ワンクリックでManusで任意のスキルを実行

security-testing

スター24

フォーク3

更新日2026年3月23日 02:56

Adversarial security testing methodology for the Kubernetes homelab. Covers network policy evasion, authentication bypass, privilege escalation, credential theft, and supply chain attacks. Use when: (1) Red team testing against the homelab, (2) Validating network policy enforcement, (3) Testing WAF bypass on external gateway, (4) Probing authentication layers, (5) Assessing container escape paths, (6) Auditing RBAC and service accounts, (7) Testing supply chain security of OCI promotion pipeline. Triggers: "security test", "red team", "pentest", "penetration test", "attack surface", "WAF bypass", "network policy evasion", "privilege escalation", "lateral movement", "credential theft", "container escape", "RBAC audit", "security audit", "vulnerability"

インストール

Codex または Claude でインストールこの Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。

Manusで実行

ソース

ionfury

ionfury/homelab

GitHub リポジトリを開く Creator のリポジトリを見る

ダウンロード

Manusで実行

Security Testing Methodology

AUTHORIZED SCOPE: Dev cluster only. Integration and live clusters are read-only per CLAUDE.md.

See references/attack-surface.md for the full inventory of known weaknesses, exploitation notes, and severity ratings per layer (Network, Gateway, Auth, Authorization, Container, Supply Chain, Credential).

All bash commands are in references/test-commands.md.

Phase 1: Network Policy Testing

Test intra-namespace lateral movement (the baseline-intra-namespace CCNP allows free pod-to-pod communication within a namespace — expect full access). Test cross-namespace escape by verifying that isolated and internal profile pods cannot reach other namespaces or the internet (DNS always succeeds — this is a known exfiltration path). Test Prometheus label impersonation: if the baseline-prometheus-scrape CCNP uses label-only matching, any pod with the right label can bypass namespace boundaries (NET-001). Test escape hatch abuse by enumerating which service accounts can label namespaces.

Commands: see references/test-commands.md#phase-1-network-policy-testing

Phase 2: Authentication & WAF Testing

Test Coraza WAF bypass using double-encoding and JSON body SQLi — the OWASP CRS at Paranoia Level 1 blocks standard patterns but may miss encoding variations. Verify WAF FAIL_OPEN: if coraza_waf_requests_total returns no results, the WASM module may have failed and traffic is unfiltered (GW-001). Test the Vaultwarden admin panel: the HTTPRoute redirect operates at the gateway but direct pod IP access bypasses it entirely. Inspect OAuth2-Proxy cookies for missing httponly, samesite, or short expiry.

Commands: see references/test-commands.md#phase-2-authentication--waf-testing

Phase 3: Privilege Escalation

Enumerate pods with automounted service account tokens — the homepage SA has cluster-wide read access (AUTHZ-001). Scan for containers running as root or with elevated capabilities. Identify pods opted out of the Istio mesh (no mTLS protection). Enumerate RBAC bindings that reach the external-secrets-access-key in kube-system: it's a static AWS IAM key with read access to all SSM parameters (CRED-001). Test whether the Garage S3 admin API is reachable from the gateway pod.

Commands: see references/test-commands.md#phase-3-privilege-escalation

Phase 4: Data Exfiltration Paths

DNS tunneling works from any namespace including isolated — base64-encode data into subdomain queries. Prometheus is reachable from the monitoring namespace without auth and exposes full service topology and node inventory via the API. Loki allows unauthenticated push from any pod that can reach it (monitoring CNP allows fromEntities: cluster on port 3100).

Commands: see references/test-commands.md#phase-4-data-exfiltration-paths

Phase 5: Supply Chain

Enumerate Flux sources and receivers to understand where git credentials and webhook tokens are stored. Probe the PXE boot service — it is reachable from any namespace and could serve malicious iPXE scripts if compromised.

Commands: see references/test-commands.md#phase-5-supply-chain

Cleanup

Run after every test session:

kubectl --context dev delete pod sectest fake-prom -n <ns> --ignore-not-found
kubectl --context dev delete httproute sectest-route-injection -n <ns> --ignore-not-found
kubectl --context dev label namespace <ns> network-policy.homelab/enforcement- 2>/dev/null
kubectl --context dev get pods -A | grep sectest

Finding Severity Guide

See references/attack-surface.md for the severity classification table (Critical/High/Medium/Low/Informational).

Cross-References

references/attack-surface.md — Known weaknesses inventory (NET, GW, AUTH, AUTHZ, CTR, CRED, SC layers)
references/test-commands.md — All bash commands organized by phase
network-policy SKILL — Cilium policy architecture
gateway-routing SKILL — Gateway API, TLS, WAF configuration
k8s SKILL — Cluster access patterns

Keywords

security testing, red team, penetration testing, network policy evasion, WAF bypass, authentication bypass, privilege escalation, lateral movement, container escape, RBAC audit, credential theft, supply chain attack, DNS tunneling, log injection

このリポジトリの他の Skills

同じリポジトリ

dashboard-design

ionfury/homelab

Visual design and layout for Grafana dashboards — panel hierarchy, type selection, color/threshold design, and iterative screenshot-based refinement. Use when: (1) Deciding what panels belong on a new dashboard, (2) Choosing panel types for specific data patterns, (3) Structuring visual hierarchy and layout, (4) Applying color and thresholds to communicate status, (5) Reviewing dashboard appearance via Playwright screenshots, (6) Iterating on readability and density Triggers: "dashboard design", "visual design", "layout design", "panel type", "color scheme", "screenshot review", "iterate dashboard", "dashboard looks", "visual feedback", "refine dashboard", "dashboard hierarchy", "information density"

2026-05-1924

architecture-review

ionfury/homelab

Architecture evaluation criteria and technology standards for the homelab. Preloaded into the designer agent to ground design decisions in established patterns and principles. Use when: (1) Evaluating a proposed technology addition, (2) Reviewing architecture decisions, (3) Assessing stack fit for a new component, (4) Comparing implementation approaches. Triggers: "architecture review", "evaluate technology", "stack fit", "should we use", "technology comparison", "design review", "architecture decision"

2026-04-0824

deploy-app

ionfury/homelab

End-to-end application deployment orchestration for the Kubernetes homelab. Covers research, worktree setup, Flux ResourceSet configuration, dev cluster testing, monitoring integration, and PR creation. Use when: (1) Deploying a new application to the cluster, (2) Adding a new Helm release to the platform, (3) Setting up monitoring, alerting, and health checks for a new service, (4) Testing deployment on dev cluster before GitOps promotion. Triggers: "deploy app", "add new application", "deploy to kubernetes", "install helm chart", "/deploy-app", "set up new service", "add monitoring for", "deploy with monitoring"

2026-03-3024

secrets

ionfury/homelab

Secret management patterns for the Kubernetes homelab platform. Covers secret-generator, ExternalSecret, app-secrets Terragrunt module, and cross-namespace replication via kubernetes-replicator. Use when: (1) Adding secrets for a new application, (2) Deciding between secret-generator and ExternalSecret, (3) Configuring cross-namespace secret replication, (4) Creating persistent secrets via the app-secrets Terragrunt module, (5) Debugging secret sync failures. Triggers: "secret", "ExternalSecret", "secret-generator", "aws ssm", "parameter store", "kubernetes-replicator", "replicate secret", "app-secrets", "persistent secret", "cross-namespace secret", "secret not syncing", "ClusterSecretStore"

2026-03-3024

cnpg-database

ionfury/homelab

CloudNative-PG (CNPG) PostgreSQL database management for the Kubernetes homelab. Covers shared platform cluster, dedicated per-app clusters, credential provisioning, cross-namespace replication via kubernetes-replicator, and monitoring. Use when: (1) Adding a new database for an application, (2) Creating a dedicated CNPG cluster, (3) Setting up database credentials and cross-namespace replication, (4) Debugging database connectivity or CNPG cluster health, (5) Adding PostgreSQL extensions for specialized workloads. Triggers: "database", "postgresql", "postgres", "cnpg", "cloudnative-pg", "pooler", "pgbouncer", "database credentials", "db password", "managed roles", "Database CRD", "database cluster", "shared database", "dedicated database", "cnpg cluster"

2026-03-2324

gateway-routing

ionfury/homelab

Gateway API routing, TLS certificates, and WAF configuration for the homelab Kubernetes platform. Use when: (1) Exposing a service via HTTPRoute, (2) Choosing between internal and external gateways, (3) Debugging TLS or routing issues, (4) Understanding or tuning WAF (Coraza) behavior. Triggers: "httproute", "gateway", "expose service", "add route", "certificate", "tls", "coraza", "waf", "internal gateway", "external gateway", "dns", "ingress", "routing", "cert-manager", "letsencrypt", "homelab-ca"

2026-03-2324

name	security-testing
description	Adversarial security testing methodology for the Kubernetes homelab. Covers network policy evasion, authentication bypass, privilege escalation, credential theft, and supply chain attacks. Use when: (1) Red team testing against the homelab, (2) Validating network policy enforcement, (3) Testing WAF bypass on external gateway, (4) Probing authentication layers, (5) Assessing container escape paths, (6) Auditing RBAC and service accounts, (7) Testing supply chain security of OCI promotion pipeline. Triggers: "security test", "red team", "pentest", "penetration test", "attack surface", "WAF bypass", "network policy evasion", "privilege escalation", "lateral movement", "credential theft", "container escape", "RBAC audit", "security audit", "vulnerability"
user-invocable	false

Security Testing Methodology

AUTHORIZED SCOPE: Dev cluster only. Integration and live clusters are read-only per CLAUDE.md.

All bash commands are in references/test-commands.md.

Cleanup

Run after every test session:

kubectl --context dev delete pod sectest fake-prom -n <ns> --ignore-not-found
kubectl --context dev delete httproute sectest-route-injection -n <ns> --ignore-not-found
kubectl --context dev label namespace <ns> network-policy.homelab/enforcement- 2>/dev/null
kubectl --context dev get pods -A | grep sectest

Finding Severity Guide

See references/attack-surface.md for the severity classification table (Critical/High/Medium/Low/Informational).

Cross-References

references/attack-surface.md — Known weaknesses inventory (NET, GW, AUTH, AUTHZ, CTR, CRED, SC layers)
references/test-commands.md — All bash commands organized by phase
network-policy SKILL — Cilium policy architecture
gateway-routing SKILL — Gateway API, TLS, WAF configuration
k8s SKILL — Cluster access patterns