
Process

Inventory

  1. [GKE] gcloud info (cluster name, version, master auth, legacy ABAC, network policy)
    $ gcloud container clusters list
    $ gcloud container clusters describe <cluster-name> --zone <zone>
    
  2. Get inventory: cluster endpoint, kubeconfig, namespaces, nodes, workloads, secrets (note that `get all` does not list secrets, configmaps, ingresses or RBAC objects)
    $ kubectl cluster-info
    $ kubectl config view
    $ kubectl get namespaces
    $ kubectl describe nodes
    $ kubectl get all --all-namespaces
    $ kubectl get secrets --all-namespaces -o yaml
    

Review Docker

  1. Check containers running as root or privileged (uid 0 from `id` means root inside the container; whether it is privileged, shares host namespaces or mounts host paths is in the pod spec)
    $ kubectl get pods --all-namespaces
    $ kubectl exec -it <name> -n <namespace> -- /bin/bash
    # id
    
  2. Review images for vulnerabilities (trivy)
    $ trivy image <image:tag>
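The `id` check above only tells you the uid inside one container; the pod spec is what says whether a container is privileged, shares the host's PID or network namespace, keeps root as the image default, or mounts the node's runtime socket. The following is an added example, not code from the original page: it reads the JSON that `kubectl get pods -A -o json` prints and lists those conditions per container. The dump embedded in it is constructed, and the sets of dangerous capabilities and host paths are this example's own choice.

```python
"""Flag pods that run as root or privileged, share host namespaces,
or mount sensitive host paths. Added example; input is the JSON from
`kubectl get pods -A -o json` (the SAMPLE_DUMP below is constructed)."""
import json
import sys

# Capabilities that amount to node compromise when added to a container.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Host paths that expose the container runtime, kubelet credentials or devices.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/etc/kubernetes",
                        "/var/lib/kubelet", "/proc", "/dev")


def audit_pod(pod):
    """Return (pod, container, issue) tuples for one pod object."""
    spec, meta = pod["spec"], pod["metadata"]
    pod_id = f'{meta["namespace"]}/{meta["name"]}'
    out = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            out.append((pod_id, "-", f"{flag}=true"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            out.append((pod_id, "-", f"hostPath {path}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container settings override pod settings
        if sc.get("privileged"):
            out.append((pod_id, c["name"], "privileged=true"))
        if sc.get("runAsUser") == 0:
            out.append((pod_id, c["name"], "runAsUser=0"))
        elif sc.get("runAsUser") is None and not sc.get("runAsNonRoot"):
            out.append((pod_id, c["name"], "no runAsUser/runAsNonRoot, image default (often root) applies"))
        # allowPrivilegeEscalation defaults to true; irrelevant once privileged is already set
        if sc.get("allowPrivilegeEscalation", True) and not sc.get("privileged"):
            out.append((pod_id, c["name"], "allowPrivilegeEscalation not set to false"))
        caps = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if caps:
            out.append((pod_id, c["name"], "adds " + ",".join(sorted(caps))))
    return out


def audit_pods(dump):
    """Run audit_pod over every item of a `kubectl get pods -o json` dump."""
    return [f for pod in dump["items"] for f in audit_pod(pod)]


# Constructed dump: one over-privileged pod and one that follows the restricted profile.
SAMPLE_DUMP = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "node-tools"},
     "spec": {"hostPID": True,
              "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
              "containers": [{"name": "tools", "image": "busybox",
                              "securityContext": {"privileged": True,
                                                  "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    {"metadata": {"namespace": "apps", "name": "web"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "web", "image": "nginx",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "capabilities": {"drop": ["ALL"]}}}]}},
]}

if __name__ == "__main__":
    dump = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DUMP
    for pod_id, container, issue in audit_pods(dump):
        print(f"{pod_id} [{container}] {issue}")
```

Pipe a real dump in with `kubectl get pods -A -o json | python3 audit_pods.py`; with no stdin it audits the constructed sample, which reports five issues for `kube-system/node-tools` and nothing for `apps/web`.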

Review Kubernetes

  1. Check if the API server is Internet exposed: cluster-info prints the endpoint, then curl it from outside the cluster (`/version` usually answers anonymously, so a JSON reply confirms exposure even when other paths return 401/403)
    $ kubectl cluster-info
    $ curl -k https://<master_ip>:<port>/version
    
  2. Check whether Kubernetes is deployed according to the CIS benchmark (kube-bench, run on the control-plane node and on a worker node)
    $ kube-bench run --targets master
    $ kube-bench run --targets node
    
  3. Hunt for security weaknesses in Kubernetes clusters (starboard, kube-hunter, kubeaudit, mkit)
  4. Try the insecure port (plain HTTP, no authentication or authorization; the flag was removed in Kubernetes 1.24, so only older clusters can have it open). The jq check exits 0 when the port is disabled on a Docker-runtime node; the kubectl variant reads the flags of the static pod
    $ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--insecure-port=0").string'
    $ kubectl -n kube-system get pods -l component=kube-apiserver -o jsonpath='{.items[*].spec.containers[*].command}' | tr ',' '\n' | grep insecure-port
    
  5. Try anonymous auth (401 = anonymous auth disabled; 403 naming system:anonymous = enabled but restricted by RBAC; 200 with a pod list = finding)
    $ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    $ curl -k $APISERVER/api/v1/pods
    
  6. Try to auth to the API server with the default service account token (on 1.24+ request a short-lived token; older clusters keep a long-lived token secret)
    $ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    $ TOKEN=$(kubectl create token default)
    $ TOKEN=$(kubectl get secret $(kubectl get secrets | grep ^default | cut -f1 -d ' ') \
        -o jsonpath='{.data.token}' | base64 -d)
    $ curl -k $APISERVER/api -H "Authorization: Bearer $TOKEN"
    
  7. Read the service account token mounted in a pod (the namespace and the cluster CA sit next to it)
    $ kubectl get pods
    $ kubectl exec -it <name> -- /bin/bash
    # cat /var/run/secrets/kubernetes.io/serviceaccount/token
    # cat /var/run/secrets/kubernetes.io/serviceaccount/namespace
    
  8. Try to read secrets with that token (with curl; from inside a pod the API server is also reachable as https://kubernetes.default.svc)
    $ curl -k -v -H "Authorization: Bearer <jwt_token>" \
        https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
    
  9. Impersonate a privileged account (only works if the token's subject holds the `impersonate` verb on groups; system:masters bypasses RBAC entirely; Impersonate-User is mandatory whenever Impersonate-Group is sent, the name itself is arbitrary)
    $ curl -k -v -XGET \
        -H "Authorization: Bearer <JWT TOKEN of impersonator>" \
        -H "Impersonate-Group: system:masters" \
        -H "Impersonate-User: null" \
        -H "Accept: application/json" \
        https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
    
  10. Compromised container (see page: Compromised Container)
  11. Create over-privileged service account (see page: Create Over-Privileged Service Accounts)
  12. Review RBAC (what can the current identity, or a given service account, do?)
    $ kubectl auth can-i --list
    $ kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>
    $ kubectl get clusterrolebindings,rolebindings --all-namespaces -o wide
  13. Review theory
    • Secure Deployment Guidelines
    • Authn/Authz
    • Network Policies
    • Kubelet (see page: Kubelet Exploit)
  14. Manual testing (kubectl)
  15. Review integration with cloud providers (node metadata endpoint reachable from pods, kubeletmein)
    # curl -s -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/attributes/
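Steps 4 and 5 probe the insecure port and anonymous auth from the outside; the same weaknesses are visible in the API server's flags, together with an `AlwaysAllow` authorization mode that the probes would not distinguish from a missing RBAC setup. The following is an added example, not code from the original page: on a kubeadm cluster the API server is a static pod, so it parses the JSON from `kubectl -n kube-system get pods -l component=kube-apiserver -o json` and reports those flags, applying kube-apiserver's own defaults (anonymous auth on, AlwaysAllow) when a flag is absent. The two pod objects embedded below are constructed.

```python
"""Audit kube-apiserver flags for the insecure port, anonymous auth and
AlwaysAllow. Added example; input is the JSON from
`kubectl -n kube-system get pods -l component=kube-apiserver -o json`
(SAMPLE_DUMP below is constructed)."""
import json
import sys


def apiserver_flags(pod):
    """Map every --flag=value in the first container's command/args to a dict."""
    container = pod["spec"]["containers"][0]
    flags = {}
    for arg in container.get("command", []) + container.get("args", []):
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return flags


def audit_apiserver(flags):
    """Findings for one API server; absent flags take kube-apiserver's defaults."""
    findings = []
    port = flags.get("insecure-port")
    if port not in (None, "0"):
        findings.append(f"--insecure-port={port}: API served over plain HTTP without authentication")
    if flags.get("anonymous-auth", "true") == "true":
        findings.append("--anonymous-auth=true: unauthenticated requests are authorized as system:anonymous")
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow: every request is authorized")
    elif "RBAC" not in modes:
        findings.append(f"--authorization-mode={','.join(modes)}: RBAC not enabled")
    return findings


def audit_dump(dump):
    """Audit each pod of a `kubectl get pods -o json` dump, keyed by pod name."""
    return {pod["metadata"]["name"]: audit_apiserver(apiserver_flags(pod))
            for pod in dump["items"]}


def _apiserver_pod(name, *flags):
    """Constructed static-pod object trimmed to the fields the audit reads."""
    return {"metadata": {"name": name, "namespace": "kube-system"},
            "spec": {"containers": [{"name": "kube-apiserver",
                                     "command": ["kube-apiserver", *flags]}]}}


SAMPLE_DUMP = {"items": [
    _apiserver_pod("kube-apiserver-weak", "--secure-port=6443", "--insecure-port=8080",
                   "--anonymous-auth=true", "--authorization-mode=Node,RBAC"),
    _apiserver_pod("kube-apiserver-hardened", "--secure-port=6443", "--insecure-port=0",
                   "--anonymous-auth=false", "--authorization-mode=Node,RBAC"),
]}

if __name__ == "__main__":
    dump = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DUMP
    for name, findings in audit_dump(dump).items():
        print(name, "->", findings or "no findings")
```

`kubectl -n kube-system get pods -l component=kube-apiserver -o json | python3 audit_apiserver.py` runs it against a live cluster; an empty `flags` dict (no flags at all) already yields two findings, which is why absent flags must be treated as weak rather than ignored.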
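Steps 7 to 9 and the RBAC review (step 12) chain together: the token read from a pod identifies a service account, and the bindings decide whether that account can read secrets, exec into pods or impersonate a group such as system:masters. The following is an added example, not code from the original page, that decodes the token's `sub` claim (without verifying the signature, as the API server would) and walks the `items` arrays of `kubectl get clusterrolebindings,rolebindings -A -o json` and `kubectl get clusterroles,roles -A -o json` to list the risky grants that reach it through its own name and the `system:serviceaccounts*` groups. The token, bindings and roles embedded below are constructed, the token's signature segment is filler, and the `RISKY` table is this example's own choice.

```python
"""Decode a mounted service account token and list the RBAC grants behind it.
Added example; inputs are the token text and the `items` arrays of kubectl's
JSON output (SAMPLE_* below are constructed)."""
import base64
import json
import sys

# (resource, verb) pairs worth reporting; a rule using "*" matches any of them.
RISKY = {("secrets", "get"), ("secrets", "list"), ("pods/exec", "create"),
         ("pods", "create"), ("users", "impersonate"), ("groups", "impersonate"),
         ("clusterroles", "bind"), ("clusterroles", "escalate"), ("*", "*")}


def b64url_decode(part):
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sa_identity(token):
    """Return (namespace, name) from the unverified 'sub' claim."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    _, _, namespace, name = payload["sub"].split(":")
    return namespace, name


def subjects_for(namespace, name):
    """Every RBAC subject that matches this service account, as (kind, ns, name)."""
    return {("ServiceAccount", namespace, name),
            ("Group", None, f"system:serviceaccounts:{namespace}"),
            ("Group", None, "system:serviceaccounts"),
            ("Group", None, "system:authenticated")}


def effective_rules(namespace, name, bindings, roles):
    """Walk (Cluster)RoleBindings to their (Cluster)Roles; yield (scope, rule)."""
    wanted = subjects_for(namespace, name)
    by_key = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if not any((s["kind"], s.get("namespace"), s["name"]) in wanted for s in b.get("subjects", [])):
            continue
        ref, binding_ns = b["roleRef"], b["metadata"].get("namespace")
        # a RoleBinding may reference a ClusterRole; the grant is then limited to its namespace
        role = by_key.get((ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"]))
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else f"namespace {binding_ns}"
        for rule in (role or {}).get("rules", []):
            yield scope, rule


def risky_grants(namespace, name, bindings, roles):
    """Return (scope, resource, verb) triples matching RISKY, in binding order."""
    out = []
    for scope, rule in effective_rules(namespace, name, bindings, roles):
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if any(res in ("*", r) and verb in ("*", v) for r, v in RISKY):
                    out.append((scope, res, verb))
    return out


def _segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed token: header.payload.signature, the signature is filler (not RS256).
SAMPLE_TOKEN = ".".join([_segment({"alg": "RS256", "kid": "demo"}),
                         _segment({"iss": "kubernetes/serviceaccount",
                                   "sub": "system:serviceaccount:apps:default",
                                   "aud": ["https://kubernetes.default.svc"]}),
                         _segment({"sig": "not-verified"})])
# Constructed bindings and roles in the shape kubectl prints them.
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ns-secret-readers"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:apps"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "RoleBinding", "metadata": {"name": "debuggers", "namespace": "apps"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "apps", "name": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-exec"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}]
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-exec", "namespace": "apps"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}]

if __name__ == "__main__":
    token = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TOKEN
    ns, sa = sa_identity(token)
    print(f"token belongs to system:serviceaccount:{ns}:{sa}")
    for scope, res, verb in risky_grants(ns, sa, SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f"  {scope}: {verb} {res}")
```

Run it with the token from `/var/run/secrets/kubernetes.io/serviceaccount/token` as the argument; for the constructed data the `apps/default` account gets cluster-wide `get`/`list` on secrets through the `system:serviceaccounts:apps` group and `create` on `pods/exec` in its own namespace, while the `cluster-admin` binding to the `ops` group never reaches it. Group membership is the part `kubectl auth can-i --list --as=...` shows only if you also pass the right `--as-group` values, which is why the walk enumerates the implicit groups itself.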