Everyone can contribute! Let's learn together in a weekly cafe ☕


We love to break things, make mistakes, debug, analyse, fix problems together. Live and unfiltered on Youtube.

Community members and thought leaders regularly join and share their projects and ideas.

"Everyone Can Contribute" is inspired by GitLab's mission.

19. cafe: Break into Kubernetes Security


Highlights

We are learning how to deploy and secure Kubernetes into Hetzner cloud in this series:

In this session, we change the perspective and try to break into a Kubernetes cluster with Philip Welz.

  • Scenario: view access to namespace everyonecancontribute & edit access to namespace philips-workspace
  • First, we check the permissions in the namespace with kubectl auth can-i --list
  • Inspect all namespaces and pods to fetch as much information as possible kubectl get pods -o yaml |grep secret -A5 -B5
  • Then create a new pod with privileged mode and execute a bash session into it
  • Mount the host filesystem, download kubectl from the internet and use kubelet.conf as our KUBECONFIG
  • Gather as much as possible information about the Cluster ( Nodes, IPs, etc. )
  • Generate an SSH key, move it to the mounted host filesystem and access the host as root
  • Use container runtime CLI crictl to retrieve passwords
  • Authenticate against the Kubernetes API and fetch the remaining tokens/passwords.
  • Created again a pod with privileged mode but this time scheduled it with nodeName to one control plane node
  • Mount the host filesystem again and use the admin.conf as our KUBECONFIG to gain full cluster admin rights
  • Target etcd to read the secrets in plaintext.
  • Defend tactics

Next week, we’ll look into more security topics and more:

  • OpenID Connection of the API Server with Dex and GitLab, continued.
  • Hetzner storage volumes
  • Future ideas touch monitoring with Prometheus, GitLab CI/CD deployments and much more :)

Insights

Recording

Enjoy the session! 🦊


Date published: March 3, 2021

Tags: Gitlab, Hetzner, Cloud, Terraform, Ansible, Kubernetes,