. , , , — .
, . .
— . , , , . , - , , .
— Kubernetes DevOps. « » , Kubernetes , .
: ?
Kubernetes , . ?
Kubernetes . , , PodSecurityPolicy OPA Gatekeeper. , , .
, , , , , — . , .
, . . (Rory McCune) (@raesene), (Duffie Cooley) (@mauilion) node-shell krew — . .
hostNetwork
, hostPID
, hostIPC
, hostPath
privileged
? ? .
:
. , Kubernetes (, Kubernetes RBAC) 8: .
:
1:
2: Privileged hostPid
3: Privileged
4: hostPath
5: hostPid
6: hostNetwork
7: hostIPC
8: .
1:
?
.
?
. control-plane nodeName . exec
chroot
, . root , .
-
etcd
. control-plane nodeName
, etcd
, , . - . , . - , , clusterrolebinding, , , .
. README () 4: hostPath.
https://github.com/BishopFox/badPods/tree/main/manifests/everything-allowed
2: privileged hostpid
?
.
?
— root- . chroot
, nsenter
, root , .
?
Privileged.
privileged: true
, . PID. hostPID
nsenter
, . , privileged: true
, . — 3: Privileged.
Privileged +
hostPID
. hostPID: true
privileged: true
, , init
(PID 1) . shell .
root- , 1: .
https://github.com/BishopFox/badPods/tree/main/manifests/priv-and-hostpid
3: privileged
?
.
?
privileged: true
:
- .
/dev
. mount
. , . , shell. , . - cgroup user mode . root- , . (Felix Wilhelm) undock.sh, , , (Brandon Edwards) (Nick Freeman) . listener root- . — Metasploit Docker Privileged Container Escape, shell shell .
Kubernetes , 1, .
https://github.com/BishopFox/badPods/tree/main/manifests/priv
4: hostpath
?
.
?
, process- network- , . . , . , (Ian Coldwater) (Duffie Cooley) Black Hat 2019: « : Kubernetes ».
, , Kubernetes:
-
kubeconfig
. , cluster-admin
. - . -
kubectl auth can-i --list
access-matrix , , . , , . . kube-system
clusterrolebinding. - SSH-. SSH- , SSH, .
- .
/etc/shadow
.
https://github.com/BishopFox/badPods/tree/main/manifests/hostpath
5: hostpid
?
. - .
?
hostPID
root- , - .
- .
ps
hostPID: true
, , . - , , . , - , , , , . , Kubernetes - , cluster-admin.
- . , ( ).
https://github.com/BishopFox/badPods/tree/main/manifests/hostpid
6: hostnetwork
?
.
?
hostNetwork: true, , , cluster-admin . :
- . tcpdump . , , .
- , localhost. , loopback - . - .
- . , hostNetwork: true, . , , .
https://github.com/BishopFox/badPods/tree/main/manifests/hostnetwork
7: hostipc
?
, , IPC.
?
- (IPC) ( , , . .), /. /dev/shm
, hostIPC: true
. IPC ipcs
.
- /dev/shm. .
- IPC.
/usr/bin/ipcs
, - IPC.
https://github.com/BishopFox/badPods/tree/main/manifests/hostipc
8:
?
.
?
, , . Kubernetes, :
- . , . IAM, , IAM, . , , .
- .
/var/run/secrets/kubernetes.io/serviceaccount/token
, . - Kubernetes . apiserver kubelet' anonymous-auth
true
, . - , Kubernetes. Kubernetes .
- . , , , , . , .
https://github.com/BishopFox/badPods/tree/main/manifests/nothing-allowed
Kubernetes — KubeCon NA 2019 CTF
Kubernetes Goat
Kubernetes Kubelet
Kubernetes
CVE-2020-8558 POC
8, , ( ) .
Kubernetes , , ( root, MustRunAsNonRoot=true
allowPrivilegeEscalation=false
). , .
, . , Bad Pods Kubernetes .
: K8s Kubernetes . - 17 19 2021.