Everyone can contribute! Let's learn together in a weekly cafe ☕
We love to break things, make mistakes, debug, analyse, fix problems together. Live and unfiltered on Youtube.
Community members and thought leaders regularly join and share their projects and ideas.
"Everyone Can Contribute" is inspired by GitLab's mission.
19. cafe: Break into Kubernetes Security
We are learning how to deploy and secure Kubernetes into Hetzner cloud in this series:
In this session, we change the perspective and try to break into a Kubernetes cluster with Philip Welz.
- Scenario: view access to namespace
everyonecancontribute& edit access to namespace
- First, we check the permissions in the namespace with
kubectl auth can-i --list
- Inspect all namespaces and pods to fetch as much information as possible
kubectl get pods -o yaml |grep secret -A5 -B5
- Then create a new pod with privileged mode and execute a bash session into it
- Mount the host filesystem, download kubectl from the internet and use kubelet.conf as our
- Gather as much as possible information about the Cluster ( Nodes, IPs, etc. )
- Generate an SSH key, move it to the mounted host filesystem and access the host as root
- Use container runtime CLI
crictlto retrieve passwords
- Authenticate against the Kubernetes API and fetch the remaining tokens/passwords.
- Created again a pod with privileged mode but this time scheduled it with nodeName to one control plane node
- Mount the host filesystem again and use the admin.conf as our
KUBECONFIGto gain full cluster admin rights
- Target etcd to read the secrets in plaintext.
- Defend tactics
Next week, we’ll look into more security topics and more:
- OpenID Connection of the API Server with Dex and GitLab, continued.
- Hetzner storage volumes
- Future ideas touch monitoring with Prometheus, GitLab CI/CD deployments and much more :)
- Kubernetes group repos
- Repository with all commands from the session
- Twitter thread
- KubeCon 2019 CTF
- Attacking Kubernetes through Kubelet
- BadPods examples & explanations
- deploy a pod that gives us full host access
- kubectl node shell
Enjoy the session! 🦊