Everyone is welcome, everyone can contribute, everyone is unique and these are your strengths too!

19. cafe: Break into Kubernetes Security


We are learning how to deploy and secure Kubernetes on Hetzner Cloud in this series.

In this session, we change the perspective and try to break into a Kubernetes cluster with Philip Welz.

  • Scenario: view access to the namespace everyonecancontribute and edit access to the namespace philips-workspace
  • First, check the permissions in the namespace with kubectl auth can-i --list
  • Inspect all namespaces and pods to fetch as much information as possible: kubectl get pods -o yaml | grep secret -A5 -B5
  • Then create a new pod in privileged mode and open a bash session in it
  • Mount the host filesystem, download kubectl from the internet and use kubelet.conf as our KUBECONFIG
  • Gather as much information as possible about the cluster (nodes, IPs, etc.)
  • Generate an SSH key, move it to the mounted host filesystem and access the host as root
  • Use the container runtime CLI crictl to retrieve passwords
  • Authenticate against the Kubernetes API and fetch the remaining tokens/passwords
  • Create a privileged pod again, but this time schedule it with nodeName onto a control plane node
  • Mount the host filesystem again and use admin.conf as our KUBECONFIG to gain full cluster admin rights
  • Target etcd to read the secrets in plaintext
  • Defensive tactics
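The whole chain above starts from one permission (creating pods in philips-workspace) and three pod-spec settings: a privileged container, a hostPath mount of the node filesystem, and nodeName to land on a control plane node. As an added example for the defensive side (this is not code from the session or from any project it mentions), the Python script below is a small static check in the spirit of a Pod Security admission policy: it flags exactly those settings in a pod manifest and returns an admit/deny decision. The two manifests are constructed for the example, and the severity levels and function names are my own choices; in a real cluster you would enforce this with Pod Security Admission (the baseline or restricted profile) or an admission controller rather than a script, but the script can be pointed at the output of kubectl get pods -A -o json to audit what is already running.

```python
"""Static pod-spec audit: flags privileged containers, hostPath mounts and
nodeName pinning, the three settings the walkthrough relies on.
Added example; pod manifests below are constructed, not taken from a cluster."""

# Host paths whose exposure hands over the node (assumption: a short, opinionated list).
SENSITIVE_HOST_PATHS = ("/etc", "/var", "/root", "/home")


def _all_containers(spec):
    # initContainers count too: an init container can run privileged just as well.
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def pod_findings(pod):
    """Return a list of (severity, message) tuples for one pod manifest, given as a
    dict in the shape that `kubectl get pod -o json` produces."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    findings = []

    # 1. privileged containers: full host device access, the first step of the chain
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("HIGH", f"{name}: container {c.get('name')} is privileged"))

    # 2. hostPath volumes: mounting "/" or a sensitive directory exposes kubelet.conf,
    #    admin.conf, SSH authorized_keys and so on
    for v in spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp is None:
            continue
        path = hp.get("path", "")
        norm = path.rstrip("/") or "/"
        sensitive = norm == "/" or any(
            norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS
        )
        sev = "HIGH" if sensitive else "MEDIUM"
        findings.append((sev, f"{name}: volume {v.get('name')} mounts host path {path}"))

    # 3. nodeName bypasses the scheduler (and control-plane taints), which is how the
    #    walkthrough reaches admin.conf on a control plane node
    if spec.get("nodeName"):
        findings.append(("MEDIUM", f"{name}: pod pinned to node {spec['nodeName']} via nodeName"))

    # Related host-namespace sharing, also denied by the baseline profile
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(("MEDIUM", f"{name}: shares the host PID or network namespace"))

    return findings


def should_admit(pod):
    """Policy decision: reject any pod that has a HIGH finding."""
    return not any(sev == "HIGH" for sev, _ in pod_findings(pod))


# Constructed manifests: an ordinary workload and the kind of pod the policy must reject.
WEB_POD = {
    "metadata": {"name": "web", "namespace": "philips-workspace"},
    "spec": {
        "containers": [
            {"name": "web", "image": "nginx:1.21",
             "securityContext": {"allowPrivilegeEscalation": False}}
        ]
    },
}

ESCAPE_POD = {
    "metadata": {"name": "escape", "namespace": "philips-workspace"},
    "spec": {
        "nodeName": "control-plane-1",
        "containers": [
            {"name": "shell", "image": "busybox",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "host", "mountPath": "/host"}]}
        ],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for pod in (WEB_POD, ESCAPE_POD):
        verdict = "ADMIT" if should_admit(pod) else "DENY"
        print(verdict, pod["metadata"]["name"])
        for sev, msg in pod_findings(pod):
            print(f"  [{sev}] {msg}")
```

The check is deliberately narrower than the Kubernetes Pod Security Standards (it says nothing about capabilities, seccomp profiles or running as root), so treat it as an audit of the specific primitives this session used, not as a replacement for an enforced admission profile on the namespace.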

Next week we'll look into more security topics, and other subjects:

  • OpenID Connect for the API server with Dex and GitLab, continued
  • Hetzner storage volumes
  • Future ideas include monitoring with Prometheus, GitLab CI/CD deployments and much more :)



Enjoy the session! 🦊

Date published: March 3, 2021

Tags: Gitlab, Hetzner, Cloud, Terraform, Ansible, Kubernetes