[core] Add configuration file

Makefile

@@ -41,6 +41,7 @@ thirdparty-licenses:
 
 mocks:
 	@echo "Generating mocks..."
+	@cd v2 && mockery --name=Config --dir internal/config --output internal/config/mocks
 	@cd v2 && mockery --name=StateManager --dir internal/state --output internal/state/mocks
 	@cd v2 && mockery --name=TerraformManager --dir pkg/stratus/runner --output pkg/stratus/runner/mocks
 	@cd v2 && mockery --name=FileSystem --structname FileSystemMock --dir internal/state --output internal/state/mocks

docs/user-guide/commands/detonate.md

@@ -1,12 +1,13 @@
 ---
 title: detonate
 ---
+
 # `stratus detonate`
 
 Detonates an attack technique.
 
-* If the technique was previously warmed up using `stratus warmup`, it will not be warmed up again.
-* Otherwise, `stratus detonate` will automatically warm up the technique before detonating it.
+- If the technique was previously warmed up using `stratus warmup`, it will not be warmed up again.
+- Otherwise, `stratus detonate` will automatically warm up the technique before detonating it.
 
 ## Sample Usage
 
@@ -20,4 +21,4 @@ stratus detonate aws.exfiltration.s3-backdoor-bucket-policy aws.defense-evasion.
 
 ```bash title="Detonate an attack technique, then automatically clean up any resources deployed on AWS"
 stratus detonate aws.exfiltration.s3-backdoor-bucket-policy --cleanup
-```
+```

docs/user-guide/commands/warmup.md

@@ -1,6 +1,7 @@
 ---
 title: warmup
 ---
+
 # `stratus warmup`
 
 "Warm up" an attack technique by spinning up the prerequisite infrastructure or configuration, without detonating it.
@@ -9,7 +10,6 @@ For example, the attack technique [Exfiltrate an AMI by Sharing It](https://stra
 
 ## Sample Usage
 
-
 ```bash title="Warm up an attack technique"
 stratus warmup aws.exfiltration.ec2-share-ami
 ```
@@ -20,4 +20,4 @@ stratus warmup aws.exfiltration.ec2-share-ami aws.exfiltration.s3-backdoor-bucke
 
 ```bash title="(advanced) Warm up again an attack technique that was already WARM, to ensure its prerequisites are met"
 stratus warmup aws.exfiltration.ec2-share-ami --force
-```
+```

docs/user-guide/getting-started.md

@@ -26,10 +26,10 @@ alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-te
 
 ## Concepts
 
-An <span class="concept">attack technique</span> is a granular TTP that has *prerequisites* infrastructure or configuration.
+An <span class="concept">attack technique</span> is a granular TTP that has _prerequisites_ infrastructure or configuration.
 You can see the list of attack techniques supported by Stratus Red Team [here](../attack-techniques/list.md).
 
-<span class="concept">Warming up</span> an attack technique means making sure its prerequisites are met, without detonating it. 
+<span class="concept">Warming up</span> an attack technique means making sure its prerequisites are met, without detonating it.
 Warm-up is a preparation phase, before executing the actual attack. Behind the scenes, Stratus Red Team transparently uses Terraform[^1] to spin up and tear down the prerequisites of each attack technique.
 
 <span class="concept">Detonating</span> an attack technique means executing it against a live environment, for instance against a test AWS account.
@@ -153,12 +153,11 @@ $ az account list
 export AZURE_SUBSCRIPTION_ID=45e0ad3f-ff94-499a-a2f0-bbb884e9c4a3
 ```
 
-!!! Note
+!!! note
 
     When using Stratus Red Team with Azure, the location in which resources are created cannot be configured and is
     fixed to `West US` (California). See why [here](https://github.com/DataDog/stratus-red-team/discussions/125).
 
-
 ### Microsoft Entra ID
 
 - Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) to authenticate against your Azure tenant:
@@ -183,13 +182,50 @@ export GOOGLE_PROJECT=your-project-id
 
 ### Kubernetes
 
-Stratus Red Team does not create a Kubernetes cluster for you. 
+Stratus Red Team does not create a Kubernetes cluster for you.
 Instead, it assumes you're already authenticated against a test Kubernetes cluster with kubectl and uses your default context.
 
 As a rule of thumb, Stratus Red Team detonates attack techniques against the cluster you see when running `kubectl cluster-info`.
 
 Tested with Minikube and AWS EKS.
 
+## Configuration File
+
+You can create a configuration file at `~/.stratus-red-team/config.yaml` to customize behavior:
+
+```yaml
+kubernetes:
+  default:
+    namespace: "security-testing" # Namespace for k8s techniques, for instance if your user is not allowed to create a namespace
+    # You can add labels that can help you find the generated IoCs, attribute the pod, etc.
+    labels:
+      app: "stratus-red-team"
+      team: "your-team-name"
+    tolerations: # Tolerations, in case your cluster requires this kind of information to schedule pods correctly
+      - key: "dedicated"
+        operator: "Equal"
+        value: "security"
+        effect: "NoSchedule"
+    nodeSelector:
+      team: "security"
+  techniques:
+    "k8s.privilege-escalation.privileged-pod":
+      image: "your-registry/busybox:stable"
+      tolerations: ...
+```
+
+This is currently only used in some Kubernetes attacks and allows you to:
+- Add labels to your pods (Attribution, CNP policy selectors, monitoring...)
+- Use a specific namespace instead of creating one (if you don't want to give permissions to create namespaces)
+- Override container images (useful when there are restrictions to use only images from private registries)
+- Add tolerations and node selectors for pod scheduling
+- Use a custom SecurityContext
+
+The kubernetes configuration has a default subsection. This subsection is applied to all techniques and can be overridden key by key in the techniques.attack-id subsection.
+
+!!! note
+
+    Use the `STRATUS_CONFIG_PATH` environment variable to use a config file at a different location.
 
 Encountering issues? See our [troubleshooting](./troubleshooting.md) page, or [open an issue](https://github.com/DataDog/stratus-red-team/issues/new/choose).
 

v2/go.mod

@@ -48,6 +48,7 @@ require (
 	github.com/microsoftgraph/msgraph-beta-sdk-go v0.108.0
 	github.com/microsoftgraph/msgraph-sdk-go-core v1.2.1
 	github.com/spf13/cobra v1.6.0
+	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/oauth2 v0.27.0
 	golang.org/x/sync v0.16.0
@@ -87,11 +88,13 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -120,18 +123,25 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/std-uritemplate/std-uritemplate/go v0.0.57 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
 	go.opentelemetry.io/otel v1.34.0 // indirect
 	go.opentelemetry.io/otel/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.26.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/term v0.34.0 // indirect

v2/go.sum

@@ -166,6 +166,10 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
@@ -187,6 +191,8 @@ github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
 github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
@@ -313,6 +319,8 @@ github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU=
 github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
 github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
 github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -326,15 +334,26 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
+github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
 github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v1.6.0 h1:42a0n6jwCot1pUmomAp4T7DeMD+20LFv4Q54pxLf2LI=
 github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
+github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/std-uritemplate/std-uritemplate/go v0.0.57 h1:GHGjptrsmazP4IVDlUprssiEf9ESVkbjx15xQXXzvq4=
 github.com/std-uritemplate/std-uritemplate/go v0.0.57/go.mod h1:rG/bqh/ThY4xE5de7Rap3vaDkYUT76B0GPJ0loYeTTc=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
@@ -349,6 +368,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -373,6 +394,8 @@ go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiy
 go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
 go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
 go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=

v2/internal/attacktechniques/k8s/credential-access/steal-serviceaccount-token/main.go

@@ -3,14 +3,15 @@ package kubernetes
 import (
 	_ "embed"
 	"errors"
+	"log"
+	"strings"
+
 	"github.com/datadog/stratus-red-team/v2/pkg/stratus"
 	"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
 	"github.com/golang-jwt/jwt/v4"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/remotecommand"
-	"log"
-	"strings"
 )
 
 //go:embed main.tf
@@ -78,6 +79,7 @@ Sample event (shortened):
 ` + codeBlock + `
 `,
 		PrerequisitesTerraformCode: tf,
+		TerraformOverrideConfig:    []string{"kubernetes.namespace", "kubernetes.pod.image", "kubernetes.pod.labels", "kubernetes.pod.node_selector", "kubernetes.pod.tolerations"},
 		Detonate:                   detonate,
 	})
 }

v2/internal/attacktechniques/k8s/credential-access/steal-serviceaccount-token/main.tf

@@ -7,12 +7,51 @@ terraform {
   }
 }
 
+variable "config" {
+  type = object({
+    kubernetes = object({
+      namespace = optional(string, "")
+      pod = optional(object({
+        image         = optional(string, "")
+        labels        = optional(map(string), {})
+        node_selector = optional(map(string), {})
+        tolerations = optional(list(object({
+          key      = string
+          operator = string
+          value    = string
+          effect   = string
+        })), [])
+      }), { image = "", labels = {}, node_selector = {}, tolerations = [] })
+    })
+  })
+  default = {
+    kubernetes = {
+      namespace = ""
+      pod = {
+        image         = ""
+        labels        = {}
+        node_selector = {}
+        tolerations   = []
+      }
+    }
+  }
+}
+
 locals {
   kubeconfig_path = pathexpand("~/.kube/config")
-  namespace       = format("stratus-red-team-%s", random_string.suffix.result)
-  labels = {
+
+  base_labels = {
     "datadoghq.com/stratus-red-team" : true
   }
+  custom_labels = var.config.kubernetes.pod.labels
+  labels        = merge(local.base_labels, local.custom_labels)
+
+  create_namespace  = var.config.kubernetes.namespace == ""
+  generated_ns_name = format("stratus-red-team-%s", random_string.suffix.result)
+  namespace         = local.create_namespace ? local.generated_ns_name : var.config.kubernetes.namespace
+
+  image = var.config.kubernetes.pod.image != "" ? var.config.kubernetes.pod.image : "public.ecr.aws/docker/library/alpine:3.15.0"
+
   resource_prefix = "stratus-red-team-ssat" # stratus red team steal service account token
 }
 
@@ -29,8 +68,9 @@ resource "random_string" "suffix" {
 }
 
 resource "kubernetes_namespace" "namespace" {
+  count = local.create_namespace ? 1 : 0
   metadata {
-    name   = local.namespace
+    name   = local.generated_ns_name
     labels = local.labels
   }
 }
@@ -39,7 +79,7 @@ resource "kubernetes_service_account" "serviceaccount" {
   metadata {
     name      = format("%s-sa", local.resource_prefix)
     labels    = local.labels
-    namespace = kubernetes_namespace.namespace.metadata[0].name
+    namespace = local.namespace
   }
 }
 
@@ -51,23 +91,33 @@ resource "kubernetes_pod" "pod" {
   }
   spec {
     service_account_name = kubernetes_service_account.serviceaccount.metadata[0].name
+    node_selector        = var.config.kubernetes.pod.node_selector
     container {
-      image   = "public.ecr.aws/docker/library/alpine:3.15.0"
+      image   = local.image
       name    = "main-container"
       command = ["/bin/sh"]
       args    = ["-c", "while true; do sleep 3600; done"]
     }
+    dynamic "toleration" {
+      for_each = var.config.kubernetes.pod.tolerations
+      content {
+        key      = toleration.value.key
+        operator = toleration.value.operator
+        value    = toleration.value.value
+        effect   = toleration.value.effect
+      }
+    }
   }
 }
 
 output "namespace" {
-  value = kubernetes_namespace.namespace.metadata[0].name
+  value = local.namespace
 }
 
 output "pod_name" {
   value = kubernetes_pod.pod.metadata[0].name
 }
 
 output "display" {
-  value = format("Pod %s in namespace %s ready", kubernetes_pod.pod.metadata[0].name, kubernetes_namespace.namespace.metadata[0].name)
+  value = format("Pod %s in namespace %s ready", kubernetes_pod.pod.metadata[0].name, local.namespace)
 }