Skip to content


Hello and welcome to the ControlPlane Capture the Flag (CTF) event at KubeCon/CloudNativeCon EU 2023.

We're here to learn the best security practices. There are a number of ways of learning:

  • Talks throughout the day presented by individuals leading the way
  • Meeting and collaborating with your peers at the event

Our Capture the Flag event is here to bring a third option to the learning experience, by doing!


⚔️ Attack ⚔️

We have Kubernetes clusters spun up with vulnerabilities ready for you to enumerate, exploit and learn from. You will follow the trail of destruction, left in the wake of the nefarious D̸r̷e̶͈̾̏ả̷̖̤d ̵͇̰͌͆Pir̸̢͝a̵̫̠̔te ᶜᵃᵖᵗᵃⁱⁿ Hλ$ħ𝔍Ⱥ¢k, hoping to clean up his mess and restore order and control to the vulnerable and broken clusters he has ravaged.

🚨 Warning 🚨

We're going to be performing some activities that can be considered a crime if done without prior authorization. You have our permission to attack the Kubernetes cluster assigned to you for the duration of the event. Please double check any tooling that you use to ensure it is configured correctly, within the scope of the above statement. We are available to discuss this matter further if you require more clarification.

The lessons learned from these exercises are to help educate, please don't look to hurt people or get yourself in trouble.

Only perform security assessments against your own systems or with written permission from the owners!

For more information in regards to using KubeSim again, please message the Taskmaster.

💻 Setup 💻

To get started, DM the Taskmaster (CTF Taskmaster (from ControlPlane)🚩) on the CNCF Slack Security Days Channel. The Taskmaster will provide you with SSH credentials to access the cluster. Please follow the guide in our Setup page for further information.

🚩 The Objective 🚩

You have a limited time to find the flag! The Taskmaster can then confirm that you have the flag and will congratulate you with emojis. You then have the opportunity to share how this could be prevented, effectively what the Blue Team, with honourable mentions to recommendations at the presentation at the end of the day.

Flags are hidden away but clearly defined with the flag_ctf{} prefix e.g. flag_ctf{NeverGonnaGive}. A flag could be anything from a variable to a file. The flags would be deemed high value for an attacker, whether this would be linked to credentials to data to exhilarate, that's enough clues for now!

🆘 Assistance 🆘

This is your opportunity to learn, if you feel out of your depth you're in the right place. We have assistants from ControlPlane ready to help you out, but their first tip is:


The second is:

Take a break ☕

You have at least two hours per scenario to attempt to capture the flags! If you require a pointer in the right direction, then you can reveal hints through our CTFd scoreboard for a small point deduction. Technical problems/assistance can be sought from our Taskmaster.