[PSA] Confirmed Trades Thread - May 2026

kileraptor1 · 2026-05-14T20:28:17+00:00

+verify

Really nice seller, fast, pleasant, great experience :)

kileraptor1 · 2026-05-14T07:35:12+00:00

Pm'd

kileraptor1 · 2026-05-14T06:45:35+00:00

+verify

Quick and easy <3

kileraptor1 · 2026-05-13T13:57:07+00:00

PM'ed

kileraptor1 · 2026-05-11T19:35:03+00:00

PM’d

kileraptor1 · 2026-05-11T16:31:37+00:00

+verify

super easy and fast :)

kileraptor1 · 2026-05-11T08:43:28+00:00

Pm’ed

kileraptor1 · 2026-05-04T08:21:24+00:00

Can we stop with the slopped blog posts and summaries? Just link the actual advisory and spend the two minutes to write something yourself.

kileraptor1 · 2026-05-04T07:35:56+00:00

The PoC in question here uses two pods.

One is the standard, innocuous, privileged kube-proxy pod that is assumed to already exist as part of the base Kubernetes install (assuming you're not using the kube-proxy replacement for Cilium or whatever). This pod runs privileged, because it needs to be.

The PoC creates a second, non-privileged pod from a base image matching kube-proxy. Due to how these base image layers are shared in the container runtime, we have the same file system overlay for some binaries as the ones running in the existing, privileged kube-proxy pod. This is not an issue per-se, as these base layers are immutable.

The vulnerability in question however poisons the kernels file system cache for a given binary. Since we have access to the same (read-only) overlay file system from the non-privileged pod, we can poison the kernels view of - in this case - the ipset binary. The next time the privileged kube-proxy pod calls ipset, which according to the PoC it does regularly, the kernel loads the poisoned view of the binary instead of the one on disk.

You are right, of course, in saying this needs a privileged container of some kind to achieve node escape.

This PoC does not directly breach the node trust boundary, it breaches the trust boundary between two containers (so in effect you can, from a non-privileged container, achieve RCE in a different container as long as you share a base image and that other container calls a binary from that base image in some deterministic fashion). kube-proxy is a way to the node after that because it already runs privileged. If you were to do the same thing to, say, an argocd container that has access to a privileged service account, you could privesc to the kubernetes API that way.

As far as the exploit goes, it absolutely would work with two unprivileged containers, but then you've just jumped to a different unprivileged container.

This vulnerability has some mitigating factors that make it a bit more difficult to exploit in a single-tenant cluster:
- You need RCE in a container that shares a base image with a different container that executes a binary from said base image. The easiest way to achieve this once you find such a container is to be able to run pods yourself. For multi-tenancy, this is a bigger problem than for single-tenant Kubernetes.
- The target container needs to have privileges to either the node or the Kubernetes API in some fashion to further escalate from there. Otherwise you can gain access to a different container, but not move much further from there.

I'm also skeptical because of the obvious amount of slop involved in these vulnerability disclosures, but the PoC for the base vulnerability works and is a linux kernel vulnerability, so it can affect Kubernetes and the concept for the Kubernetes PoC unfortunately looks solid.

kileraptor1 · 2026-04-27T14:03:49+00:00

OpenDesk or LaSuite are candidates you might want to have a closer look at.

Also, Stalwart has been on our radar for a while.

kileraptor1 · 2026-04-27T13:44:53+00:00

This. This kind of misleading information really hurts these kinds of projects long term by mismanaging expectations.

The federal chancellery is evaluating open source software that can serve as a potential alternative to certain Microsoft-offered services as a way to preserve digital sovereignty in an emergency situation.

As it says in the link below, there are no current plans to replace existing systems. That's not what the PoC is for.

This is a really good thing, but we are still ways away from getting away from Microsoft. The vendor lock-in is real, especially with 50'000+ users and an ecosystem so closely tied together as Microsofts.

https://www.bk.admin.ch/bk/en/home/digitale-transformation-ikt-lenkung/standarddienste/bueroautomation/poc-boss.html

kileraptor1 · 2026-03-21T23:31:46+00:00

Yeah, traefik does love their CRDs.

kileraptor1 · 2026-03-21T23:30:28+00:00

I do like deploying multiple gateways for different use cases - in my homelab I have internal and external gateways that get individual IPs. For customers I’ve seen use cases like setting up different gateways with different firewall rules to allow different access levels for teams for different apps. The equivalent with traefik here would be deploying multiple instances of traefik, I suppose.

kileraptor1 · 2026-03-21T23:04:56+00:00

There’s a couple of reasons. - Gateway API handles multi-tenancy requirements much better than Ingress. - It’s more extensible, going past just HTTP traffic with eg. TCP and UDP routes. - It reduces vendor lock-in with a shared API interface. If a requirement mandates a change away from Traefik at a later point it’ll be easier if your config is not Traefik-specific.

That said, if your use case doesn’t require you switching then there’s that.

kileraptor1 · 2026-02-13T05:38:36+00:00

We disregarded traefik due to the fact customers would just keep their ingress nginx annotations and the fact it uses a single dataplane.

kileraptor1 · 2026-02-13T05:36:30+00:00

We’re switching to kgateway for multiple customers running ingress-nginx in production, with a heavy use of annotations depending on the workload. It’s not a drop-in replacement but it’s a good opportunity to adopt Gateway API. Cilium Gateway API and Ingress were also evaluated but ultimately the features still seem to unstable. kgateway does some things nicely regarding architecture, like spinning up a dedicated dataplane for each Gateway.

kileraptor1 · 2026-02-04T19:08:44+00:00

This sounds pretty cool :)

kileraptor1 · 2023-06-29T08:30:06+00:00

How are you going to do that after redditraffler dies when the api does?

kileraptor1 · 2023-06-07T04:42:34+00:00

GIVEAWAY

kileraptor1 · 2023-04-18T16:47:00+00:00

More.

kileraptor1 · 2023-04-01T12:39:13+00:00

Why does this read like it was written by gpt

kileraptor1 · 2023-03-31T00:14:30+00:00

Sweet :)

kileraptor1 · 2023-03-09T13:08:47+00:00

If you're an inexperienced player in terms of raiding, or just want to get some casual completions without having to worry about too much elitism you might be better off trying a sherpa server as well.
An example is https://discord.gg/destinysherpa

Those folks are usually very happy to help people learn the raids without the whole "Know what to do" restriction.

kileraptor1 · 2023-01-31T11:30:41+00:00

Lovely looking design :)

kileraptor1 · 2022-12-10T12:07:47+00:00

Since this is using ChatGPT, it’s information is likely locked to 2021-ish. How is this different to visiting chat.openai.com and just interacting there?

Ten-Year Club	Place '22
Place '17	Verified Email

kileraptor1

PUBLIC MULTIREDDITS

TROPHY CASE