1 of 33

Red Teaming Kubernetes

From App-Level CVEs to Full Cluster Takeover

1

Lenin Alevski

2 of 33

About Me

Lenin Alevski 🇲🇽
Security Engineer @ Google 🇺🇸
Open Source Contributor
Corporate & Startup world
I’m obsessed with cybersecurity ❤️

3 of 33

Agenda

Introduction to Kubernetes
Kubernetes Threat Model
Most common attack techniques in K8S
Hands-On / CTF style challenges

4 of 33

What Is Kubernetes Anyways?

5 of 33

6 of 33

Kubernetes Application

7 of 33

Kubernetes Components

Control Plane Components

kube-apiserver
etcd
kube-scheduler
kube-controller

Node Components

kube-proxy
kubelet
container runtime

Jumping down a further layer of abstraction and we have the components, divided into two sections: control plane components (one per cluster) and node components (one per node)

Kube-apiserver: The Kubernetes API server is the control interface. It validates and configures data for the api objects, including pods, services, replicationcontrollers, etc. The API Server exposes REST operations and provides the frontend to the cluster's shared state through which all other components interact.
Etcd: data storage containing configmaps, secrets, states, etc
Kube-scheduler: Responsible for scheduling newly created pods to the best available nodes in the cluster. It keeps the application workload evenly distributed among nodes depending on resource needs.
Kube-controller: Ensures that the current state of running pods matches the desired state of deployments/statefulset/replica-set/etc.
Kube-proxy: Proxies traffic between services and nodes.
Kubelet: The primary "node agent", communicates with the API server and manages the node.
Container runtime: Software that is responsible for running containers (Docker).

https://www.educba.com/kubernetes-control-plane/

8 of 33

Kubernetes Threat Model: If An Attacker Controls ...

Control plane nodes: Attacker controls your cluster. They can modify, access and destroy everything

Pod / Container: Attacker controls application and may be able to escape and attack the node

Kubelet: Attacker controls running pods

Worker nodes: Attacker controls running pods. They can attack master nodes

9 of 33

OWASP Kubernetes Risks Top (2022)

K01: Insecure Workload Configurations
K02: Supply Chain Vulnerabilities
K03: Overly Permissive RBAC Configurations
K04: Lack of Centralized Policy Enforcement
K05: Inadequate Logging and Monitoring
K06: Broken Authentication Mechanisms
K07: Missing Network Segmentation Controls
K08: Secrets Management Failures
K09: Misconfigured Cluster Components
K10: Outdated and Vulnerable Kubernetes Components

10 of 33

Kubernetes Most Common Attack Techniques

11 of 33

Threat Matrix For Kubernetes (2022)

12 of 33

Initial Access

Using cloud credentials
Compromised images and registry
Kubeconfig file
Application Vulnerability
Exposed sensitive interfaces

13 of 33

Kubeconfig File - Hunting For .kube/config Files

14 of 33

Application Vulnerabilities

OWASP Top 10
SQLi
RCE
Command injection
Etc

A01:2021	Broken Access Control
A02:2021	Cryptographic Failures
A03:2021	Injection
A04:2021	Insecure Design
A05:2021	Security Misconfiguration
A06:2021	Vulnerable and Outdated Components
A07:2021	Identification and Authentication Failures
A08:2021	Software and Data Integrity Failures
A09:2021	Security Logging and Monitoring Failures
A10:2021	Server-Side Request Forgery

15 of 33

Application Vulnerabilities

16 of 33

Execution

Application exploit (RCE)
Exec into container
New container
Sidecar Injection

17 of 33

Exec Into The Container

18 of 33

Credential Access

List Kubernetes secrets
Mount Service Principal
Access container service account
Applications credentials in �configuration files
Access managed identity credential
Malicious admission controller

The credential access tactic consists of techniques that are used by attackers to steal credentials.

In kubernetes environments, this includes:

Kubernetes secrets – objects that store sensitive information
Service Principal credentials – cloud credentials. Attackers can sometimes leverage their access to a container to obtain these credentials. In AKS, for example, each node contains a service principal credential, so access to a node means access to this credential.
Container service account credentials: Service Accounts represent applications in Kubernetes. By default, an SA is mounted to every created pod in the cluster.
Applications credentials: Developers sometimes store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. This makes them very easy to steal, please don’t do this!
managed identity credentials – cloud credentials. Applications can obtain the token for a managed identity by accessing the Instance Metadata Service (IMDS). Attackers with access to a pod can query the IMDS to obtain a managed identity token and access cloud resources.
Malicious admission controller: In addition to maintaining persistence, the admission controller can be used to read sensitive information in API calls.

19 of 33

Access managed identity credential

20 of 33

Discovery

Access the Kubernetes API server
Access Kubelet API
Network mapping
Access Kubernetes dashboard
Instance Metadata API

The discovery tactic consists of techniques that are used by attackers to explore the environment to which they gained access. This exploration helps the attackers to perform lateral movement and gain access to additional resources.

Access the Kubernetes API server: The Kubernetes API server is the gateway to the cluster. Attackers can send requests to the API server to probe the cluster and get information about pods, containers, secrets, and other resources.
Access Kubelet API: the Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host can send API requests to the Kubelet API and retrieve information about running pods and the node itself.
Network mapping: By default, there is no restriction on pod communication in Kubernetes. Attackers can freely map the cluster network to get information on the running applications.
Access Kubernetes dashboard: If an attacker steals service account credentials, they can use the Kubernetes dashboard (a Web-based UI) to perform actions in the cluster.
Instance Metadata API: Cloud providers provide an instance metadata service for retrieving information about a virtual machine. Attackers who gain access to a container can query this service and obtain information about the underlying node the container is running on.

21 of 33

Kubernetes Service

22 of 33

Lateral Movement

Access cloud resources
Container service account
Cluster internal networking
Applications credentials in �configuration files
Writable volume mounts on the host
CoreDNS poisoning

The lateral movement tactic consists of techniques that are used by attackers to move through the victim’s environment. This includes gaining access to various resources in the cluster, gaining access to the underlying node from a container, or gaining access to the cloud environment itself.

Access cloud resources: Attackers may move from a compromised container to the cloud environment.
Container service account: Attackers who gain access to a container in the cluster may use the mounted service account token for sending requests to the API server, and gaining access to additional resources in the cluster.
Cluster internal networking: Kubernetes networking behavior allows traffic between pods in the cluster as a default behavior. Attackers who gain access to a single container may use it for network reachability to another container in the cluster.
Applications credentials in configuration files: Developers store secrets in the Kubernetes configuration files, for example, as environment variables in the pod configuration. Using those credentials attackers may gain access to additional resources inside and outside the cluster. (See “6: Application credentials in configuration files” for more details.)
Writable volume mounts on the host: Attackers may attempt to gain access to the underlying host from a compromised container.
CoreDNS poisoning: CoreDNS is the main DNS service used in Kubernetes. The configuration file (coorefile) is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services.

23 of 33

Lateral Movement and Credential Theft in Kubernetes

24 of 33

Privilege Escalation

HostPath mount
Access cloud resources
Privileged container
Cluster-admin binding

The privilege escalation tactic consists of techniques that are used by attackers to get higher privileges in the environment than those they currently have. In containerized environments, this can include getting access to the node from a container, gaining higher privileges in the cluster, and even getting access to the cloud resources

HostPath mount: hostPath mount can be used by attackers to get access to the underlying host and thus break from the container to the host.
Access cloud resources: depending on the cloud provider different services might be available from inside the cluster
Privileged container: Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod’s service account, for example), can get access to the host’s resources.
Cluster-admin binding: RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes

25 of 33

Privileged Container

26 of 33

A Container That Doesn't Contain Anything

27 of 33

Cluster-Admin Binding

28 of 33

Hands-on 🙌💻🏴‍☠️

29 of 33

30 of 33

sequenceDiagram

participant Attacker

participant IngressController as ingress-nginx-controller

Attacker->>IngressController: Step 1: Send HTTP request with malicious reverse_shell.so module

note right of IngressController: Body written to disk via client body buffers when >8KB

Note over Attacker,IngressController: Malicious module staged on disk (e.g. /proc/$PID/fd/$FD)

Attacker->>IngressController: Step 2: Send requests with ssl_engine directive

loop Brute-force PID/FD path

Attacker->>IngressController: Try config: ssl_engine /proc/$PID/fd/$FD

end

Note over IngressController: Loads and executes malicious module

IngressController-->>Attacker: Reverse Shell

Note over IngressController: Command execution achieved inside the pod

Attacker-->>IngressController: cat /var/run/secrets/kubernetes.io/serviceaccount/token

IngressController-->>Attacker: eyJhbGci...

31 of 33

Ingress-nightmare Lab

https://github.com/Alevsk/dvka/tree/master/workshop/labs/ingress-nightmare

32 of 33

Escenario:

33 of 33

Thanks

@alevsk

https://github.com/alevsk

https://www.linkedin.com/in/alevsk/

https://www.alevsk.com