Process
Inventory
- [GKE] gcloud info

```
$ gcloud container clusters list
$ gcloud container clusters describe applications
```

- Get inventory: get namespaces, describe cluster and nodes

```
$ kubectl cluster-info
$ kubectl config view
$ kubectl get secrets -o yaml
$ kubectl get all
```
Review Docker
- Check containers running as privileged user

```
$ kubectl get pods
$ kubectl exec -it <name> -- /bin/bash
# id        <- run inside the container; uid=0 means the process runs as root
```

- Review images for vulnerabilities (trivy)
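Running `id` in every pod does not scale; the same check can be made cluster-wide from the pod specs. The script below is an added example (not part of the original checklist) that audits the output of `kubectl get pods -A -o json` for containers that are privileged, may run as root, can escalate privileges, share host namespaces, or auto-mount a service account token. The `SAMPLE` document is constructed so it runs offline; `audit` and `container_findings` are names chosen here.

```python
"""Audit a `kubectl get pods -A -o json` dump for weak container settings."""
import json

def container_findings(pod):
    """Return (location, issue) tuples for one Pod object."""
    meta, spec = pod["metadata"], pod["spec"]
    pod_sc = spec.get("securityContext", {})
    where = f"{meta['namespace']}/{meta['name']}"
    findings = []
    # Pod-level settings that break isolation from the node
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append((where, f"{flag}=true"))
    # Default is True: every container gets a token under /var/run/secrets
    if spec.get("automountServiceAccountToken", True):
        findings.append((where, "service account token auto-mounted"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # Container securityContext overrides the pod-level one field by field
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = f"{where}/{c['name']}"
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("runAsUser") == 0 or (
                "runAsUser" not in sc and not sc.get("runAsNonRoot")):
            findings.append((name, "may run as root (uid 0)"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not disabled"))
    return findings

def audit(pod_list_json):
    """Audit a PodList JSON document; returns all findings in pod order."""
    items = json.loads(pod_list_json)["items"]
    return [f for pod in items for f in container_findings(pod)]

# Constructed sample: one risky debug pod and one hardened web pod
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "debug"},
     "spec": {"hostPID": True, "containers": [
         {"name": "shell", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"automountServiceAccountToken": False,
              "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
              "containers": [{"name": "app", "securityContext":
                              {"allowPrivilegeEscalation": False}}]}}]})

if __name__ == "__main__":
    for where, issue in audit(SAMPLE):
        print(f"{where}: {issue}")
```

On a live cluster pipe `kubectl get pods -A -o json` into `audit` instead of `SAMPLE`.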
Review Kubernetes
- Check if Internet exposed

```
$ kubectl cluster-info
$ curl https://x.x.x.x --insecure
```

- Check whether Kubernetes is deployed according to the CIS benchmark (kube-bench)

```
$ kube-bench master
$ kube-bench node
```

- Hunt for security weaknesses in Kubernetes clusters (starboard, kube-hunter, kubeaudit, mkit)
- Try insecure port

```
$ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--insecure-port=0").string'
```

- Try anonymous auth

```
$ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
$ curl $APISERVER/api/v1/pods --insecure
```

- Try to auth to the API server

```
$ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
$ TOKEN=$(kubectl describe secret $(kubectl get secrets | grep ^default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d " ")
$ curl $APISERVER/api -H "Authorization: Bearer $TOKEN" --insecure
```

- Try to get to secrets

```
$ kubectl get pods
$ kubectl exec -it <name> -- /bin/bash
# cat /var/run/secrets/kubernetes.io/serviceaccount/token
```

- Try to get secrets (with curl)

```
$ curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
```

- Impersonate a privileged account

```
$ curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN of impersonator>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
```

- Compromised container (see page: Compromised Container)
- Create over-privileged service account (see page: Create Over-Privileged Service Accounts)
- Review RBAC
- Review theory
- Secure Deployment Guidelines
- Authn/Authz
- Network Policies
- Kubelet (see page: Kubelet Exploit)
- Manual testing (kubectl)
- Review integration with cloud providers (metadata, kubeletmein)