category directories.Video Demo
Testing
No Python changes -
make check-allis unaffected. The skill is a markdown knowledge package that gets injected into agent system prompts at runtime.This contribution was developed with AI assistance (Claude Code).
Fixes #324