Offensive Kubernetes: Pentesting from the Internet

Offensive Kubernetes: Pentesting from the Internet

Strategies and Techniques for Identifying and Mitigating External Threats to Your Kubernetes Cluster

Introduction:

Over the past few months, I have been reading, researching, and studying Kubernetes and Docker. These technologies are pivotal in modern DevOps practices, providing scalable and resilient environments for deploying applications. In this blog, I will guide you through the basics of Docker and Kubernetes, explain the key components of Kubernetes, and demonstrate how to pentest Kubernetes clusters from the internet.

What is Docker and Kubernetes?

Docker

Docker is an open-source platform that enables developers to automate the deployment of applications inside lightweight, portable containers. Containers package an application with all its dependencies, ensuring consistency across different environments.

Key Concepts

  • Image: A lightweight, standalone, and executable software package that includes everything needed to run a piece of software.

  • Container: A runtime instance of an image.

  • Dockerfile: A script containing a series of instructions on how to build a Docker image.

Kubernetes

Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate containerized applications' deployment, scaling, and management.

Key Concepts

  • Cluster: A set of nodes (machines) running containerized applications.

  • Node: A single machine in a Kubernetes cluster.

  • Pod: The smallest deployable unit in Kubernetes, which can contain one or more containers.

  • Service: An abstraction that defines a logical set of Pods and a policy by which to access them.

Kubernetes Components:

  • API Server: The front-end for the Kubernetes control plane. It handles RESTful requests and updates the state of the cluster.

  • etcd: A consistent and highly-available key-value store used for all cluster data.

  • Kubelet: An agent that runs on each node in the cluster, ensuring that containers are running in a Pod.

  • Container Runtime: The software responsible for running the containers, such as Docker.

  • Controller Manager: Manages various controllers that regulate the state of the cluster.

  • Scheduler: Assigns workloads to nodes based on resource availability.

Common Vulnerabilities and Misconfigurations:

  1. Open Ports

Open ports can expose critical components of Kubernetes to the internet, making them vulnerable to attacks. We can find these open ports using tools like Censys, Shodan, and FOFA.

  • etcd (2379, 2380)

  • Kubernetes API Server (443)

  • NodePort services (30000-32767)

  • Kubernetes Dashboard (8080, 8443)

  • Kubernetes Controller Manager (10252)

  • Kubernetes Scheduler (10251)

  1. Exposed Kubernetes API Server

An exposed API Server can be a significant vulnerability. Attackers can exploit various endpoints to gather information or control the cluster. You can the paths in your wordlist so you can automate it using dirsearch, gobuster, and similar tools that you use for directory brute force.

  • /api/v1 (Kubernetes API endpoint)

  • /api/v1/nodes (Node list)

  • /api/v1/namespaces (Namespace list)

  • /api/v1/pods (Pod list)

  • /api/v1/services (Service list)

  • /api/v1/deployments (Deployment list)

  • /api/v1/replicasets (ReplicaSet list)

  • /api/v1/replicationcontrollers (ReplicationController list)

  1. Kubernetes Dashboard

The Kubernetes Dashboard, if exposed, can provide a web-based user interface to manage the cluster.

  • /dashboard (Kubernetes Dashboard login page)

  • /dashboard/#/login (Kubernetes Dashboard login page)

  • /dashboard/#/overview (Kubernetes Dashboard overview page)

Below is the Prometheus Kubernetes monitoring page where you can check the health information and configuration of clusters.

  1. Other Endpoints

Other endpoints that should not be exposed include:

  • /metrics (Metrics endpoint)

  • /logs (Logs endpoint)

  • /healthz (Health check endpoint)

  • /readyz (Readiness check endpoint)

  • /livez (Liveness check endpoint)

  1. Kubelet Exploit

Steps:

  • Find node IPs.

  • Check for running pods using /runningpods or /api/v1/pods endpoints.

  • Gather pod name, namespace, and container info.

Executing Commands:

  • /run → Run command inside the container.

  • /exec → Run command inside the container using a stream.

  • /cri → Run command inside the container after a stream was opened by /exec.

Example:

curl -ks -X POST https://<node_ip>:10250/run/<namespace>/<pod>/<container> -d "cmd=ls /"
  1. Redis Exploit (Port 6379)

If the cluster has port 6379 open, it might be running Redis. Attackers can use redis-cli to connect and dump keys.

Example:

redis-cli -h <node_ip> -p 6379
#To check keys
keys *
#To dump keys
set "key_name"

Remediation Strategies:

  1. Restrict Access and Network Segmentation:

    • Use firewalls and network policies to restrict access to Kubernetes ports.

    • Isolate sensitive components in different network segments.

  2. Enable Strong Authentication and Authorization:

    • Implement RBAC (Role-Based Access Control) for strict access controls.

    • Use strong authentication mechanisms for the API Server and Kubernetes Dashboard.

  3. Disable Unnecessary Endpoints:

    • Turn off endpoints like /metrics, /logs, /healthz, /readyz, and /livez if not needed externally.

    • Require authentication for accessing critical endpoints.

  4. Secure Kubelet and Redis:

    • Restrict access to the Kubelet API and Redis instances using network policies.

    • Enable client certificate authentication for Kubelet and strong passwords for Redis.

Conclusion:

Pentesting Kubernetes from the internet involves identifying exposed components, exploiting misconfigurations, and understanding the underlying architecture. By following the outlined steps and examples, security researchers can uncover vulnerabilities and help secure Kubernetes environments.