Everyone can contribute! Learn DevOps and Cloud Native in our cafe ☕

Technology is moving fast in the DevOps and Cloud Native community.

Join the conversation and add your thoughts, tips, experiences, stories.

"Everyone Can Contribute" is inspired by GitLab's mission.

19. cafe: Break into Kubernetes Security


We are learning how to deploy and secure Kubernetes on Hetzner Cloud in this series.

In this session, we change the perspective and try to break into a Kubernetes cluster with Philip Welz.

  • Scenario: view access to the namespace everyonecancontribute and edit access to the namespace philips-workspace
  • First, check the permissions in the namespace with kubectl auth can-i --list
  • Inspect all namespaces and pods to gather as much information as possible: kubectl get pods -o yaml | grep secret -A5 -B5
  • Then create a new pod in privileged mode and open a bash session in it
  • Mount the host filesystem, download kubectl from the internet and use kubelet.conf as our KUBECONFIG
  • Gather as much information as possible about the cluster (nodes, IPs, etc.)
  • Generate an SSH key, move it to the mounted host filesystem and access the host as root
  • Use the container runtime CLI crictl to retrieve passwords
  • Authenticate against the Kubernetes API and fetch the remaining tokens/passwords
  • Create another pod in privileged mode, this time scheduled with nodeName onto a control plane node
  • Mount the host filesystem again and use admin.conf as our KUBECONFIG to gain full cluster admin rights
  • Target etcd to read the secrets in plaintext
  • Defensive tactics
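The chain above depends on a handful of pod settings that a cluster operator can spot or block before they are used: privileged containers, hostPath volumes mounting the node filesystem, host namespaces, and pods pinned with nodeName. The following audit script is an added example for the defensive part of the session; it is not code from the session or from this site. It reads the JSON shape produced by kubectl get pods -A -o json and reports those settings. The embedded PodList, the pod names and the node name are constructed sample data.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` (a PodList).
# Two pods: a harmless web server and a debug pod carrying the risky settings
# the session relies on (privileged container, host filesystem mount, hostPID,
# direct scheduling via nodeName). Names and node name are made up.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "web", "namespace": "everyonecancontribute"},
            "spec": {
                "containers": [{
                    "name": "nginx", "image": "nginx:1.19",
                    "securityContext": {"allowPrivilegeEscalation": False},
                }],
            },
        },
        {
            "metadata": {"name": "debug", "namespace": "philips-workspace"},
            "spec": {
                "nodeName": "control-plane-1",
                "hostPID": True,
                "containers": [{
                    "name": "shell", "image": "ubuntu:20.04",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}],
                }],
                "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            },
        },
    ],
})


def audit_pod(pod):
    """Return a list of (namespace/name, finding) tuples for one Pod object."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []

    # Privileged containers can reach the node's devices and mount its disks.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((ref, f"container '{c.get('name')}' is privileged"))

    # hostPath volumes expose node files such as kubelet.conf or admin.conf.
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            path = v["hostPath"].get("path")
            findings.append((ref, f"hostPath volume '{v.get('name')}' mounts {path}"))

    # Host namespaces let a container see node processes and network.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append((ref, f"{flag} is enabled"))

    # nodeName bypasses the scheduler and can land a pod on a control plane node.
    if spec.get("nodeName"):
        findings.append((ref, f"scheduled directly via nodeName={spec['nodeName']}"))

    return findings


def audit_podlist(podlist_json):
    """Audit every Pod in a PodList (or a single Pod) JSON document."""
    doc = json.loads(podlist_json)
    items = doc.get("items", []) if doc.get("kind") == "PodList" else [doc]
    findings = []
    for pod in items:
        findings.extend(audit_pod(pod))
    return findings


if __name__ == "__main__":
    # Pipe live data in (kubectl get pods -A -o json | python3 audit.py),
    # otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODLIST
    for ref, finding in audit_podlist(data):
        print(f"{ref}: {finding}")
```

Run against the sample, only the debug pod in philips-workspace produces findings; the web pod is clean. The same settings are what the Pod Security Admission "baseline" and "restricted" levels reject, so labelling the namespaces a user can edit with pod-security.kubernetes.io/enforce=restricted prevents the privileged pod and the hostPath mount from being created in the first place, and this script is then a cross-check for namespaces that are not yet enforced.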

Next week, we’ll look into more security topics and related work:

  • OpenID Connect for the API server with Dex and GitLab, continued.
  • Hetzner storage volumes
  • Future ideas touch monitoring with Prometheus, GitLab CI/CD deployments and much more :)



Enjoy the session! 🦊

Date published: March 3, 2021

Tags: Gitlab, Hetzner, Cloud, Terraform, Ansible, Kubernetes