Create a new file called new-network.xml with the following content:
<network>
<name>custom-net</name>
ralvares
/ gist:76ad83e03d2f6b804f4b5a8a33740896
Created
July 7, 2025 06:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Kubernetes Tier 1 Threat Hunting Demo with Audit Logs | |
| This is a full step-by-step demo for hunting Kubernetes threats using audit logs on an OpenShift cluster with access to `/var/log/kube-apiserver/audit.log`. It simulates a realistic attacker scenario where a pod is compromised and its ServiceAccount is used to escalate privileges and perform malicious actions. | |
| All actions happen in the **`default` namespace**, and detections rely **only on verbs, resources, and subresources** — no assumptions about usernames, pod names, or namespaces. | |
| --- | |
| ## Step 0: Create Pod with kubectl and curl (Attacker foothold) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: platform.stackrox.io/v1alpha1 | |
| kind: SecuredCluster | |
| metadata: | |
| name: stackrox-secured-cluster-services | |
| namespace: stackrox | |
| spec: | |
| sensor: | |
| resources: | |
| requests: | |
| cpu: 10m |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: platform.stackrox.io/v1alpha1 | |
| kind: SecuredCluster | |
| metadata: | |
| name: stackrox-secured-cluster-services | |
| namespace: stackrox | |
| spec: | |
| customize: | |
| envVars: | |
| - name: ROX_SCANNER_V4_RED_HAT_CVES | |
| value: 'true' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: platform.stackrox.io/v1alpha1 | |
| kind: Central | |
| metadata: | |
| name: stackrox-central-services | |
| namespace: stackrox | |
| spec: | |
| customize: | |
| envVars: | |
| - name: ROX_EXTERNAL_IPS | |
| value: 'true' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DOCKER_CONFIG_JSON=`oc extract secret/pull-secret -n openshift-config --to=-` | |
| oc create secret generic multiclusterhub-operator-pull-secret \ | |
| -n open-cluster-management-observability \ | |
| --from-literal=.dockerconfigjson="$DOCKER_CONFIG_JSON" \ | |
| --type=kubernetes.io/dockerconfigjson | |
| ACCESS_KEY="" | |
| SECRET_KEY="" |
ralvares
/ generate_netpol.sh
Last active
March 9, 2023 13:42
Generate Network Policies using roxctl (npguard) from running deployments.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if [ $# -eq 0 ] | |
| then | |
| echo "try: $0 payments-v2 frontend backend" | |
| exit 1 | |
| fi | |
| > netpols.yaml | |
| for namespace in $@ | |
| do |
ralvares
/ secured-cluster.yaml
Created
February 17, 2023 09:17
rhacs yaml definition adding proxy configuration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: platform.stackrox.io/v1alpha1 | |
| kind: SecuredCluster | |
| metadata: | |
| name: stackrox-secured-cluster-services | |
| namespace: stackrox | |
| spec: | |
| admissionControl: | |
| bypass: BreakGlassAnnotation | |
| contactImageScanners: DoNotScanInline | |
| listenOnCreates: true |
ralvares
/ rhacs-image-puller-serviceaccount.yaml
Created
February 17, 2023 09:06
Integrating RHACS scanner with the internal ocp registry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| namespace: stackrox | |
| name: stackrox-image-puller | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: stackrox-image-puller-clusterrolebinding |
ralvares
/ disable_default_policies.sh
Created
February 6, 2023 13:17
Disable all the default policies from RHACS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [[ -z "${ROX_ENDPOINT}" ]]; then | |
| echo >&2 "ROX_ENDPOINT must be set" | |
| exit 1 | |
| fi | |
| if [[ -z "${ROX_API_TOKEN}" ]]; then | |
| echo >&2 "ROX_API_TOKEN must be set" | |
| exit 1 |
NewerOlder