Agent Skillszhaoxuya520/reverse-skill › competition-k8s-control-plane

competition-k8s-control-plane

GitHub

用于CTF沙箱中分析K8s控制平面,涵盖API权限、RBAC、Admission、控制器行为及工作负载差异。需在沙箱编排器激活后使用,通过追踪信任路径和突变链定位安全漏洞。

CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

检查Kube API权限或ServiceAccount令牌 分析RoleBinding/ClusterRoleBinding关系 排查Admission Webhook或控制器创建的工作负载 调查Secret暴露或工作负载与清单的差异

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-k8s-control-plane -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-k8s-control-plane -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-k8s-control-plane

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-k8s-control-plane -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-k8s-control-plane",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for Kubernetes API analysis, service-account trust, RBAC edges, admission and controller behavior, cluster secrets, workload mutation, and namespace-scoped drift. Use when the user asks to inspect kube API permissions, service-account tokens, RoleBinding or ClusterRoleBinding edges, admission webhooks, controller-created pods, secret exposure, or why live workloads differ from manifests. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition K8s Control Plane

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive path runs through Kubernetes control-plane state, API permissions, or controller behavior rather than a single container's runtime alone.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Separate manifest intent from live cluster state: API objects, mutations, controllers, secrets, and resulting workloads.
  2. Identify the active principal first: service account, kubeconfig identity, node credential, webhook, or controller.
  3. Map the smallest control-plane edge to its workload effect.
  4. Keep RBAC, service accounts, owner references, namespace boundaries, and secret consumers in compact evidence blocks.
  5. Reproduce the smallest cluster action that yields the decisive workload or secret effect.

Workflow

1. Map The API Trust Path

  • Record namespaces, service accounts, Roles, ClusterRoles, bindings, admission hooks, controllers, and the resources they can mutate.
  • Distinguish read access, create access, patch access, exec access, and secret access.
  • Keep principal, verb, resource, namespace, and resulting object in one chain.

2. Trace Mutation To Workload State

  • Show how an API action becomes a pod, volume mount, secret exposure, env injection, job run, or controller-created artifact.
  • Compare checked-in YAML against live objects after defaulting, admission mutation, or controller reconciliation.
  • Distinguish pod-runtime behavior from cluster-level mutation logic.

3. Reduce To The Decisive Cluster Path

  • Compress the result to the smallest chain: principal -> API permission -> mutated object -> resulting workload, secret, or route effect.
  • Keep kube objects, live describes, and consumed secret or config paths tied to the same namespace and controller.
  • If the problem narrows down to one container's mount or runtime deviation, switch back to the tighter container-runtime skill.

Read This Reference

  • Load references/k8s-control-plane.md for the RBAC checklist, controller checklist, and evidence packaging.
  • If the hard part is metadata-service reachability, workload identity, instance credentials, or metadata-derived privilege, prefer $competition-cloud-metadata-path.

What To Preserve

  • Namespace, service account, verb, resource kind, RoleBinding or ClusterRoleBinding, and owner reference chains
  • Admission mutations, generated workloads, mounted secrets, and controller-produced drift
  • The exact API action or object diff that creates the decisive effect

Version History

  • 1bec1f2 Current 2026-07-05 18:45

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
18fa637d
Indexed
2026-07-05 18:45

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 22:23
浙ICP备14020137号-1 $Гость$