hacktricks/pentesting/pentesting-kubernetes/README.md

# Pentesting Kubernetes

## Kubernetes Basics

If you don't know anything about Kubernetes this is a **good start**. Read it to learn about the **architecture, components and basic actions** in Kubernetes:

{% content-ref url="kubernetes-basics.md" %}
[kubernetes-basics.md](kubernetes-basics.md)
{% endcontent-ref %}

## Pentesting Kubernetes

### From the Outside

There are several possible **Kubernetes services that you could find exposed** on the Internet (or inside internal networks). If you find them you know there is Kubernetes environment in there.

Depending on the configuration and your privileges you might be able to abuse that environment, for more information:

{% content-ref url="pentesting-kubernetes-from-the-outside.md" %}
[pentesting-kubernetes-from-the-outside.md](pentesting-kubernetes-from-the-outside.md)
{% endcontent-ref %}

### Enumeration inside a Pod

If you manage to **compromise a Pod** read the following page to learn how to enumerate and try to **escalate privileges/escape**:

{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}
[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}

### Enumerating Kubernetes with Credentials

You might have managed to compromise **user credentials, a user token or some service account toke**n. You can use it to talk to the Kubernetes API service and try to **enumerate it to learn more** about it:

{% content-ref url="enumeration-from-a-pod.md" %}
[enumeration-from-a-pod.md](enumeration-from-a-pod.md)
{% endcontent-ref %}

Another important details about enumeration and Kubernetes permissions abuse is the **Kubernetes Role-Based Access Control (RBAC)**. If you want to abuse permissions, you first should read about it here:

{% content-ref url="kubernetes-role-based-access-control-rbac.md" %}
[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)
{% endcontent-ref %}

#### Knowing about RBAC and having enumerated the environment you can now try to abuse the permissions with:

{% content-ref url="hardening-roles-clusterroles.md" %}
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
{% endcontent-ref %}

## Labs to practice and learn

* [https://securekubernetes.com/](https://securekubernetes.com)
* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)

## Hardening Kubernetes

The tool [**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\
You can choose to:

* run kube-bench from inside a container (sharing PID namespace with the host)
* run a container that installs kube-bench on the host, and then run kube-bench directly on the host
* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),
* compile it from source.
GitBook: [master] 2 pages modified 2021-03-29 16:19:04 +00:00			`# Pentesting Kubernetes`

GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`## Kubernetes Basics`
GitBook: [master] 2 pages modified 2021-03-29 16:19:04 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`If you don't know anything about Kubernetes this is a good start. Read it to learn about the architecture, components and basic actions in Kubernetes:`
GitBook: [master] 449 pages modified 2021-04-24 11:40:49 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`{% content-ref url="kubernetes-basics.md" %}`
			`[kubernetes-basics.md](kubernetes-basics.md)`
			`{% endcontent-ref %}`
GitBook: [master] one page and 2 assets modified 2021-04-26 14:49:13 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`## Pentesting Kubernetes`
GitBook: [master] one page and 2 assets modified 2021-04-26 14:49:13 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`### From the Outside`
GitBook: [master] one page and 2 assets modified 2021-04-26 14:49:13 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`There are several possible Kubernetes services that you could find exposed on the Internet (or inside internal networks). If you find them you know there is Kubernetes environment in there.`
GitBook: [master] one page and 2 assets modified 2021-04-26 14:49:13 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`Depending on the configuration and your privileges you might be able to abuse that environment, for more information:`
GitBook: [master] 2 pages modified 2021-04-28 13:49:35 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% content-ref url="pentesting-kubernetes-from-the-outside.md" %}`
			`[pentesting-kubernetes-from-the-outside.md](pentesting-kubernetes-from-the-outside.md)`
			`{% endcontent-ref %}`
GitBook: [master] 5 pages modified 2021-04-28 16:27:24 +00:00
GitBook: [master] 5 pages modified 2021-04-27 23:18:16 +00:00			`### Enumeration inside a Pod`

GitBook: [master] 454 pages modified 2021-04-28 23:33:12 +00:00			`If you manage to compromise a Pod read the following page to learn how to enumerate and try to escalate privileges/escape:`

GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}`
			`[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% endcontent-ref %}`
GitBook: [master] 5 pages modified 2021-04-27 23:18:16 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`### Enumerating Kubernetes with Credentials`
GitBook: [master] 449 pages modified 2021-04-24 11:40:49 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`You might have managed to compromise user credentials, a user token or some service account token. You can use it to talk to the Kubernetes API service and try to enumerate it to learn more about it:`
GitBook: [master] 449 pages modified 2021-04-24 11:40:49 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`{% content-ref url="enumeration-from-a-pod.md" %}`
			`[enumeration-from-a-pod.md](enumeration-from-a-pod.md)`
			`{% endcontent-ref %}`
GitBook: [master] 449 pages modified 2021-04-24 11:40:49 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`Another important details about enumeration and Kubernetes permissions abuse is the Kubernetes Role-Based Access Control (RBAC). If you want to abuse permissions, you first should read about it here:`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`{% content-ref url="kubernetes-role-based-access-control-rbac.md" %}`
			`[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)`
			`{% endcontent-ref %}`
GitBook: [master] 451 pages modified 2021-04-27 09:44:49 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`#### Knowing about RBAC and having enumerated the environment you can now try to abuse the permissions with:`
GitBook: [master] 451 pages modified 2021-04-27 09:44:49 +00:00
GitBook: [#2907] No subject 2021-12-22 15:22:43 +00:00			`{% content-ref url="hardening-roles-clusterroles.md" %}`
			`[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)`
			`{% endcontent-ref %}`
GitBook: [master] 451 pages modified 2021-04-27 09:44:49 +00:00
GitBook: [#2911] No subject 2021-12-23 12:20:46 +00:00			`## Labs to practice and learn`

			`* [https://securekubernetes.com/](https://securekubernetes.com)`
			`* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)`
GitBook: [#2924] No subject 2021-12-29 01:10:37 +00:00
			`## Hardening Kubernetes`

			`The tool [kube-bench](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).\`
			`You can choose to:`

			`* run kube-bench from inside a container (sharing PID namespace with the host)`
			`* run a container that installs kube-bench on the host, and then run kube-bench directly on the host`
			`* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),`
			`* compile it from source.`