Process
Inventory

- [GKE] gcloud info (`applications` below is the name of the cluster under test; take it from the `list` output)

  ```shell
  $ gcloud container clusters list
  $ gcloud container clusters describe applications
  ```

- Get inventory: cluster endpoint, kubeconfig, namespaces, nodes, secrets and workloads. Use `-A` so you see every namespace rather than only the one in the current context

  ```shell
  $ kubectl cluster-info
  $ kubectl config view
  $ kubectl get namespaces
  $ kubectl describe nodes
  $ kubectl get secrets -A -o yaml
  $ kubectl get all -A
  ```
Review Docker

- Check for containers running as a privileged user: exec in and check the uid (0 means root), then confirm against the pod spec (`securityContext.privileged`, `runAsUser`, host namespaces)

  ```shell
  $ kubectl get pods -A
  $ kubectl exec -it <name> -n <namespace> -- /bin/bash
  # id
  ```

- Review images for vulnerabilities (trivy)
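The two checks above (privileged user, privileged container) are quicker to run over the whole cluster from the pod specs than by exec'ing into each pod. The following is an added example, not code from the original page: it reads the JSON that `kubectl get pods -A -o json` prints and flags root, `privileged`, host namespaces, `hostPath` mounts and dangerous added capabilities. `SAMPLE_PODS` is constructed for the demo and is not from a real cluster; the capability list is this example's own choice.

```python
"""Flag pods whose spec gives a container root, privileged mode, host namespaces,
host-path mounts or dangerous capabilities.  Added example, not from the original
page.  Reads `kubectl get pods -A -o json` when run with --stdin, else SAMPLE_PODS."""
import json
import sys

# Capabilities that give a container a path to the node when added (example's own list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(pod):
    """Return the findings for one pod object (empty list if nothing stands out)."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(flag)
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append("hostPath:" + vol["hostPath"].get("path", "?"))
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}:privileged")
        # Container-level runAsUser overrides the pod-level one; when neither is set
        # the image default applies, which for most images is uid 0.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            findings.append(f"{name}:root")
        elif uid is None and not non_root:
            findings.append(f"{name}:uid-unset")
        caps = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(caps & DANGEROUS_CAPS):
            findings.append(f"{name}:cap_{cap}")
    return findings


def audit_pod_list(pod_list):
    """Map 'namespace/name' -> findings for every pod that has at least one."""
    report = {}
    for pod in pod_list.get("items") or []:
        findings = audit_pod(pod)
        if findings:
            meta = pod.get("metadata") or {}
            report[f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"] = findings
    return report


# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS = {
    "items": [
        {"metadata": {"name": "web", "namespace": "default"},
         "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                  "containers": [{"name": "nginx", "image": "nginx"}]}},
        {"metadata": {"name": "node-agent", "namespace": "kube-system"},
         "spec": {"hostPID": True,
                  "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                  "containers": [{"name": "agent", "image": "agent",
                                  "securityContext": {"privileged": True}}]}},
        {"metadata": {"name": "debug", "namespace": "default"},
         "spec": {"containers": [{"name": "shell", "image": "busybox",
                                  "securityContext": {"runAsUser": 0,
                                                      "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}]}},
    ]
}


if __name__ == "__main__":
    # kubectl get pods -A -o json | python3 audit_pods.py --stdin
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_PODS
    for pod, findings in audit_pod_list(data).items():
        print(pod, ", ".join(findings))
```

A pod reported as `uid-unset` is not proven to run as root; it means nothing in the spec prevents it, so the `id` check inside the container is still the confirmation.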
Review Kubernetes

- Check if the API server is Internet exposed: take the endpoint from `kubectl cluster-info` and connect to it from outside the cluster's network

  ```shell
  $ kubectl cluster-info
  $ curl https://x.x.x.x --insecure
  ```

- Check whether Kubernetes is deployed according to the CIS benchmark (kube-bench)

  ```shell
  $ kube-bench master
  $ kube-bench node
  ```

- Hunt for security weaknesses in Kubernetes clusters (starboard, kube-hunter, kubeaudit, mkit)

- Try the insecure port: the unauthenticated HTTP port must be disabled (`--insecure-port=0`). Recent kube-apiserver releases no longer have the insecure port at all, so this check matters on older clusters. `jq -e` exits 0 when the flag is present, i.e. when the port is disabled

  ```shell
  $ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--insecure-port=0").string'
  ```

- Try anonymous auth: 401 means anonymous requests are rejected, 403 means anonymous auth is enabled but RBAC denies `system:anonymous`, 200 means the resource is readable without any credential

  ```shell
  $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
  $ curl $APISERVER/api/v1/pods --insecure
  ```

- Try to auth to the API server with a service account token (on Kubernetes 1.24 and later token secrets are no longer auto-created for service accounts; mint one with `kubectl create token default` instead)

  ```shell
  $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
  $ TOKEN=$(kubectl describe secret $(kubectl get secrets | grep ^default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d " ")
  $ curl $APISERVER/api -H "Authorization: Bearer $TOKEN" --insecure
  ```

- Try to get to secrets from inside a pod: the pod's service account token is mounted unless `automountServiceAccountToken: false` is set

  ```shell
  $ kubectl get pods
  $ kubectl exec -it <name> -- /bin/bash
  # cat /var/run/secrets/kubernetes.io/serviceaccount/token
  ```

- Try to get secrets (with curl) using that token; a 200 here means the service account can read kube-system secrets, which is effectively cluster compromise

  ```shell
  $ curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
  ```

- Impersonate a privileged account: this only works if the caller's RBAC grants the `impersonate` verb on users and groups. `Impersonate-User` is required whenever any `Impersonate-*` header is sent, which is why a placeholder user is passed alongside the group

  ```shell
  $ curl -k -v -XGET -H "Authorization: Bearer <JWT token of impersonator>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
  ```
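Before replaying a token found in a pod against the API server (the "get to secrets", "get secrets with curl" and "impersonate" steps above), it pays to decode it and see which identity you actually hold. The following is an added example, not code from the original page: it decodes the claims of a service-account JWT without verifying the signature, builds the header set for the raw curl calls (bearer auth, optionally with impersonation) and interprets the status codes. The demo token is constructed here with the real Kubernetes claim layout and a junk signature; `SA_DIR` is the standard in-pod mount path from the checklist.

```python
"""Decode a mounted service-account token and build raw API request headers.
Added example, not from the original page.  Signature is NOT verified: the
claims tell you which identity the token claims to be, not that it is valid."""
import base64
import json
import os
import time

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # in-pod mount path


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_mounted_token(sa_dir=SA_DIR):
    """Return the mounted token, or None when the pod has no token mounted."""
    try:
        with open(os.path.join(sa_dir, "token")) as fh:
            return fh.read().strip()
    except OSError:
        return None


def decode_sa_token(token, now=None):
    """Unverified decode: namespace and service account the token belongs to,
    and whether it has expired.  Legacy secret-based tokens carry no exp and
    never expire, which is itself worth noting in a finding."""
    header_seg, payload_seg, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    claims = json.loads(_b64url_decode(payload_seg))
    # Both legacy and bound tokens carry sub = system:serviceaccount:<ns>:<name>
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    namespace = name = None
    if sub.startswith(prefix):
        namespace, _, name = sub[len(prefix):].partition(":")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "namespace": namespace,
        "service_account": name,
        "expires": exp,
        "expired": exp is not None and exp < now,
    }


def api_headers(token, impersonate_user=None, impersonate_groups=()):
    """Headers for a raw API request, as (name, value) pairs because
    Impersonate-Group may repeat.  The API server requires Impersonate-User
    whenever any Impersonate-* header is present, which is why the checklist
    sends the placeholder user 'null' next to the group."""
    if impersonate_groups and impersonate_user is None:
        raise ValueError("Impersonate-Group requires Impersonate-User")
    headers = [("Authorization", f"Bearer {token}"), ("Accept", "application/json")]
    if impersonate_user is not None:
        headers.append(("Impersonate-User", impersonate_user))
    for group in impersonate_groups:
        headers.append(("Impersonate-Group", group))
    return headers


def classify_status(status):
    """What an API server status code says about the credential you sent."""
    return {
        200: "authorized: this identity can read the resource",
        401: "unauthenticated: token rejected (or anonymous auth disabled)",
        403: "authenticated, but RBAC denies this verb/resource",
    }.get(status, f"unexpected status {status}")


def make_demo_token(namespace, name, exp=None):
    """Constructed demo token: real claim layout, random junk as signature."""
    header = {"alg": "RS256", "kid": "demo"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": name}},
    }
    if exp is not None:
        payload["exp"] = exp
    segments = [json.dumps(header).encode(), json.dumps(payload).encode(), os.urandom(32)]
    return ".".join(_b64url_encode(s) for s in segments)


if __name__ == "__main__":
    token = read_mounted_token() or make_demo_token("kube-system", "default", exp=int(time.time()) + 3600)
    print(decode_sa_token(token))
    for name, value in api_headers(token, impersonate_user="null", impersonate_groups=["system:masters"]):
        print(f'-H "{name}: {value[:40]}"')
```

If `decode_sa_token` reports `kube-system/default` or a missing `exp`, that token deserves a dedicated finding even before you test what it can read.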
- Compromised container (see page: Compromised Container)
- Create over-privileged service account (see page: Create Over-Privileged Service Accounts)
- Review RBAC
- Review theory
  - Secure Deployment Guidelines
  - Authn/Authz
  - Network Policies
- Kubelet (see page: Kubelet Exploit)
- Manual testing (kubectl)
- Review integration with cloud providers (metadata, kubeletmein)
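For the "Review RBAC" and "Create over-privileged service account" items above, a concrete starting point is to scan the cluster's bindings for the grants that make the impersonation and secret-reading steps earlier on this page possible. The following is an added example, not code from the original page: it reads the JSON from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` and reports bindings that hand out wildcard rights, the `impersonate`, `bind` or `escalate` verbs, secret reading, `pods/exec`, pod creation, or anything at all to a `default` service account or to the `system:unauthenticated` / `system:authenticated` groups. The risk tags are this example's own classification; `SAMPLE_ROLES` and `SAMPLE_BINDINGS` are constructed for the demo.

```python
"""Audit ClusterRoles/ClusterRoleBindings for dangerous grants.
Added example, not from the original page.  Run as
  python3 rbac_audit.py clusterroles.json clusterrolebindings.json
with the two files produced by `kubectl get ... -o json`, or without
arguments to run over the constructed sample."""
import json
import sys

READ = {"get", "list", "watch", "*"}


def risky_rules(role):
    """Return the sorted risk tags for one ClusterRole/Role object (example's own tags)."""
    tags = set()
    for rule in role.get("rules") or []:
        verbs = set(rule.get("verbs") or [])
        resources = set(rule.get("resources") or [])
        if "*" in verbs and "*" in resources:
            tags.add("wildcard")
        if "impersonate" in verbs:
            tags.add("impersonate")      # become any user/group, e.g. system:masters
        if verbs & {"bind", "escalate"}:
            tags.add("rbac-escalate")    # grant rights beyond one's own
        if "secrets" in resources and verbs & READ:
            tags.add("read-secrets")
        if "pods/exec" in resources and verbs & {"create", "*"}:
            tags.add("pod-exec")
        if "pods" in resources and verbs & {"create", "*"}:
            tags.add("create-pods")      # can schedule a privileged/hostPath pod
    return sorted(tags)


def audit_bindings(roles, bindings):
    """One finding per (binding, subject) pair that carries any risk tag.
    The built-in cluster-admin -> system:masters binding is reported as well:
    it is expected, but who sits in system:masters is part of the review."""
    role_tags = {r["metadata"]["name"]: risky_rules(r) for r in roles.get("items") or []}
    findings = []
    for b in bindings.get("items") or []:
        role_name = (b.get("roleRef") or {}).get("name")
        tags = list(role_tags.get(role_name, []))
        if role_name == "cluster-admin" and "wildcard" not in tags:
            tags.append("wildcard")      # even if the role object was not in the input
        for subj in b.get("subjects") or []:
            kind, name, ns = subj.get("kind"), subj.get("name"), subj.get("namespace")
            subject_tags = list(tags)
            if kind == "ServiceAccount" and name == "default":
                subject_tags.append("default-sa")   # every pod in that namespace inherits it
            if kind == "Group" and name in ("system:unauthenticated", "system:authenticated"):
                subject_tags.append("anyone")       # anonymous, or every token holder
            if subject_tags:
                who = f"{kind}/{ns}/{name}" if ns else f"{kind}/{name}"
                findings.append({"binding": b["metadata"]["name"], "role": role_name,
                                 "subject": who, "tags": sorted(set(subject_tags))})
    return findings


# Constructed samples in the shape of `kubectl get clusterroles -o json` and
# `kubectl get clusterrolebindings -o json` (not from a real cluster).
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-deployer"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "default"}]},
    {"metadata": {"name": "public-secrets"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "devs"}, "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as r, open(sys.argv[2]) as b:
            roles, bindings = json.load(r), json.load(b)
    else:
        roles, bindings = SAMPLE_ROLES, SAMPLE_BINDINGS
    for f in audit_bindings(roles, bindings):
        print(f"{f['binding']:<16} {f['role']:<16} {f['subject']:<36} {','.join(f['tags'])}")
```

Namespaced `Roles` and `RoleBindings` are scanned the same way by feeding `kubectl get roles,rolebindings -A -o json`, since the same `rules`, `roleRef` and `subjects` fields are used; a `RoleBinding` that references a `ClusterRole` such as `cluster-admin` is still confined to its namespace, but a `default` service account holding it can read every secret there.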