What does this PR do?
Enhancement
Add a config file to customise the attack techniques, specifically the Kubernetes ones by passing config overrides to the deployed terraform resources.
The config file is entirely optional. If not set by the user, no config file is created, no terraform variables are passed to the state manager, no variable files are persisted to disk...
Motivation
When running Stratus Red Team in a Kubernetes cluster, it uses the user's identity. The user may not have the permission to create a namespace, blocking all k8s attacks that need a place to deploy a pod at the warmup step.
The objective of this PR is to allow the user to target an existing namespace to deploy the pods.
We stay close to the Stratus Red Team philosophy of "The attack technique makes no assumption about the state of the environment prior to warming it up" because the only expectation is an existing namespace, which is not 'volatile' (it's not much more than expecting the cluster to actually be there). We do not allow directly targeting a pod, though, as assuming anything about a k8s object that is ephemeral by design would go against this principle.
This also adds the possibility to customise pod images/labels/tolerations/node_placement - some clusters have given Node Groups, Cilium Network Policies, Container registry policies... that require those values to be set for the pod to be correctly scheduled and started.
Changes
- `config.yaml` file. This file can be set in `<stratus_root>/config.yaml` (`stratus_root` is `~/.stratus-red-team/` by default), or pointed to by the env var `STRATUS_CONFIG_PATH`.
- `namespace` variable. If set, SRT will not try to create a new namespace for the attacks, but use the provided one.
- The config code is meant to be platform agnostic - the only parts that need to be set platform by platform are the override system and the conversion to a Go object to be used in the code directly.

For instance for k8s:

- A `default` key and a `techniques` key. If a key exists in both subsets, the technique one overrides the default one.
- `K8sPodConfig` structure to be applied in the code directly, as some attacks do not create the resource with terraform but directly with an API call and require this information.
- There is no constraint on what is set in the config file, as long as it's valid yaml. The source of truth and reference for the variables used in an attack is the `TerraformOverrideConfig` array.
- If a terraform file defines a config variable and expects it to be filled by the config, it must declare it in its `TerraformOverrideConfig`.

Example
If I try to run Stratus Red Team in a cluster where I don't have the permission to create namespaces, I will have the following error:
But if I create a config file specifying a namespace I control where I am allowed to deploy pods:
```
STRATUS_CONFIG_PATH=/Users/simon.marechal/stratus/config.yaml ./bin/stratus detonate k8s.privilege-escalation.privileged-pod
2026/02/26 17:17:08 Checking your authentication against kubernetes
2026/02/26 17:17:11 Warming up k8s.privilege-escalation.privileged-pod
2026/02/26 17:17:11 Applying Terraform to spin up technique prerequisites
2026/02/26 17:17:12 Namespace stratus-training ready
2026/02/26 17:17:13 Creating privileged pod k8s.privilege-escalation.privileged-pod
2026/02/26 17:17:13 Privileged pod k8s.privilege-escalation.privileged-pod created in namespace stratus-training
```

QA Instructions
- `make test`
- `docker build .`
- `terraform fmt -recursive -check` in `v2/internal/attacktechniques` - skipped, not relevant
- `stratus detonate` works with or without config file
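The override mechanism described under Changes (a `default` block, per-technique blocks that win over it, and a `TerraformOverrideConfig` allowlist that decides which merged keys actually reach Terraform) can be illustrated with a small stand-alone Go program. This is an added example written for this page, not code from the PR or from Stratus Red Team: the `Config` type, the `image` and `node_selector` keys, the registry name, and the declared-variable list are all assumptions made for the illustration; only `namespace` and the technique id come from the PR text. The config is built in memory rather than parsed from YAML so the example runs without any third-party library.

```go
package main

import (
	"fmt"
	"sort"
)

// Config is this example's model of the config file the PR describes: a "default"
// block plus per-technique blocks under "techniques". The type and field names are
// assumptions made for this illustration, not the project's own types; the real
// tool parses the YAML file into whatever structure it defines.
type Config struct {
	Default    map[string]any
	Techniques map[string]map[string]any
}

// sampleConfig is a constructed config, the in-memory equivalent of a config.yaml such as:
//
//	default:
//	  namespace: stratus-training
//	  image: busybox:1.36
//	techniques:
//	  k8s.privilege-escalation.privileged-pod:
//	    image: registry.internal.example/busybox:1.36
//	    node_selector: workers
//
// Only "namespace" is a key named by the PR; "image" and "node_selector" are assumed names.
var sampleConfig = &Config{
	Default: map[string]any{
		"namespace": "stratus-training",
		"image":     "busybox:1.36",
	},
	Techniques: map[string]map[string]any{
		"k8s.privilege-escalation.privileged-pod": {
			"image":         "registry.internal.example/busybox:1.36",
			"node_selector": "workers",
		},
	},
}

// mergedOverrides computes the effective overrides for one technique: every key from
// "default", with keys present under the technique's own block taking precedence.
// A nil config (no file configured) yields an empty map, so nothing is passed on.
func mergedOverrides(cfg *Config, technique string) map[string]any {
	out := map[string]any{}
	if cfg == nil {
		return out
	}
	for k, v := range cfg.Default {
		out[k] = v
	}
	for k, v := range cfg.Techniques[technique] {
		out[k] = v
	}
	return out
}

// terraformVars keeps only the keys the technique declared as overridable (the
// allowlist role TerraformOverrideConfig plays in the PR) and returns them as the
// variables to hand to Terraform. Keys that were set but not declared are returned
// separately so a misspelt key in the config is visible instead of silently ignored.
func terraformVars(overrides map[string]any, declared []string) (vars map[string]any, ignored []string) {
	allowed := make(map[string]bool, len(declared))
	for _, d := range declared {
		allowed[d] = true
	}
	vars = map[string]any{}
	for k, v := range overrides {
		if allowed[k] {
			vars[k] = v
		} else {
			ignored = append(ignored, k)
		}
	}
	sort.Strings(ignored)
	return vars, ignored
}

func main() {
	const technique = "k8s.privilege-escalation.privileged-pod"
	// Assumed: the variables this technique's terraform declares as overridable.
	declared := []string{"namespace", "image"}

	// No config file: nothing is merged and nothing reaches Terraform.
	vars, _ := terraformVars(mergedOverrides(nil, technique), declared)
	fmt.Printf("without config: %d variables\n", len(vars))

	// With the sample config: the technique block wins over default, undeclared keys are flagged.
	vars, ignored := terraformVars(mergedOverrides(sampleConfig, technique), declared)
	keys := make([]string, 0, len(vars))
	for k := range vars {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("with config: -var %s=%v\n", k, vars[k])
	}
	fmt.Printf("ignored (not in TerraformOverrideConfig): %v\n", ignored)
}
```

The point of reporting `ignored` rather than dropping undeclared keys is practical: the PR states there is no constraint on what the file contains, so a key that is misspelt or that the technique never declared would otherwise have no visible effect, and the warmup would still run with the built-in values.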