isaiasvela/caldera_k8s_abilities
# Caldera K8s Abilities
A Kubernetes-focused MITRE Caldera ability pack for realistic container and cluster attack simulation, designed to validate Falco runtime detection coverage using default Falco rules.
This repository was developed as part of a Bachelor's Thesis that evaluates Falco as a runtime security detection mechanism in cloud-native environments.
## What this project provides
- Kubernetes-specific Caldera abilities for adversary emulation
- Attack simulation scenarios that run inside containers and cluster workloads
- Validation guidance for Falco default rule detection coverage
- Reusable content for security research, detection engineering, and purple team testing
## Key goals
- Extend Caldera with Kubernetes-oriented attack techniques
- Simulate realistic container and Kubernetes threat activity
- Test Falco runtime alerts against those techniques
- Identify detection gaps and possible improvements
- Share reusable cloud-native attack emulation assets with the community
## Technologies used
- Kubernetes
- MITRE Caldera
- Falco
- Docker / Containers
- Linux
- MITRE ATT&CK
- Bash / Python
## Repository layout
```
caldera_k8s_abilities
├── app/
│   ├── parsers/
│   └── requirements/
├── data/
│   └── abilities/
│       ├── credential-access/
│       └── discovery/
├── hook.py
└── README.md
```
## Available Kubernetes abilities
| Ability | Description | ATT&CK Technique |
| ------------------------------------- | ------------------------------------------------------- | ---------------- |
| K8s - Detect environment | Detect if running inside a Kubernetes pod | T1613 |
| K8s - Obtain token | Obtain Kubernetes token from service account | T1613 |
| K8s - Access API server | Access Kubernetes API server | T1613 |
| K8s - Enumerate environment information | Enumerate environment information from a pod | T1613 |
| K8s - Probe internal services | Attempt HTTP requests against discovered Kubernetes services | T1046 |
| K8s - Internal port scan | Scan common ports on discovered services | T1046 |
| K8s - Probe Kubernetes DNS service | Attempt connection to CoreDNS service | T1046 |
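To turn the "test Falco runtime alerts against those techniques" and "identify detection gaps" goals into a repeatable check, here is an added Python example that is not part of this repository. It assumes Falco ran with `json_output: true`, that the pod name of the Caldera agent and each ability's start and end time were recorded, and it uses constructed alert lines and rule names as sample input, not a record of what the default rules actually fire.

```python
import json
from datetime import datetime, timedelta, timezone

# Three abilities from this plugin's table, with their ATT&CK technique IDs.
ABILITIES = {
    "K8s - Obtain token": "T1613",
    "K8s - Access API server": "T1613",
    "K8s - Internal port scan": "T1046",
}

# Constructed execution log: (ability, pod where the agent ran, start, end).
RUNS = [
    ("K8s - Obtain token", "agent-7f9c", "2024-05-01T10:00:00Z", "2024-05-01T10:00:05Z"),
    ("K8s - Access API server", "agent-7f9c", "2024-05-01T10:01:00Z", "2024-05-01T10:01:05Z"),
    ("K8s - Internal port scan", "agent-7f9c", "2024-05-01T10:02:00Z", "2024-05-01T10:02:30Z"),
]

# Constructed Falco alerts in the shape Falco emits with json_output: true (sample data).
FALCO_ALERTS = """\
{"time":"2024-05-01T10:00:02.100Z","rule":"Read sensitive file untrusted","priority":"Warning","output_fields":{"k8s.pod.name":"agent-7f9c","fd.name":"/var/run/secrets/kubernetes.io/serviceaccount/token"}}
{"time":"2024-05-01T10:01:03.400Z","rule":"Contact K8S API Server From Container","priority":"Notice","output_fields":{"k8s.pod.name":"agent-7f9c"}}
{"time":"2024-05-01T10:01:03.500Z","rule":"Contact K8S API Server From Container","priority":"Notice","output_fields":{"k8s.pod.name":"other-pod"}}
"""

def parse_time(s):
    """Parse Falco's RFC 3339 timestamp (nanosecond fraction, trailing Z) to UTC."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))

def coverage(runs, alerts_json):
    """For each ability run, collect the Falco rules that fired in its pod and time window."""
    alerts = [json.loads(line) for line in alerts_json.splitlines() if line.strip()]
    report = {}
    for ability, pod, start, end in runs:
        t0, t1 = parse_time(start), parse_time(end)
        fired = sorted({a["rule"] for a in alerts
                        if a["output_fields"].get("k8s.pod.name") == pod
                        and t0 <= parse_time(a["time"]) <= t1})
        report[ability] = {"technique": ABILITIES[ability], "rules": fired}
    return report

def detection_gaps(report):
    """Abilities that raised no Falco alert at all: candidates for rule improvements."""
    return [name for name, r in report.items() if not r["rules"]]

if __name__ == "__main__":
    rep = coverage(RUNS, FALCO_ALERTS)
    print(json.dumps(rep, indent=2), "\nDetection gaps:", detection_gaps(rep))
```

Alerts from other pods in the same window are ignored, so noise from unrelated workloads does not count as coverage for an ability.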
## Usage
### Installation
1. Clone this repository into `caldera/plugins/`:
   ```bash
   git clone https://github.com/isaiasvela/caldera_k8s_abilities caldera/plugins/caldera_k8s_abilities
   ```
2. Open `caldera/conf/default.yml` and add `caldera_k8s_abilities` to the `plugins` section:
   ```yaml
   plugins:
     - caldera_k8s_abilities
   ```
## Integration notes
- The abilities in `data/abilities/` are grouped by technique category.
- `credential-access/` contains simulated Kubernetes credential abuse scenarios.
- `discovery/` contains environment and container enumeration capabilities.
- `hook.py` and the `app/` helper modules support Caldera ability parsing and execution.
## Research focus
This project emphasizes runtime detection validation rather than offensive exploitation. It is meant to help:
- Security engineers
- DevSecOps teams
- Detection engineers
- Cloud security practitioners
- Students and researchers
understand Kubernetes runtime threats and assess Falco default rule behavior.
## Disclaimer
- For educational use only.
- For defensive security research and detection engineering.
- Only use against systems you own or have explicit permission to test.
## Author
**Isaías Vela**
Cloud • DevSecOps • Security Engineering