0x210 - Quick Kubernetes Checklist

Last week I was thrown into pentesting an app that was using Kubernetes in the background.

While Kubernetes is by itself a monster of complexity and I didn't have 3 months just to study it, I thought:

What would be the most important things to look for even if one doesn't know Kubernetes at all?

With these questions in mind, I compiled a list of commands, tools and checks that can lead to great findings without having to spend hours studying Kubernetes beforehand.

Tools

kubectl + kubescape

  • Use kubectl to interact with the Kubernetes cluster and run checks and commands

  • Use kubescape to scan for misconfigurations

Authentication

To run commands on the Kubernetes cluster you'll likely need a way to authenticate. One such way is a kubeconfig.yaml file, which contains details about your user and key plus the cluster address, among other things:

kubectl --kubeconfig .\kubeconfig.yaml cluster-info
kubescape scan --kubeconfig .\kubeconfig.yaml 

Scanning

To run an extensive list of audit checks, you can use kubescape - it will come back with a lot of alerts and high-risk findings. It is a good start, but:

  • many of the findings are false positives -> they need to be checked manually

  • the severity is exaggerated -> read the link referenced in each finding to understand what it actually means

Things to look for

1. Secrets in Logs

First we get a list of all the pods in the cluster, then for each pod -> read its logs and parse them for secrets:

## Get all pods
kubectl --kubeconfig .\kubeconfig.yaml get pods -A

## Get logs of the pod (a multi-container pod needs -c <container> or --all-containers)
kubectl --kubeconfig .\kubeconfig.yaml logs -n <namespace> <pod>

2. Outdated Software & CVEs

Software and libraries are installed inside the pods (through their container images) and on the nodes. If this software is outdated -> we can look for CVEs and exploits to attack it:

## Get all nodes (shows kubelet, OS, kernel and container runtime versions)
kubectl --kubeconfig .\kubeconfig.yaml get nodes -o wide

## Get node details
kubectl --kubeconfig .\kubeconfig.yaml describe node <node>

## Get the container images used by a pod (image tags hint at the software version)
kubectl --kubeconfig .\kubeconfig.yaml get pod <pod> -n <namespace> -o jsonpath='{.spec.containers[*].image}'
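The commands above look at one node or one pod at a time. The script below is an added example, not part of the original checklist: it pulls every image running in the cluster (init containers included) with a single kubectl call and classifies each reference by how well its version can be pinned down, because a CVE lookup needs a concrete version and a `latest` or untagged image does not give you one. The kubeconfig path, the helper names and the sample inventory are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: inventory every container image in
# the cluster and flag references whose version cannot be matched to a CVE
# advisory because the tag is mutable or missing.
# The kubeconfig path and the sample inventory are assumptions.

KUBECONFIG_FILE="${KUBECONFIG_FILE:-./kubeconfig.yaml}"   # assumed path

# parse_image_ref REF: print "repo tag digest" ("-" when absent). A registry
# port (registry:5000/app) also contains ':', so the last ':' is only a tag
# separator when it comes after the last '/'.
parse_image_ref() {
  ref="$1"; digest="-"; tag="-"
  case "$ref" in
    *@*) digest="${ref#*@}"; ref="${ref%%@*}" ;;
  esac
  repo="$ref"
  last="${ref##*/}"                      # final path component, e.g. app:v2
  case "$last" in
    *:*) tag="${last##*:}"; repo="${ref%:*}" ;;
  esac
  printf '%s %s %s\n' "$repo" "$tag" "$digest"
}

# classify_image REF: DIGEST (immutable), TAGGED, LATEST or UNTAGGED.
# Only a digest pins the exact bits; a version tag is normally enough to look
# up advisories; LATEST/UNTAGGED give you no version to search for.
classify_image() {
  set -- $(parse_image_ref "$1")         # $1=repo $2=tag $3=digest
  if [ "$3" != "-" ]; then echo DIGEST
  elif [ "$2" = "-" ]; then echo UNTAGGED
  elif [ "$2" = "latest" ]; then echo LATEST
  else echo TAGGED
  fi
}

# image_inventory: one line per pod: "namespace pod image image ...",
# init containers first (they are easy to forget and often run older images).
image_inventory() {
  kubectl --kubeconfig "$KUBECONFIG_FILE" get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{range .spec.initContainers[*]}{.image}{" "}{end}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
}

# report_images: read inventory lines on stdin, print "CLASS image ns/pod",
# de-duplicated and sorted so LATEST/UNTAGGED entries group together.
report_images() {
  while read -r ns pod images; do
    for img in $images; do
      printf '%s %s %s/%s\n' "$(classify_image "$img")" "$img" "$ns" "$pod"
    done
  done | sort -u
}

# Constructed sample inventory (not real cluster output); the digest is fake.
SAMPLE_INVENTORY='default web-7d9f nginx:1.25.3 ghcr.io/acme/sidecar
default worker-1 registry.local:5000/team/app:latest
kube-system dns-abc registry.k8s.io/coredns/coredns@sha256:0123abcd'

# demo_report: classify the constructed sample (no cluster needed).
demo_report() { printf '%s\n' "$SAMPLE_INVENTORY" | report_images; }

# RUN_INVENTORY=1 ./images.sh runs against the real cluster, otherwise the demo.
if [ "${RUN_INVENTORY:-0}" = 1 ]; then image_inventory | report_images; else demo_report; fi
```

The `UNTAGGED` and `LATEST` rows are the ones to chase first: ask the team what actually got pulled (`kubectl get pod ... -o jsonpath='{.status.containerStatuses[*].imageID}'` gives the resolved digest) before searching for CVEs, otherwise you may be reporting on a version that is not what is running.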

3. Check our Permissions

If you got access to a kubeconfig file -> check what permissions it has. Several permissions are known to be "dangerous" and can be used to perform further attacks:

## Can your account create Pods?
kubectl --kubeconfig .\kubeconfig.yaml auth can-i create pods -A

## Can your account create cluster role bindings?
kubectl --kubeconfig .\kubeconfig.yaml auth can-i create clusterrolebindings

## Can your account impersonate other users?
kubectl --kubeconfig .\kubeconfig.yaml auth can-i impersonate users
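Asking `auth can-i` one verb at a time works, but `kubectl auth can-i --list` returns everything the identity may do in a namespace at once. The script below is an added example, not part of the original post: it parses that listing and flags the dangerous entries named above (creating pods, creating cluster role bindings, impersonating users) plus a wildcard grant and two common audit items, read access to Secrets and `pods/exec`. The rule list, the kubeconfig path and the sample listing are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the output of
# `kubectl auth can-i --list` for permissions worth a closer look.
# The rule list, kubeconfig path and sample listing are assumptions.

KUBECONFIG_FILE="${KUBECONFIG_FILE:-./kubeconfig.yaml}"   # assumed path

# audit_can_i_list: read `kubectl auth can-i --list` output on stdin and print
# "<resource><TAB>[verbs]<TAB><why>" for each entry that matches a rule.
audit_can_i_list() {
  awk '
    # has(verbs, v): true if v (or the wildcard *) is in the space-separated verb list
    function has(verbs, v,    n, i, a) {
      n = split(verbs, a, " ")
      for (i = 1; i <= n; i++) if (a[i] == v || a[i] == "*") return 1
      return 0
    }
    NR == 1 { next }                                      # column header row
    {
      verbs = $0; sub(/.*\[/, "", verbs); sub(/\].*/, "", verbs)   # trailing [..] group
      res = ($1 ~ /^\[/) ? "(non-resource-url)" : $1               # URL rows start with [
      short = res; sub(/\..*/, "", short)                          # drop the API group suffix
      why = ""
      if (res == "*.*")                                                why = "wildcard: full cluster access"
      else if (short == "pods" && has(verbs, "create"))               why = "can create pods"
      else if (short == "clusterrolebindings" && has(verbs, "create")) why = "can grant cluster-wide roles"
      else if ((short == "users" || short == "groups" || short == "serviceaccounts") && has(verbs, "impersonate")) why = "can impersonate other identities"
      else if (short == "secrets" && (has(verbs, "get") || has(verbs, "list"))) why = "can read Secret objects"
      else if (short == "pods/exec" && has(verbs, "create"))          why = "can exec into running pods"
      if (why != "") printf "%s\t[%s]\t%s\n", res, verbs, why
    }'
}

# audit_cluster: run the audit in every namespace, because RoleBindings are
# namespaced and the answer differs per namespace. Needs list on namespaces;
# if that is denied, loop over the namespaces you already know instead.
audit_cluster() {
  for ns in $(kubectl --kubeconfig "$KUBECONFIG_FILE" get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    echo "== namespace: $ns"
    kubectl --kubeconfig "$KUBECONFIG_FILE" auth can-i --list -n "$ns" | audit_can_i_list
  done
}

# Constructed sample of `kubectl auth can-i --list` output (not a real cluster).
SAMPLE_CAN_I_LIST='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods                                            []                  []               [get list create]
clusterrolebindings.rbac.authorization.k8s.io   []                  []               [create]
users                                           []                  []               [impersonate]
secrets                                         []                  []               [get]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]'

# demo_audit: run the rules over the constructed sample; expect four findings.
demo_audit() { printf '%s\n' "$SAMPLE_CAN_I_LIST" | audit_can_i_list; }

# RUN_AUDIT=1 ./perms.sh audits the real cluster, otherwise the demo runs.
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit_cluster; else demo_audit; fi
```

The `selfsubject*` rows every authenticated identity gets produce no finding, so the output stays short enough to paste straight into the report; treat each flagged line as a question for the cluster owner (why does this identity need it?) rather than as proof of a vulnerability.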

4. Hardcoded Secrets

A great place to look for secrets/passwords/keys is inside the Jobs and Deployments. For that, use kubescape to scan for this attack path, then confirm each result manually with kubectl:

## Find jobs where secrets are leaked
kubescape scan --kubeconfig .\kubeconfig.yaml control C-0012 -v

## For each kubescape result -> confirm manually
kubectl --kubeconfig .\kubeconfig.yaml get job <name> -n <namespace> -o yaml
kubectl --kubeconfig .\kubeconfig.yaml get deployment <name> -n <namespace> -o yaml
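Section 1 (secrets in logs) and this section come down to the same task: grep a pile of text for strings that look like credentials. The script below is an added example that is not from the original post: one scanner function is used by two sweeps, one over every pod's logs and one over Jobs, CronJobs and Deployments dumped as YAML. The regex list, the kubeconfig path and the sample log are assumptions; every hit is a candidate to confirm by hand with the kubectl commands above, exactly as the post says for kubescape's results.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a small secret-pattern scanner for
# pod logs (section 1) and Job/Deployment manifests (section 4).
# The kubeconfig path and the regex list are assumptions.

KUBECONFIG_FILE="${KUBECONFIG_FILE:-./kubeconfig.yaml}"   # assumed path

# One "label pattern" per line (grep -E syntax, matched case-insensitively).
# Deliberately broad: every hit still needs a manual look.
SECRET_PATTERNS='aws-access-key-id AKIA[0-9A-Z]{16}
private-key-block -----BEGIN [A-Z ]*PRIVATE KEY-----
jwt eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}
bearer-token bearer [A-Za-z0-9._~+/-]{20,}
credential-assignment (password|passwd|secret|api_?key|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{6,}'

# scan_for_secrets FILE: print "<label><TAB><lineno>:<line>" for every hit.
scan_for_secrets() {
  file="$1"
  printf '%s\n' "$SECRET_PATTERNS" | while read -r label pattern; do
    [ -n "$label" ] || continue
    grep -iEn -- "$pattern" "$file" | awk -v l="$label" '{ print l "\t" $0 }'
  done
}

# sweep_pod_logs: every pod in every namespace -> its logs -> the scanner.
sweep_pod_logs() {
  kubectl --kubeconfig "$KUBECONFIG_FILE" get pods -A \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' |
  while read -r ns pod; do
    tmp=$(mktemp)
    # --all-containers covers sidecars; a pod whose logs we may not read is skipped
    kubectl --kubeconfig "$KUBECONFIG_FILE" logs -n "$ns" "$pod" --all-containers=true >"$tmp" 2>/dev/null || true
    scan_for_secrets "$tmp" | awk -v p="$ns/$pod" '{ print p "\t" $0 }'
    rm -f "$tmp"
  done
}

# sweep_workload_manifests: dump Jobs, CronJobs and Deployments as YAML and scan
# them; the hit's line number locates the object to confirm with -o yaml.
sweep_workload_manifests() {
  for kind in jobs cronjobs deployments; do
    tmp=$(mktemp)
    kubectl --kubeconfig "$KUBECONFIG_FILE" get "$kind" -A -o yaml >"$tmp"
    scan_for_secrets "$tmp" | awk -v k="$kind" '{ print k "\t" $0 }'
    rm -f "$tmp"
  done
}

# Constructed sample log (not real output) so the scanner can be tried offline;
# the AKIA value is the AWS documentation example key, not a live credential.
SAMPLE_LOG='2024-01-01T10:00:00Z INFO starting api server on :8080
2024-01-01T10:00:01Z DEBUG connecting with password=Sup3rS3cret! to db
2024-01-01T10:00:02Z WARN retrying upstream
2024-01-01T10:00:03Z DEBUG using AWS key AKIAIOSFODNN7EXAMPLE for s3
2024-01-01T10:00:04Z INFO request ok'

# demo_scan: run the scanner over the constructed sample; expect two hits.
demo_scan() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" >"$tmp"
  scan_for_secrets "$tmp"
  rm -f "$tmp"
}

# MODE=logs or MODE=manifests runs against the cluster; default is the demo.
case "${MODE:-demo}" in
  demo) demo_scan ;;
  logs) sweep_pod_logs ;;
  manifests) sweep_workload_manifests ;;
esac
```

Expect noise from the `credential-assignment` rule (it fires on `secretName:` style keys only when a value follows `:` or `=`, but it will still catch harmless references); the point is to shrink thousands of log lines to a few dozen candidates, not to decide for you.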

5. Privileged Containers

Privileged containers can execute highly privileged commands on the host OS. If we find such a container and we can compromise it -> jackpot:

## Get all privileged containers
kubescape scan --kubeconfig .\kubeconfig.yaml control C-0057

Ignore containers related to the following technologies (they are required to run in privileged mode and are properly hardened):

  • Ceph

  • rook

  • calico

  • cilium

  • csi

  • gpu

  • sr-iov
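Rather than dropping the containers on that list from the output, it is safer to keep listing them and mark them as expected, because a name containing `csi` or `gpu` is a hint, not evidence that the container is hardened. The script below is an added example, not part of the original post: it lists every privileged container through kubectl and tags each one EXPECTED or REVIEW against the technologies above. The kubeconfig path, the tag names and the sample inventory are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: find privileged containers with
# kubectl and triage them against the technologies the post says legitimately
# need privileged mode. Kubeconfig path and sample data are assumptions.

KUBECONFIG_FILE="${KUBECONFIG_FILE:-./kubeconfig.yaml}"   # assumed path

# Technologies from the post's ignore list, matched case-insensitively against
# namespace, pod name, container name and image.
EXPECTED_PRIVILEGED='ceph|rook|calico|cilium|csi|gpu|sr-iov|sriov'

# privileged_inventory: one line per pod: "ns pod name|image|privileged ...".
# The privileged field is empty when securityContext.privileged is not set.
privileged_inventory() {
  kubectl --kubeconfig "$KUBECONFIG_FILE" get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{range .spec.containers[*]}{.name}{"|"}{.image}{"|"}{.securityContext.privileged}{" "}{end}{"\n"}{end}'
}

# triage_privileged: read inventory lines on stdin and print
# "EXPECTED|REVIEW ns/pod container=<name> image=<image>" for privileged ones.
triage_privileged() {
  while read -r ns pod containers; do
    for entry in $containers; do
      priv="${entry##*|}"
      [ "$priv" = "true" ] || continue
      rest="${entry%|*}"; cname="${rest%%|*}"; image="${rest#*|}"
      if printf '%s %s %s %s' "$ns" "$pod" "$cname" "$image" | grep -qiE "$EXPECTED_PRIVILEGED"; then
        tag=EXPECTED
      else
        tag=REVIEW
      fi
      printf '%s %s/%s container=%s image=%s\n' "$tag" "$ns" "$pod" "$cname" "$image"
    done
  done
}

# Constructed sample inventory (not real cluster output).
SAMPLE_PRIVILEGED='kube-system calico-node-x8k2p calico-node|docker.io/calico/node:v3.27.0|true
kube-system coredns-5d7 coredns|registry.k8s.io/coredns/coredns:v1.11.1|
default debug-shell shell|ubuntu:22.04|true
default web-7d9f web|nginx:1.25.3|false'

# demo_triage: triage the constructed sample; expect one EXPECTED and one REVIEW.
demo_triage() { printf '%s\n' "$SAMPLE_PRIVILEGED" | triage_privileged; }

# RUN_TRIAGE=1 ./privileged.sh runs against the real cluster, otherwise the demo.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then privileged_inventory | triage_privileged; else demo_triage; fi
```

REVIEW lines are the candidates for the kubescape C-0057 finding above; EXPECTED lines still belong in the appendix of the report, so the reviewer can see what the cluster runs privileged and why it was not raised.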

Resources