A Kubernetes offensive security framework for orchestrating penetration testing, red teaming operations, and large-scale reproducible security scans both inside and outside your cluster
Kentra provides a declarative way to define and execute security operations as native Kubernetes resources. Instead of manually managing security testing tools and scripts, you define your security tests as YAML manifests and let Kentra's Kubernetes Operator handle orchestration, scheduling, logging, and resource management.
To explore all Kentra features, please spin up the project and have fun :)
Kentra URL: https://demo.kentrasecurity.sh
This is a view-only demo.
Kentra can be deployed with the dashboard to aggregate command outputs and run commands with less effort.
Kentra's global helm chart is available. Refer to the values.yaml for configuration options.
```shell
helm install kentra-platform \
  oci://ghcr.io/kentrasecurity/helm/kentra-platform \
  --version 0.4.0 \
  --namespace kentra-system \
  --create-namespace \
  -f values.yaml
```

To uninstall it:

```shell
helm uninstall kentra-platform -n kentra-system
```

Alternatively, install Kentra with Kustomize via kustomization.yaml. The default namespace is kentra-system.

```shell
kubectl apply -k config/default
```

To uninstall it:

```shell
kubectl delete -k config/default
```

To verify the installation:

```shell
# Check if the manager pod is running
kubectl get pods -n kentra-system
# Check CRDs are installed
kubectl get crds | grep kentra.sh
# View controller logs
kubectl logs -n kentra-system deployment/kentra-controller-manager -f
```

See QUICKSTART.md for examples and configurations.
Kentra uses the ConfigMap tool-specs.yaml to define tool specifications. After modifying it, apply it again with:

```shell
kubectl apply -f config/default/kentra-tool-specs.yaml
```

To specify a new tool, use the following fields:
| Field | Type | Description | Example |
|---|---|---|---|
| type | string | The operation type the tool performs; used to filter (grep) runs by operation type | "enumeration", "exploitation", "scanning" |
| category | string | The category or domain of the tool; used for logic separation | "network", "web", "vulnerability" |
| image | string | Docker image URI for the tool container | "instrumentisto/nmap:latest" |
| commandTemplate | string | Command execution template with placeholders | "nmap {{.Args}} -p {{.Target.port}} {{.Target.endpoint}}" |
| endpointSeparator | string (optional) | Delimiter for multiple endpoints/targets (if supported by the tool) | " " (space), "," (comma) |
| portSeparator | string (optional) | Delimiter for multiple ports (if supported by the tool) | "," |
| capabilities | object (optional) | Linux capabilities required for the container | See the all-capabilities example |
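As an added example (not Kentra's own code), the Go snippet below shows how commandTemplate, endpointSeparator and portSeparator combine into concrete command lines using Go's text/template, which matches the {{.Args}}/{{.Target.port}} placeholder syntax in the table. The ToolSpec type, the map shape behind {{.Target}} and the safeValue check are assumptions of this illustration; Args is taken as written from the manifest and is not validated here.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// ToolSpec carries the tool-specs.yaml fields from the table above
// (illustration only, not Kentra's own type).
type ToolSpec struct {
	Type, Category, Image, CommandTemplate string
	EndpointSeparator, PortSeparator       string // optional; empty = one command per value
}

// safeValue rejects endpoint/port values carrying whitespace or shell
// metacharacters, so a hostile target list cannot alter the rendered command.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9._:/-]+$`)

// group joins values with sep when the tool accepts a multi-value flag, else one by one.
func group(values []string, sep string) []string {
	if sep != "" {
		return []string{strings.Join(values, sep)}
	}
	return values
}

// RenderCommands expands CommandTemplate for each endpoint/port group.
func RenderCommands(spec ToolSpec, args string, endpoints, ports []string) ([]string, error) {
	for _, v := range append(append([]string{}, endpoints...), ports...) {
		if !safeValue.MatchString(v) {
			return nil, fmt.Errorf("unsafe target value %q", v)
		}
	}
	tmpl, err := template.New("cmd").Option("missingkey=error").Parse(spec.CommandTemplate)
	if err != nil {
		return nil, fmt.Errorf("parse commandTemplate: %w", err)
	}
	var cmds []string
	for _, ep := range group(endpoints, spec.EndpointSeparator) {
		for _, p := range group(ports, spec.PortSeparator) {
			// Lower-case map keys so {{.Target.port}} resolves as in the table's example.
			data := map[string]interface{}{"Args": args, "Target": map[string]string{"endpoint": ep, "port": p}}
			var buf bytes.Buffer
			if err := tmpl.Execute(&buf, data); err != nil {
				return nil, fmt.Errorf("render: %w", err)
			}
			cmds = append(cmds, buf.String())
		}
	}
	return cmds, nil
}
```

With both separators set, one nmap command covers every endpoint and port; with endpointSeparator empty, one command is rendered per endpoint, and a value such as "10.0.0.5; id" is refused before any template runs.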
For centralized logging with Fluent Bit and Loki, see LOGGING.md.
For the full architecture, see ARCHITECTURE.md.
For the development and compilation process, see the development documentation.
Caution
You are required to secure clear, written permission from the system owner before using Kentra on any target. Kentra Security and its contributors disclaim all responsibility for any harm, damages, losses, or legal repercussions arising from the use of this project. This includes, but is not limited to, unauthorized access, data breaches, system disruption, or criminal charges. By using this tool, you acknowledge that you are solely accountable for your actions and any resulting consequences.
Kentra can be extended to use your custom tools. Follow EXTEND_KENTRA.md for additional information.
Contributions are welcome! If you want to add your tools or modify the project, follow these guidelines:
- Fork the project and make your changes
- Follow the existing code style and patterns
- Include appropriate tests
- Update documentation as needed
- Pass all existing tests and linters
- Open a Pull Request
- Merged :)
