Rodrigo Alvares ralvares

🏠
Working from home
  • My Own Repo :)
  • Dubai - AE
View GitHub Profile
@ralvares
ralvares / gist:ae3cb5caa27cd8b1071d51d5d4adbd70
Created December 18, 2025 12:12
OpenShift Secrets Store CSI Driver Operator - Privileges

The supported OpenShift Secrets Store CSI Driver Operator (available in OpenShift 4.14+) requires specific privileges to manage the lifecycle of the driver and its providers.

To understand the privileges, it's best to look at three distinct layers: the Operator, the Driver/Providers, and your Application Workloads.

1. The Operator Privileges

The operator itself runs in the openshift-cluster-csi-drivers namespace.

  • Role: It acts as a controller that manages the deployment of the CSI driver (DaemonSet) and the required Custom Resource Definitions (CRDs).
  • RBAC: It has cluster-wide permissions to manage ClusterCSIDriver objects, DaemonSets, ServiceAccounts, and the Secrets Store CRDs (SecretProviderClass and SecretProviderClassPodStatus).
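The check that goes with the list above is to dump the operator's ClusterRole (`oc get clusterrole <name> -o json`) and read what it can actually do. The script below is an added example, not the operator's own code, and SAMPLE_CLUSTERROLE is a constructed role built from the resources named in the text, with one deliberately over-broad `verbs: ["*"]` rule so the audit has something to flag; it is not the real operator ClusterRole. It flattens the rules into (apiGroup, resource, verb) triples, flags wildcards, escalation verbs and secret access, and answers `oc auth can-i`-style questions with RBAC wildcard semantics.

```python
"""Flatten and review the rules of a ClusterRole, as you would after dumping
the Secrets Store CSI Driver Operator's role with
`oc get clusterrole <name> -o json`.  Added example, not the operator's own
code or its real ClusterRole: SAMPLE_CLUSTERROLE is constructed from the
resources the text above lists, with one deliberately over-broad rule."""
import json

# Verbs that let a subject grow its own privileges through RBAC itself.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Core-group resources whose access means access to secret material.
SECRET_RESOURCES = {("", "secrets"), ("", "serviceaccounts/token")}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# Constructed sample (assumption: not the real operator ClusterRole).  The
# customresourcedefinitions rule uses verbs: ["*"] on purpose so the audit
# has something to flag.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-secrets-store-csi-driver-operator"},
  "rules": [
    {"apiGroups": ["operator.openshift.io"],
     "resources": ["clustercsidrivers", "clustercsidrivers/status"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"], "verbs": ["*"]},
    {"apiGroups": ["secrets-store.csi.x-k8s.io"],
     "resources": ["secretproviderclasses", "secretproviderclasspodstatuses"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
  ]
}
""")


def expand_rules(clusterrole):
    """Flatten PolicyRules into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in clusterrole.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def can_do(clusterrole, group, resource, verb):
    """Answer 'can this role <verb> <resource>?' with RBAC wildcard semantics,
    the same question `oc auth can-i` asks for a subject."""
    for g, r, v in expand_rules(clusterrole):
        if g in (group, "*") and r in (resource, "*") and v in (verb, "*"):
            return True
    return False


def audit_clusterrole(clusterrole):
    """Collect the findings a reviewer cares about, keyed by category."""
    triples = expand_rules(clusterrole)
    return {
        # "*" verbs or resources: broader than any operator needs
        "wildcard_verbs": sorted({(g, r) for g, r, v in triples if v == "*"}),
        "wildcard_resources": sorted({(g, v) for g, r, v in triples if r == "*"}),
        # bind/escalate/impersonate turn a role into a path to cluster-admin
        "escalation": sorted({(g, r, v) for g, r, v in triples if v in ESCALATION_VERBS}),
        # any verb on Secrets or TokenRequest is secret access
        "secret_access": sorted({(g, r, v) for g, r, v in triples if (g, r) in SECRET_RESOURCES}),
        # everything it can change, which is the operator's real blast radius
        "writes": sorted({(g, r) for g, r, v in triples if v in WRITE_VERBS}),
    }


if __name__ == "__main__":
    for category, items in audit_clusterrole(SAMPLE_CLUSTERROLE).items():
        print(f"{category}: {items}")
    print("can delete CRDs:", can_do(SAMPLE_CLUSTERROLE, "apiextensions.k8s.io",
                                     "customresourcedefinitions", "delete"))
```

To review the real role, replace SAMPLE_CLUSTERROLE with `json.load(open("role.json"))` after `oc get clusterrole <operator-role> -o json > role.json`; an empty `escalation` and `secret_access` list is what you expect for this operator, since it manages the driver's deployment and never reads the secrets the driver mounts.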
ralvares / gist:afd8e7baf2e1096dd786085bb1b02323
Created December 15, 2025 05:43
Enable the WriteRequestBodies audit profile on MicroShift (CRC)
oc debug node/api.crc.testing -- chroot /host /bin/bash -c "sed 's/profile: Default/profile: WriteRequestBodies/' /etc/microshift/config.yaml.default > /etc/microshift/config.yaml && systemctl restart microshift"
#!/usr/bin/env bash
set -euo pipefail
REGISTRY="quay.io/hummingbird"
REPOS=(
  curl
  core-runtime
  dotnet-sdk
  openjdk
)  # the listing preview ends here; the rest of the script is not shown
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  customize:
    envVars:
      - name: ROX_SCANNER_V4_RED_HAT_CVES
        value: 'true'
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  customize:
    envVars:
      - name: ROX_EXTERNAL_IPS
        value: 'true'
oc create sa loki-sa -n netobserv
#### DON'T DO THIS ### TESTING ONLY ####
oc adm policy add-scc-to-user privileged -z loki-sa -n netobserv
########################################
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
# Kubernetes Tier 1 Threat Hunting Demo with Audit Logs
This is a full step-by-step demo for hunting Kubernetes threats using audit logs on an OpenShift cluster with access to `/var/log/kube-apiserver/audit.log`. It simulates a realistic attacker scenario where a pod is compromised and its ServiceAccount is used to escalate privileges and perform malicious actions.
All actions happen in the **`default` namespace**, and detections rely **only on verbs, resources, and subresources** — no assumptions about usernames, pod names, or namespaces.
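The detection logic that rule implies, as an added example that is not the gist's own script: it keys only on verb, resource and subresource, skips every stage but ResponseComplete so each request is counted once (the API server also writes a RequestReceived line for the same request), and marks attempts the server denied (401/403) separately from ones that succeeded. SAMPLE_LOG is constructed to look like audit.k8s.io/v1 Event lines from `/var/log/kube-apiserver/audit.log` and is not real cluster data; the rule names and the optional file argument are this example's own choices.

```python
"""Tier-1 detections over kube-apiserver audit events, keyed only on
verb/resource/subresource as the demo prescribes (no usernames, pod names
or namespaces in the logic).  Added example, not the gist's own script;
SAMPLE_LOG is constructed to look like audit.k8s.io/v1 Event lines from
/var/log/kube-apiserver/audit.log and is not real cluster data."""
import json
import sys
from collections import Counter

# (verb, resource, subresource) -> rule.  None = plain resource, no subresource.
RULES = {
    ("create", "pods", "exec"): "pod_exec",
    ("create", "pods", "attach"): "pod_attach",
    ("create", "pods", "portforward"): "pod_portforward",
    ("get", "secrets", None): "secret_read",
    ("list", "secrets", None): "secret_read",
    ("create", "serviceaccounts", "token"): "sa_token_request",
    ("create", "clusterrolebindings", None): "rbac_binding_created",
    ("create", "rolebindings", None): "rbac_binding_created",
    ("create", "selfsubjectrulesreviews", None): "permission_enumeration",
    ("create", "selfsubjectaccessreviews", None): "permission_enumeration",
}

# Constructed sample: one compromised ServiceAccount enumerating its rights,
# dumping secrets, exec-ing into a pod, binding itself a ClusterRole and being
# refused a token for another ServiceAccount.  Line 1 is the RequestReceived
# twin of the exec on line 4 and must not be counted twice.
SAMPLE_LOG = "\n".join([
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"requestReceivedTimestamp":"2025-06-01T10:00:00.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2025-06-01T10:00:01.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"secrets","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-06-01T10:00:02.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"pods","namespace":"default","name":"web-0","subresource":"exec"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2025-06-01T10:00:00.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"pods","namespace":"default","name":"web-0"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-06-01T10:00:03.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"app-sa-admin"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2025-06-01T10:00:04.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"serviceaccounts","namespace":"kube-system","name":"default","subresource":"token"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2025-06-01T10:00:05.000000Z"}',
])


def parse_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a torn line at a log rotation boundary, not a detection
    return events


def detect(events):
    """Return one finding per ResponseComplete event whose
    (verb, resource, subresource) matches a rule."""
    findings = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived/ResponseStarted are the same request again
        ref = ev.get("objectRef") or {}
        rule = RULES.get((ev.get("verb"), ref.get("resource"), ref.get("subresource")))
        if rule is None:
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "rule": rule,
            "time": ev.get("requestReceivedTimestamp"),
            "user": (ev.get("user") or {}).get("username"),   # context only,
            "namespace": ref.get("namespace"),                 # never matched on
            "name": ref.get("name"),
            "denied": code in (401, 403),  # a refused attempt is still a signal
        })
    return findings


def summarize(findings):
    """Count findings per rule, the view a triage dashboard starts from."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = detect(parse_events(text))
    for f in hits:
        print(f"{f['time']} {f['rule']:<24} {f['user']} "
              f"{f['namespace'] or '-'}/{f['name'] or '-'} denied={f['denied']}")
    print(dict(summarize(hits)))
```

Run it with no arguments to see the constructed scenario, or pass a path to a copy of audit.log pulled from a control-plane node. The denied TokenRequest is reported on purpose: a 403 on serviceaccounts/token from inside a pod is the attacker probing for lateral movement, and on a quiet cluster that is a stronger signal than the successful calls.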
---
## Step 0: Create Pod with kubectl and curl (Attacker foothold)
ralvares / kvm.md
Created February 7, 2025 09:20
How to Create and Attach a New Network to KVM VMs Using virsh

1. Create a New Libvirt Network

1.1 Define the Network in XML

Create a new file called new-network.xml with the following content:

<network>
  <name>custom-net</name>
ralvares / secured-cluster.yaml
Created January 22, 2025 05:09
Cluster BOT - Secured-Cluster
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  sensor:
    resources:
      requests:
        cpu: 10m
ralvares / secured-cluster.yaml
Last active April 12, 2025 02:51
secured-cluster.yaml
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  customize:
    envVars:
      - name: ROX_SCANNER_V4_RED_HAT_CVES
        value: 'true'