Malicious Webhook Admission Controller

This is a ‘malicious’ webhook admission controller that I developed to learn how to write admission controllers in Go.

The controller allows an attacker to maintain persistence in a Kubernetes cluster through manifest re-writes when they are submitted to the cluster.

The controller will add ‘slixperi says this could have been a total yaml re-write’ as a label to any pod being created (with the label field in the original pod.yaml) in the webhookdemo namespace (sorry skripties).

Thanks to for the wonderful demonstration in the fundamentals and template files.

Future work: I’ll prolly make this into something sneakier once I learn a bit more about how Kubernetes works under the hood. For now its discoverable through any sort of AdmissionController monitoring or kubectl describe pod [pod name].


View Github