From a11c23be81c701a8b5ca86f117ddb04c1bfdbb8f Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 29 Mar 2021 16:19:04 +0000 Subject: [PATCH] GitBook: [master] 2 pages modified --- SUMMARY.md | 1 + pentesting/pentesting-kubernetes.md | 45 +++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 pentesting/pentesting-kubernetes.md diff --git a/SUMMARY.md b/SUMMARY.md index f099bb651..4fdddea89 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -169,6 +169,7 @@ * [Print Job Retention](pentesting/pentesting-printers/print-job-retention.md) * [Scanner and Fax](pentesting/pentesting-printers/scanner-and-fax.md) * [Pentesting SAP](pentesting/pentesting-sap.md) +* [Pentesting Kubernetes](pentesting/pentesting-kubernetes.md) * [7/tcp/udp - Pentesting Echo](pentesting/7-tcp-udp-pentesting-echo.md) * [21 - Pentesting FTP](pentesting/pentesting-ftp/README.md) * [FTP Bounce attack - Scan](pentesting/pentesting-ftp/ftp-bounce-attack.md) diff --git a/pentesting/pentesting-kubernetes.md b/pentesting/pentesting-kubernetes.md new file mode 100644 index 000000000..e9fa7b34c --- /dev/null +++ b/pentesting/pentesting-kubernetes.md 
@@ -0,0 +1,45 @@ +# Pentesting Kubernetes + +## Kubernetes Security Tips + +### PART 1 - ARCHITECTURE + +#### What does Kubernetes do? + +* Allows to run container/s in a container engine. +* Schedule allows containers mission efficient. +* Keep containers alive. +* Allows container communications. +* Allows deployment techniques. +* Handle volumes of information. + +#### Architecture: + +![https://i.postimg.cc/YS786tRP/Screenshot-68.jpg](https://i.postimg.cc/YS786tRP/Screenshot-68.jpg) + +* Node: operating system with pod or pods. – Pod: Wrapper around a container or multiple containers and it contains an app. – Kubelet: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods \(through api server\).The kubelet doesn’t manage containers which were not created by Kubernetes. – Kube-proxy: is the service in charge of the communications \(services\) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors. – Sidecar container: Sidecar containers are the containers that should run along with the main container in the pod. This sidecar pattern extends and enhances the functionality of current containers without changing it. Nowadays, We know that we use container technology to wrap all the dependencies for the application to run anywhere. A container does only one thing and does that thing very well. +* Kubectl: Kubernetes’s CLI, allows you to manage and deploy containers. You can inspect the cluster’s resources. Communications with API server +* Scheduler: Scheduling refers to making sure that Pods are matched to Nodes so that Kubelet can run them Watches for newly Pods that have no Node assigned. This component assign pods with nodes +* etcd: Data storage, persistent, consistent and distributed. Is Kubernetes’s database and the key value storage where it keeps the complete state of the clusters. 
+* Kube Controller manager: check several resources, for example the replica sets or the deployments in order to check if for example we have the correct number of pods or nodes running. It controls replication, tokens and account services to the API. +* Cloud controller manager: Is the specific controller for flow controls and applications, i.e: if you have clusters in aws or openstack. + +#### How pods communicate with each other. + +\[![https://i.postimg.cc/13wJV8G6/Screenshot-67.jpg](https://i.postimg.cc/13wJV8G6/Screenshot-67.jpg) + +#### PKI infrastructure - Certificate Authority CA: + +\[![https://i.postimg.cc/rp9jg7Yw/Screenshot-66.jpg](https://i.postimg.cc/rp9jg7Yw/Screenshot-66.jpg) + +* CA is the trusted root for all certificates inside the cluster +* Allows components to validate to each other. +* All cluster certificates are signed by the CA +* ETCd has its own certificate. +* types: –apiserver cert –kubelet cert –scheduler cert + +### \(COMING SOON\) + +PART 2 - VULNERABILITIES +PART 3 - HARDENING +
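Review bot: the kubelet and kube-proxy descriptions in the new pentesting-kubernetes.md hunk are wrong and would mislead a reader mapping out the attack surface. The kubelet talks to the kube-apiserver, not to kubectl; kubectl is a client of the API server only. Suggest "The kubelet registers the node with the API server, receives the pods scheduled to it and runs them through the container runtime; it does not manage containers it did not create." Kube-proxy does not carry "communications between the apiserver and the node"; it implements Service virtual IPs on every node by programming iptables (or IPVS) rules, and some CNI plugins replace it entirely. The controller-manager line "It controls replication, tokens and account services to the API" and the cloud-controller-manager line "specific controller for flow controls and applications" are garbled: the former runs the core control loops (replication/replica set, node, endpoints, service-account and token controllers), the latter runs the cloud-provider-specific loops (node, route, load-balancer service) for clusters on AWS, OpenStack and similar. The scheduler bullet should read "Watches for newly created Pods that have no Node assigned and binds them to a Node so the kubelet can run them." The PKI list stops at apiserver, kubelet and scheduler certificates; for a pentesting page the controller-manager, kube-proxy and front-proxy client certs, the etcd server/peer certs and the service-account signing key pair matter at least as much, since stealing any of them yields authenticated API access. Also the two later image lines start with a stray "\[" (`\[![https://i.postimg.cc/13wJV8G6/...`), the remnant of an unclosed outer link, so GitBook will render a literal "[" before each figure; drop the prefix or restore the closing `](url)`.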