mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-07 18:58:54 +00:00
# Pentesting Kubernetes

## Kubernetes Basics

If you don't know anything about Kubernetes this is a **good start**. Read it to learn about the **architecture, components and basic actions** in Kubernetes:

{% content-ref url="kubernetes-basics.md" %}
[kubernetes-basics.md](kubernetes-basics.md)
{% endcontent-ref %}

## Pentesting Kubernetes

### From the Outside

There are several possible **Kubernetes services that you could find exposed** on the Internet (or inside internal networks). If you find them, you know there is a Kubernetes environment there.

Depending on the configuration and your privileges, you might be able to abuse that environment. For more information:

{% content-ref url="pentesting-kubernetes-from-the-outside.md" %}
[pentesting-kubernetes-from-the-outside.md](pentesting-kubernetes-from-the-outside.md)
{% endcontent-ref %}

### Enumeration inside a Pod

If you manage to **compromise a Pod** read the following page to learn how to enumerate and try to **escalate privileges/escape**:

{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}
[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}

### Enumerating Kubernetes with Credentials

You might have managed to compromise **user credentials, a user token or some service account token**. You can use it to talk to the Kubernetes API service and try to **enumerate it to learn more** about it:

{% content-ref url="enumeration-from-a-pod.md" %}
[enumeration-from-a-pod.md](enumeration-from-a-pod.md)
{% endcontent-ref %}

Another important detail about enumeration and Kubernetes permission abuse is the **Kubernetes Role-Based Access Control (RBAC)**. If you want to abuse permissions, you should first read about it here:

{% content-ref url="kubernetes-role-based-access-control-rbac.md" %}
[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)
{% endcontent-ref %}

#### Knowing about RBAC and having enumerated the environment you can now try to abuse the permissions with:

{% content-ref url="hardening-roles-clusterroles.md" %}
[hardening-roles-clusterroles.md](hardening-roles-clusterroles.md)
{% endcontent-ref %}

## Labs to practice and learn

* [https://securekubernetes.com/](https://securekubernetes.com)
* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html)

## Hardening Kubernetes

[**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\
You can choose to:

* run kube-bench from inside a container (sharing PID namespace with the host)
* run a container that installs kube-bench on the host, and then run kube-bench directly on the host
* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases)
* compile it from source