Download as PDF, PPTX
![for d in */; do
echo "POD UID -> $d"
echo "POD INFO -> $(tail -n 1 $d/etc-
hosts)"
token_file=$(find "$d" -type f -name
"token" | head -n 1)
if [ -f "$token_file" ]; then
cat "$token_file"
else
echo "No token file found in $d"
fi
echo
done
3. Exploit K8S
3.2 Exploit Scenario Type 1
Operating System
Pod
Container
Pod
Pod
Container
Container
Pod
Container
Worker Node
? ?
?
1. Worker Node take over
2. Obtain Pod Token in
Worker node
3. API Call Using the Pod
token
4. Find Misconfiguration RBAC
/var/lib/kubelet/pods Shell Script
containers, etc-hosts, plugins,
volumes(token)
POD UID -> 9f61b8e5-~~~~ad3f/
POD INFO -> 10.233.119.32
xxxx-xxxx-xxxxxx-8497dd4457-
t7db2
POD Token -> eyJhbGciOiJSUzI1N
~](https://image.slidesharecdn.com/cloudvillagedefcon32exploitk8sviamisconfiguration-241117182444-70187dc9/75/Exploit-K8S-via-Misconfiguration-YAML-in-CSP-environments-35-2048.jpg)
![Extension Misconfiguration Type the scope of CNCF projects
Scope
[RBAC]
• Kind : Daemonset, Deployment SA
[Security Policy]
• HostPID
• securityContext
• : allowPrivilegeEscalation
• : capabilities
• : privileged
INCUBATING
SANDBOX
Role
Cluster Role
Role
3. Exploit K8S
3.7 Our Research Target
Resource
node Patch
secret Get/List](https://image.slidesharecdn.com/cloudvillagedefcon32exploitk8sviamisconfiguration-241117182444-70187dc9/75/Exploit-K8S-via-Misconfiguration-YAML-in-CSP-environments-49-2048.jpg)
![for d in */; do
echo "POD UID -> $d"
echo "POD INFO -> $(tail -n 1 $d/etc-
hosts)"
token_file=$(find "$d" -type f -name
"token" | head -n 1)
if [ -f "$token_file" ]; then
cat "$token_file"
else
echo "No token file found in $d"
fi
echo
done
3. Exploit K8S
3.2 Exploit Scenario Type 1
Operating System
Pod
Container
Pod
Pod
Container
Container
Pod
Container
Worker Node
? ?
?
1. Worker Node take over
2. Obtain Pod Token in
Worker node
3. API Call Using the Pod
token
4. Find Misconfiguration RBAC
/var/lib/kubelet/pods Shell Script
containers, etc-hosts, plugins,
volumes(token)
POD UID -> 9f61b8e5-~~~~ad3f/
POD INFO -> 10.233.119.32
xxxx-xxxx-xxxxxx-8497dd4457-
t7db2
POD Token -> eyJhbGciOiJSUzI1N
~](https://crownmelresort.com/image.slidesharecdn.com/cloudvillagedefcon32exploitk8sviamisconfiguration-241117182444-70187dc9/75/Exploit-K8S-via-Misconfiguration-YAML-in-CSP-environments-35-2048.jpg)
![Extension Misconfiguration Type the scope of CNCF projects
Scope
[RBAC]
• Kind : Daemonset, Deployment SA
[Security Policy]
• HostPID
• securityContext
• : allowPrivilegeEscalation
• : capabilities
• : privileged
INCUBATING
SANDBOX
Role
Cluster Role
Role
3. Exploit K8S
3.7 Our Research Target
Resource
node Patch
secret Get/List](https://crownmelresort.com/image.slidesharecdn.com/cloudvillagedefcon32exploitk8sviamisconfiguration-241117182444-70187dc9/75/Exploit-K8S-via-Misconfiguration-YAML-in-CSP-environments-49-2048.jpg)
Uploaded byCloud Village
Exploit K8S via Misconfiguration .YAML in CSP environments
The document provides a comprehensive overview of Kubernetes (k8s) risks, particularly focusing on misconfigurations and potential exploits. It details various architecture components, user control flows, and the implications of RBAC misconfigurations leading to security vulnerabilities. Specific exploit scenarios involving privilege escalation and credential access are also outlined, emphasizing the importance of secure k8s deployments.
More Related Content
Similar to Exploit K8S via Misconfiguration .YAML in CSP environments
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](https://cdn.slidesharecdn.com/ss_thumbnails/agenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg?width=640&height=640&fit=bounds)
Exploit K8S via Misconfiguration .YAML in CSP environments
- 1. Exploit K8S viaMisconfiguration YAML Focus on CNCF Project & CSP Yeonhui-Softvill No. 214 2024. 8. 9 #DEFCON32 #CloudVillage
- 2. Wooseok.Kim Goorm | SRE :wooseook@gmail.com : https://fb.com/se0g1 #BOB9th #SKKU #Goorm Changhyun.Park HYPERCONNECT | Security Compliance Manager : tkffkty456@gmail.com : https://fb.com/changhyun.park.3781 #BOB4th #Hacktagon #YSU #SKKU #EY #HPCNT #MG Introduction
- 3. About K8S RiskK8S Exploit K8S Security K8S Summary
- 4.
- 5. 1. About K8S 1.1Container Deployment
- 6. 1. About K8S 1.2K8S Node Hardware Operating System Container Runtime Container Container Container App Bin/Library App Bin/Library App Bin/Library Hardware Operating System Containerd Pod Container Pod Container Component Container K8S Node Structure Container Deployment Structure
- 7. 1. About K8S 1.3K8S Worker Node K8S Node Structure Worker Node Structure (Service Runtime) Hardware Operating System Containerd Pod Container Pod Container Component Container Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy
- 8. Hardware Operating System Containerd Static Pods 1.About K8S 1.4 K8S Master Node Master Node Structure (Control Plane) Cluster Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Kube API Server Kube Scheduler Kube Controller manager etcd HTTPS HTTPS
- 9. 1. About K8S 1.5K8S User Control Flow - 1 Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node K8S Admin API Server URL:Port CA, API Token Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd K8S User 1
- 10. 1. About K8S 1.6K8S User Control Flow - 2 Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node K8S Admin Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd K8S User 2 Kubectl apply –f XXXX.yaml Can K8S Object Control (kubectl --help) H T T P S
- 11. 1. About K8S 1.7.Yaml File Deep-Dive 🕹 JSON type manifest file for control objects in K8s 🏗 Strategies for Deploying Pod in Node (Daemonset, Deployment, job) 🎡 Define network controls for Pod in Node (Service) 🛠 Environment Variable setting (configmap) 🏘 RBAC Setting (Role-Based Access Control) 🛡 Security Policy Setting
- 12. Require Field apiVersion :K8S API Version Kind : POD, Service, ReplicaSet, Deployment Metadata : name … Spec(specification) 1. About K8S 1.8 .Yaml File Field (Key-Value)
- 13. 1. About K8S 1.9K8S User Control Flow - 3 Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node K8S Admin Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd K8S User H T T P S J W T T o k e n How to Connection Kubectl to API Server? 3
- 14. 1. About K8S 1.10Kubectl to API Server Using the SA Token - Binding Cluster Role(or Role) - Resource, Verbs Control Kube API Server 1. $HOME/.kube/config - Kube API Server URL:Port - K8S CA(certificate Authority) 2. - Kubectl apply –f xxxx.yaml
- 15. 1. About K8S 1.11K8S User Control Flow - 4 Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Pod Container Container Worker Node K8S Admin Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd K8S User 4 Pod Control
- 16.
- 17. 2. Risk K8S 2.1What Kind of Risk K8S? - 1 Pod Container 1. Pod take over
- 18. 2. Risk K8S 2.1What Kind of Risk K8S? - 2 Pod Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Cluster Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Kube API Server Kube Scheduler Kube Controller manager etcd HTTPS HTTPS 2. Privilege escalation & Escape
- 19. 2. Risk K8S 2.1What Kind of Risk K8S? - 3 Pod Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd 3. Obtaining Secrets DB Credential API Key TLS CA SSH Key 🔐
- 20. 2. Risk K8S 2.2Exploit node to cluster - 1 Pod Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy How to easy exploit node to cluster after Pod take over? Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Cluster Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Kube API Server Kube Scheduler Kube Controller manager etcd HTTPS HTTPS ? ? ? 🔐
- 21. 2. Risk K8S 2.2Exploit node to cluster - 2 Pod Container 0 & 1 Day Exploit (RCE, Remote File Read) + Security Policy Misconfiguration RBAC Setting Misconfiguration Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Cluster Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Kube API Server Kube Scheduler Kube Controller manager etcd HTTPS HTTPS 🔐
- 22. • HostPID • securityContext :allowPrivilegeEscalation : capabilities : privileged • etc 2. Risk K8S 2.3 K8S Security Policy Pod Container Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy K8S Security Policy 0 & 1 Day Exploit (RCE, Remote File Read) + Misconfiguration Security Policy …
- 23. Get the Deploynodes process information Access to other process and root file system 2. Risk K8S 2.4 hostPID • hostPID : false (default) • hostPID : true Read Pod Process Read Pod & Worker Node Process Access to ‘Worker Node’ process Hardware Operating System Process (Worker Node) Containerd Pod (hostPID: false ps aux) Container Pod (hostPID: true ps aux) Container ❌ Read Node Process ID ⭕ Read Node Process ID Pod can read ‘Worker Node’ process
- 24. 2. Risk K8S 2.5Security Context : allowPrivilegeEscalation No Escalation Permission Root Permission SetUID Can’t Escalation Pod Container User Root SetGID … bin SetUID ❌
- 25. 2. Risk K8S 2.5Security Context : allowPrivilegeEscalation Escalation Permission Pod Container User Root SetGID … bin SetUID ⭕ Can Escalation Permission Root Permission SetUID
- 26. 2. Risk K8S 2.6Security Context : capabilities Linux divides kernel permission Hardware Worker Node Operating System Kernel Containerd Pod (privileged : true) Container Pod (privileged : false) Container sys_admin net_admin mac_admin syslog • Current Capabilities Check & Type Pod can control kernel permission (ex, net_admin) • No Set capabilities • Set capabilities add “NET_ADMIN” ‘Worker Node’ NIC Control
- 27. 2. Risk K8S 2.7Security Context : privileged Hardware Operating System Process (Worker Node) Containerd Pod (privileged : true) Container Pod (privileged : false) Container Share the “Worker Node” Kernel Pod can control “Worker Node” kernel & Resource • privileged : false • privileged : true Access the Pod Resource Access the “Worker Node” Resource
- 28. 2. Risk K8S 2.8K8S RBAC Setting Misconfiguration RBAC Setting Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Kube API Server Kube Scheduler Kube Controller manager etcd Hardware Operating System Containerd Static Pods Master Node structure (Control Plane) Cluster Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Worker Node Hardware Operating System Containerd Pod Container Pod Container Component Container Kubelet Kube Proxy Kube API Server Kube Scheduler Kube Controller manager etcd HTTPS HTTPS • Create Service Account • Create Role Resource, Verb • Binding Role to Service Account K8S RBAC Setting
- 29. K8S Admin Pod Container Pod Container … SA(ServiceAccount) Create Token Role Create Cluster Role (All Namespace) Role (specific Namespace) Resource & verbs Role Binding to SA Cluster Role Binding Role Binding SA allocation in Pod Daemonset (All Pod) Deployment (without no target Specific Pod) … 2 1 3 4 2. Risk K8S 2.9 SA Role binding pattern
- 30. 2. Risk K8S 2.10Misconfiguration Role pattern 1. Just watch nodes, pods, watch 2. At least Resources, verbs Good Role Pattern case 1. nodes patch : Patch to worker nodes 2. Secrets get & list : Access to secrets key Bad Role Pattern case
- 31.
- 32. 3. Exploit K8S 3.1Exploit Scenario Exploit Scenario Type 1 A Worker Node Daemonset Service Account Secret Get/List DB Account API Key TLS CA SSH Key Credential Based Attack Scenario After Pod RCE, take over Worker Node Exploit Scenario Type 2 A Worker Node Daemonset Service Account Node Patch Other Worker Node Deployment Service Account Secret Get/List
- 33. 3. Exploit K8S 3.2Exploit Scenario Type 1 Exploit Scenario Type 1 A Worker Node Daemonset Service Account Secret Get/List DB Account API Key TLS CA SSH Key Credential Based Attack Scenario After Pod RCE, take over Worker Node
- 34. 3. Exploit K8S 3.2Exploit Scenario Type 1 1. Worker Node take over 2. Obtain Pod Token in Worker node 3. API Call Using the Pod token 4. Find Misconfiguration RBAC Hardware Operating System Containerd Pod Container Pod Container Pod Container CVE-2022-42889 (hostPID = true, SecurityContext) Reverse shell Worker Node
- 35. for d in*/; do echo "POD UID -> $d" echo "POD INFO -> $(tail -n 1 $d/etc- hosts)" token_file=$(find "$d" -type f -name "token" | head -n 1) if [ -f "$token_file" ]; then cat "$token_file" else echo "No token file found in $d" fi echo done 3. Exploit K8S 3.2 Exploit Scenario Type 1 Operating System Pod Container Pod Pod Container Container Pod Container Worker Node ? ? ? 1. Worker Node take over 2. Obtain Pod Token in Worker node 3. API Call Using the Pod token 4. Find Misconfiguration RBAC /var/lib/kubelet/pods Shell Script containers, etc-hosts, plugins, volumes(token) POD UID -> 9f61b8e5-~~~~ad3f/ POD INFO -> 10.233.119.32 xxxx-xxxx-xxxxxx-8497dd4457- t7db2 POD Token -> eyJhbGciOiJSUzI1N ~
- 36. 3. Exploit K8S 3.2Appendix. Pod token location Pod root@nginx:/var/run/secrets/kubernetes.io/serviceaccount # cat token eyJhbGciOiJSUzI… kubectl get pod nginx -o yaml | grep uid uid: 54c0818d-0a36-4807-8275-fe8d2791aa2c API Server (Master node) root@worker: /var/lib/kubelet/pods/54c0818d-0a36-4807-8275- fe8d2791aa2c/volumes/kubernetes.io~projected/kube-api-access-t6gmp# cat token Worker node uid : 54c0818d-0a36-4807-8275-fe8d2791aa2c eyJhbGciOiJSUzI… eyJhbGciOiJSUzI… = = Same Token
- 37. 3. Exploit K8S 3.2Exploit Scenario Type 1 1. Worker Node take over 2. Obtain Pod Token in Worker node 3. API Call Using the Pod token 4. Find Misconfiguration RBAC API Server info (/etc/kubernetes/kubelet.env) Pod token
- 38. 3. Exploit K8S 3.2Exploit Scenario Type 1 1. Worker Node take over 2. Obtain Pod Token in Worker node 3. API Call Using the Pod token 4. Find Misconfiguration RBAC API Server info (/etc/kubernetes/kubelet.env) REST API Call Pod token GET /api/v1/nodes/ GET /api/v1/secrets GET /api/v1/namespaces GET /api/v1/configmaps … { "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "Unauthorized", "reason": "Unauthorized", "code": 401 } curl /api/v1/configmaps : unauthorized { "kind": "configmaps", "apiVersion": "v1", "metadata": { "resourceVersion": “….” }, "items": [ { "metadata": { …..} curl /api/v1/configmaps : authorized
- 39. 3. Exploit K8S 3.2Exploit Scenario Type 1 1. Worker Node take over 2. Obtain Pod Token in Worker node 3. API Call Using the Pod token 4. Find Misconfiguration RBAC Find Permission Get/list secrets Get secret (base64 decoding) A Pod token B Pod token C Pod token ❌ ⭕ ❌
- 40. 3. Exploit K8S 3.3Exploit Scenario Type 2 DB Account API Key TLS CA SSH Key Credential Based Attack Scenario After Pod RCE, take over Worker Node Exploit Scenario Type 2 A Worker Node Daemonset Service Account Node Patch B Worker Node Deployment Service Account Secret Get/List
- 41. 3. Exploit K8S 3.3Exploit Scenario Type 2 DaemonSet Find Permission Patch Nodes A Pod token B Pod token C Pod token ❌ ⭕ ❌ Take Over A Worker Node A Pod token B Pod token C Pod token Non-Take Over B Worker Node ❌ ⭕ ❌ Deployment Find Permission Get/list secrets Master Node 4. Find Misconfiguration RBAC 5. Set taint Worker Node 6.Deployment Pod 7.Obtain Secrets
- 42. 3. Exploit K8S 3.3Exploit Scenario Type 2 Find Permission Patch Nodes A Pod token ⭕ Master Node Operating System Pod Container Pod Container Non-Take Over B Worker Node Operating System Pod Container Pod Container Set taint set “NoSchedule” Other Worker Node ❌ ❌ No Deployment Pod 🛑 🛑 4. Find Misconfiguration RBAC 5. Set taint Worker Node 6.Deployment Pod 7.Obtain Secrets Non-Take Over C Worker Node
- 43. 3. Exploit K8S 3.3Exploit Scenario Type 2 C Pod Deployment Find Permission Get/list secrets Operating System Pod Container Pod Container Take Over A Worker Node Operating System Pod Container Pod Container Non-Take Over B Worker Node Operating System Pod Container Pod Container Non-Take Over C Worker Node 🛑 🛑 Set taint set “NoSchedule” Set taint set “NoSchedule” ⭕ ❌ ❌ Next Deployment Schedule 4. Find Misconfiguration RBAC 5. Set taint Worker Node 6.Deployment Pod 7.Obtain Secrets
- 44. 3. Exploit K8S 3.3Exploit Scenario Type 2 4. Find Misconfiguration RBAC 5. Set taint Worker Node 6.Deployment Pod 7.Obtain Secrets Get secret (base64 decoding) A Pod token B Pod token C Pod token ❌ Find Permission Get/list secrets ⭕ ❌ Take Over A Worker Node
- 45. 3. Exploit K8S 3.4So easy…
- 46. 3. Exploit K8S 3.5Bug Case Study - 1 Misconfiguration Security Policy Report N – Day (ex, CVE-2020-8559) HostPID : True + Container-escape = CVE-2020-26278
- 47. 3. Exploit K8S 3.5Bug Case Study - 2 Misconfiguration RBAC Report (2) Misconfiguration RBAC Report (1)
- 48. 3. Exploit K8S 3.6CNCF Metrics
- 49. Extension Misconfiguration Typethe scope of CNCF projects Scope [RBAC] • Kind : Daemonset, Deployment SA [Security Policy] • HostPID • securityContext • : allowPrivilegeEscalation • : capabilities • : privileged INCUBATING SANDBOX Role Cluster Role Role 3. Exploit K8S 3.7 Our Research Target Resource node Patch secret Get/List
- 50. 3. Exploit K8S 3.8CNCF LANDSCAPE
- 51. 3. Exploit K8S 3.9CNCF Misconfiguration status Restricted
- 52. 3. Exploit K8S 3.10Report History Restricted
- 53.
- 54. Security Framework - KubernetesCIS Benchmark - OWASP Kubernetes Top 10 - Kubernetes Pod Security Standards Some CNCF Project need RBAC & Security Policy - We need to know why 4. Security K8S 4.1 Well Know about the K8S Security
- 55.