Run an automated security audit of a container to check for dangerous Linux capabilities, exposed mounts, and Kubernetes credential leaks.
Test whether a container is vulnerable to CVE-2019-5736 (runc escape) or Docker socket abuse in a controlled lab environment.
Use the built-in networking tools (port scanner, etcd client) when the target container lacks standard Unix diagnostic utilities.
Simulate lateral movement within a compromised Kubernetes cluster to validate your detection and response capabilities.
Single static binary with no dependencies: drop it into any container and run it immediately.
CDK is a security testing toolkit for container environments, specifically Docker, Kubernetes, and containerd. The README includes a legal disclaimer that it is intended for authorized security testing only and that using it against targets without permission is illegal. It was presented at Black Hat, a major security research conference.

The tool is distributed as a single compiled binary with no dependencies on the operating system it runs in. This design is intentional: containerized environments often run stripped-down base images that lack common Unix tools, so CDK brings its own versions of utilities like netcat, ifconfig, and a text editor. You download the binary and drop it into the container you are testing.

CDK has three main modes.

The evaluate mode scans the container environment and reports on potential weaknesses: what Linux capabilities the process has, what file system mounts are accessible, whether Kubernetes service account credentials are present, whether cloud provider metadata endpoints are reachable, and similar indicators that a real attacker would look for. After running evaluate, it recommends specific exploits to try.

The exploit mode provides proof-of-concept implementations of known container escape techniques, covering vulnerabilities in Docker's runtime (CVE-2019-5736), in containerd (CVE-2020-15257), in the cgroup subsystem, and in misconfigured setups where the Docker socket is accessible from inside the container. It also includes techniques for moving laterally within a Kubernetes cluster once a container is compromised.

The tool module adds networking utilities: a port scanner, a way to make API calls to the Kubernetes API server, a client for querying etcd (the Kubernetes configuration database), and support for creating TCP tunnels. These fill the gap when the target container does not have the usual network diagnostic tools installed.
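The capability, mount and credential indicators that the evaluate mode is described as reporting can also be checked by a defender auditing their own images. The following is an added example, not CDK's code: the function names, the selection of capabilities treated as risky, and the sample `/proc` contents are assumptions constructed for illustration.

```python
import os
import re

# Bit numbers are from linux/capability.h; which ones count as "risky"
# is this example's assumption, not a list taken from CDK.
RISKY_CAPS = {2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
              17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}
RUNTIME_SOCKETS = ("docker.sock", "containerd.sock")
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def risky_capabilities(status_text):
    """Decode the CapEff bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return [name for bit, name in sorted(RISKY_CAPS.items()) if mask >> bit & 1]

def exposed_sockets(mountinfo_text):
    """Return mount points in /proc/<pid>/mountinfo text that are runtime sockets."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        # Field 5 of a mountinfo line is the mount point inside the container.
        if len(fields) > 4 and fields[4].endswith(RUNTIME_SOCKETS):
            hits.append(fields[4])
    return hits

def audit(status_text, mountinfo_text, token_path=SA_TOKEN):
    findings = [f"capability granted: {c}" for c in risky_capabilities(status_text)]
    findings += [f"runtime socket mounted: {p}" for p in exposed_sockets(mountinfo_text)]
    if os.path.exists(token_path):
        findings.append(f"service account token present: {token_path}")
    return findings

# Constructed samples: Docker's default capability set plus CAP_SYS_ADMIN,
# and a bind-mounted Docker socket.
SAMPLE_STATUS = "Name:\tsh\nCapPrm:\t00000000a82425fb\nCapEff:\t00000000a82425fb\n"
SAMPLE_MOUNTINFO = (
    "1520 1490 0:52 / / rw,relatime - overlay overlay rw\n"
    "1533 1520 0:25 /docker.sock /run/docker.sock rw,nosuid - tmpfs tmpfs rw\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATUS, SAMPLE_MOUNTINFO):
        print(finding)
```

Inside a real container, pass the contents of `/proc/self/status` and `/proc/self/mountinfo` instead of the samples; an empty result for a workload means none of these three indicators is present.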
Verify against the repo before relying on details.