Kubernetes (EKS · keensafe-prod)
Read-only browser over the production EKS cluster. Backed by the cluster-admin token; no per-user RBAC layer in front of this console.
Namespaces
default kube-system keensafe-bank keensafe-ai cicd
Pods
| Namespace | Pod | Image | Env (selected) |
|---|---|---|---|
| keensafe-bank | internet-banking-7d4b9c-x8m2k | registry.keensafeglobalbank.com/internet-banking:1.4.0 | DB_HOST=bank-db.internal DB_PASSWORD=Pr0d-Db-LAB-Fake! JWT_SECRET=keensafe-lab-jwt-supersecret-2025 |
| keensafe-bank | public-api-844d57-q3n8h | registry.keensafeglobalbank.com/public-api:1.4.0 | AWS_ACCESS_KEY_ID=AKIAFAKEKEYONLY12345 AWS_SECRET_ACCESS_KEY=FAKEsecret/Lab+OnlyDoNotUseInProductionAA |
| cicd | jenkins-controller-0 | jenkins/jenkins:2.426.3-lts-jdk17 | JENKINS_ADMIN_PASSWORD=Jenkins123! |
Secrets
| Namespace | Name | Type | Data (base64) |
|---|---|---|---|
| keensafe-bank | db-credentials | Opaque | DB_USER=a2VlbnNhZmVfYXBw DB_PASSWORD=UHIwZC1EYi1MQUItRmFrZSE= |
| keensafe-bank | stripe-api-key | Opaque | STRIPE_API_KEY=c2tfbGl2ZV9GQUtFa2VlbnNhZmVMQUJvbmx5X0RPX05PVF9VU0U= |
| cicd | github-deploy-token | Opaque | GITHUB_TOKEN=Z2hwX0ZBS0VrZWVuc2FmZUxBQnRva2VuX0RvTm90VXNlMTIzNDU2Nzg5 |
| kube-system | cluster-admin-token | kubernetes.io/service-account-token | token=ZXlKaGJHY2lPaUpTVXpJMU5pSjkuTEFCLUZBS0UtQ0xVU1RFUi1BRE1JTi1KV1QuTEFCLURPLU5PVC1VU0U= |
Misconfigurations:
- Anonymous read on the entire dashboard: try /k8s/api/v1/namespaces/keensafe-bank/secrets.
- Read-only kubelet API at /kubelet/pods (port 10255 in real EKS).
- Cluster-admin service-account token is reachable at /k8s/api/v1/namespaces/kube-system/serviceaccounts/cluster-admin/token.
- Pod env vars carry DB password, JWT secret and AWS keys instead of being mounted from a Secret.
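
A check for the last item above, as an added example that is not part of the original page: it scans pod specs in the shape of `kubectl get pods -A -o json` and reports sensitive-looking env vars set as literal values instead of through `valueFrom.secretKeyRef`. The name pattern, the container name `app`, the Secret name `aws-creds` and the placeholder values are assumptions made for the sample.

```python
import re

# Assumption: env names matching this pattern are treated as sensitive
# (a heuristic chosen for this example, not a Kubernetes rule).
SENSITIVE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.I)

def plaintext_secret_envs(pod_list):
    """Return (namespace, pod, container, env name) for every sensitive-looking
    env var set with a literal `value` rather than `valueFrom.secretKeyRef`."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            for env in c.get("env", []):
                if not SENSITIVE.search(env.get("name", "")):
                    continue
                if "secretKeyRef" in (env.get("valueFrom") or {}):
                    continue  # sourced from a Secret: not a finding
                if env.get("value"):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     c.get("name"), env["name"]))
    return findings

# Constructed sample: pod names come from the table above, values are placeholders,
# and one variable is switched to a secretKeyRef to show the accepted form.
SAMPLE = {"items": [
    {"metadata": {"namespace": "keensafe-bank", "name": "internet-banking-7d4b9c-x8m2k"},
     "spec": {"containers": [{"name": "app", "env": [
         {"name": "DB_HOST", "value": "bank-db.internal"},
         {"name": "DB_PASSWORD", "value": "placeholder"},
         {"name": "JWT_SECRET", "value": "placeholder"}]}]}},
    {"metadata": {"namespace": "keensafe-bank", "name": "public-api-844d57-q3n8h"},
     "spec": {"containers": [{"name": "app", "env": [
         {"name": "AWS_ACCESS_KEY_ID",
          "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "id"}}},
         {"name": "AWS_SECRET_ACCESS_KEY", "value": "placeholder"}]}]}},
]}

if __name__ == "__main__":
    for finding in plaintext_secret_envs(SAMPLE):
        print("plaintext secret in env:", *finding)
```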