Kubernetes Security Review Cheat Sheet


A few commands that will assist during a Kubernetes security review. This is not a definitive list:

Kubectl context and configuration

kubectl config view                                  # Show Merged kubeconfig settings.
kubectl config get-contexts                          # display list of contexts
kubectl config current-context                       # display the current-context
kubectl config set-context --current --namespace=namespaceName # set namespace for future kubectl commands (save specifying each command)
kubectl config use-context my-cluster-name           # set the default context to my-cluster-name

Viewing, finding resources

# Get commands with basic output
kubectl version                               #Get client and server version
kubectl get services                          # List all services in the namespace
kubectl get pods --all-namespaces             # List all pods in all namespaces
kubectl get pods -o wide                      # List all pods in the current namespace, with more details
kubectl get nodes
kubectl get deployment my-dep                 # List a particular deployment
kubectl get pods                              # List all pods in the namespace
kubectl get pod my-pod -o yaml                # Get a pod's YAML
kubectl get secret                            # List secrets in the namespace (names and types; use -o yaml to see the base64-encoded data such as passwords, tokens or keys)
kubectl get ingress                           # Get ingress controller details
kubectl get endpoints                         # Get IP addresses of pods
kubectl get namespaces                        # Get namespaces
kubectl get events                            # List cluster events (scheduling, pulls, failures); not container logs, which are read with kubectl logs
kubectl get roles --all-namespaces
kubectl get roles -n <namespace>
kubectl get serviceaccounts --all-namespaces
kubectl get serviceaccounts -n <namespace>
kubectl get all                               # Get everything

# Describe commands with verbose output
kubectl describe nodes my-node
kubectl describe pods my-pod
kubectl get pods --show-labels                # Show labels for all pods
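The get/describe commands above hand back raw objects; during a review it helps to run the JSON through a small checker rather than reading every pod YAML by eye. The script below is an added example written for this cheat sheet (it is not part of the original page or of kubectl) and assumes it is fed the output of `kubectl get pods -A -o json`. It flags the settings a reviewer usually looks for first: host namespace sharing, privileged containers, missing `runAsNonRoot` / `allowPrivilegeEscalation: false`, dangerous added capabilities, hostPath volumes, and a mounted token for the default service account. The embedded SAMPLE is constructed so the script runs offline.

```python
"""Review pod specs for risky settings during a Kubernetes security review.

Added example, not part of the original cheat sheet or of kubectl. Feed it
`kubectl get pods -A -o json`; SAMPLE below is a constructed stand-in.
"""
import json
import sys

# Linux capabilities whose addition effectively hands the container the host.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def review_pod(pod):
    """Return a list of finding strings for one Pod object (empty if clean)."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    # Host namespace sharing lets a container see host processes/network/IPC.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true")
    # A mounted token for the default SA is a credential most workloads never need.
    if spec.get("serviceAccountName", "default") == "default" and spec.get(
        "automountServiceAccountToken", True
    ):
        findings.append(f"{name}: default service account token mounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}[{c.get('name', '?')}]"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not false")
        # The container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{cname}: runAsNonRoot not set")
        caps = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if caps:
            findings.append(f"{cname}: adds capabilities {sorted(caps)}")
    return findings


def review_pod_list(pod_list):
    """Review every item of a kubectl List object; returns all findings."""
    return [f for pod in pod_list.get("items", []) for f in review_pod(pod)]


# Constructed sample mimicking `kubectl get pods -A -o json`: one hardened
# pod and one "debug" pod that shows every check firing.
SAMPLE = {
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "web", "namespace": "prod"},
            "spec": {
                "serviceAccountName": "web-sa",
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True},
                "containers": [{
                    "name": "app",
                    "securityContext": {
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]},
                    },
                }],
            },
        },
        {
            "metadata": {"name": "debug", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                "containers": [{
                    "name": "shell",
                    "securityContext": {
                        "privileged": True,
                        "capabilities": {"add": ["SYS_ADMIN"]},
                    },
                }],
            },
        },
    ],
}

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 pod_review.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for line in review_pod_list(data):
        print(line)
```

The hardened pod produces no findings; the debug pod produces seven. Treat the output as a worklist, not a verdict: system pods in kube-system legitimately use hostNetwork or hostPath, so each hit needs a reason recorded in the review.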

Interacting with running Pods

kubectl port-forward my-pod 5000:6000               # Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl exec my-pod -- ls /                         # Run command in existing pod (1 container case)
kubectl exec --stdin --tty my-pod -- /bin/sh        # Interactive shell access to a running pod (1 container case)
kubectl exec -it my-pod -- bash                     # Interact with pod using bash - may require a namespace to be defined (-n namespaceName)
kubectl exec my-pod -c my-container -- ls /         # Run command in existing pod (multi-container case)

Copy files and directories to and from containers

kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir            # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the current namespace
kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container    # Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar       # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar       # Copy /tmp/foo from a remote pod to /tmp/bar locally

Interacting with Deployments and Services

kubectl port-forward svc/my-service 5000                  # listen on local port 5000 and forward to port 5000 on Service backend
kubectl port-forward svc/my-service 5000:my-service-port  # listen on local port 5000 and forward to Service target port with name <my-service-port>
kubectl port-forward deploy/my-deployment 5000:6000       # listen on local port 5000 and forward to port 6000 on a Pod created by <my-deployment>
kubectl exec deploy/my-deployment -- ls                   # run command in first Pod and first container in Deployment (single- or multi-container cases)

Exploring API resources

kubectl api-resources --namespaced=true      # All namespaced resources
kubectl api-resources --namespaced=false     # All non-namespaced resources
kubectl api-resources -o name                # All resources with simple output (only the resource name)
kubectl api-resources -o wide                # All resources with expanded (aka "wide") output
kubectl api-resources --verbs=list,get       # All resources that support the "list" and "get" request verbs
kubectl api-resources --api-group=extensions # All resources in the "extensions" API group
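`kubectl api-resources --verbs=list,get` tells you which verbs a resource supports; the RBAC side of a review is checking which of those verbs have actually been granted, and to whom, from the roles and service accounts listed with `kubectl get roles --all-namespaces`. The script below is an added example written for this cheat sheet (not part of the original page or of kubectl). It assumes two JSON documents, one from `kubectl get roles,clusterroles -A -o json` and one from `kubectl get rolebindings,clusterrolebindings -A -o json`, and reports roles with wildcard grants, escalation verbs (`escalate`, `bind`, `impersonate`) or sensitive resource access (secrets, pods/exec, pods/attach, nodes/proxy), together with the subjects bound to each. The ROLES and BINDINGS samples are constructed so it runs offline.

```python
"""Flag over-broad RBAC grants and who holds them.

Added example, not part of the original cheat sheet or of kubectl. Inputs are
`kubectl get roles,clusterroles -A -o json` and
`kubectl get rolebindings,clusterrolebindings -A -o json`;
ROLES and BINDINGS below are constructed stand-ins.
"""
import json
import sys

# Verbs that let a subject grow its own permissions.
ESCALATING_VERBS = {"escalate", "bind", "impersonate"}
# (resource, verb) pairs that expose credentials or give a foothold on workloads.
SENSITIVE = (
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("pods/exec", "create"), ("pods/attach", "create"), ("nodes/proxy", "get"),
)


def rule_findings(rule):
    """Describe what is risky about one PolicyRule; empty list if nothing is."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    if not resources:  # nonResourceURLs rule; not reviewed here
        return []
    if "*" in verbs and "*" in resources:
        return ["full wildcard (cluster-admin equivalent)"]
    out = []
    if "*" in verbs:
        out.append(f"all verbs on {sorted(resources)}")
    if "*" in resources:
        out.append(f"{sorted(verbs)} on all resources")
    if verbs & ESCALATING_VERBS:
        out.append(f"escalating verbs {sorted(verbs & ESCALATING_VERBS)}")
    for res, verb in SENSITIVE:
        if (res in resources or "*" in resources) and (verb in verbs or "*" in verbs):
            out.append(f"{verb} {res}")
    return out


def role_key(kind, namespace, name):
    """Roles are namespaced, ClusterRoles are not; key them accordingly."""
    return (kind, namespace if kind == "Role" else "", name)


def index_bindings(bindings):
    """Map each referenced role to the 'Kind:[ns/]name' subjects bound to it."""
    idx = {}
    for b in bindings.get("items", []):
        ref = b["roleRef"]
        key = role_key(ref["kind"], b["metadata"].get("namespace", ""), ref["name"])
        for s in b.get("subjects", []):
            ns = s.get("namespace")
            idx.setdefault(key, []).append(f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}")
    return idx


def review_rbac(roles, bindings):
    """Return one report entry per role that has findings, with its subjects."""
    idx = index_bindings(bindings)
    report = []
    for role in roles.get("items", []):
        meta = role["metadata"]
        findings = [f for rule in role.get("rules", []) for f in rule_findings(rule)]
        if findings:
            key = role_key(role["kind"], meta.get("namespace", ""), meta["name"])
            report.append({"role": f"{role['kind']}/{meta['name']}",
                           "findings": findings, "subjects": idx.get(key, [])})
    return report


# Constructed samples in the shape kubectl emits (kind on every item).
ROLES = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "debug", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]}
BINDINGS = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "web"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "web"}]},
]}

if __name__ == "__main__":
    # Usage: python3 rbac_review.py roles.json bindings.json (no args: samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as r, open(sys.argv[2]) as b:
            roles, bindings = json.load(r), json.load(b)
    else:
        roles, bindings = ROLES, BINDINGS
    for entry in review_rbac(roles, bindings):
        print(entry["role"], "->", ", ".join(entry["subjects"]) or "(unbound)")
        for f in entry["findings"]:
            print("   ", f)
```

The sample shows the three patterns worth separating in a report: a wildcard role bound to system:masters (expected, but confirm who is in that group), a secrets-reading ClusterRole bound to the default service account of a namespace (every pod there that mounts its token can read those secrets), and a risky Role with no binding at all, which is lower priority but still worth removing.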

Formatting Output

Security Guides

Kubernetes Pentest: Checklist, tools and resources – Medium

lobuhisec.medium.com

Kubernetes is a maze: deployments, pods, containers, namespaces, services… When you arrive at kube-world as a beginner (like me) nothing has sense. For a while, I’ve been thinking about to create a…

Pentesting Kubernetes Services – HackTricks

book.hacktricks.xyz

When the kubelet read-only port is exposed, the attacker can retrieve information from the API. This exposes cluster configuration elements, such as pods names, location of internal files and other configurations.This is not critical information, but…

Kubernetes Pentest Methodology Part 1 – CyberArk

www.cyberark.com

Sodin Ransomware. Critical Synopsis: Sodin is a new ransomware that spreads and operates using known vulnerabilities. CyberAr…

Kubernetes Pentest Methodology Part 2 – CyberArk

www.cyberark.com

Attacking the Cluster Remotely. In our previous blog post “Kubernetes Pentest Methodology Part 1”, we wrote about the risks that might be created by misconfiguring the Kubernetes RBAC.Also, we demonstrated the attack vectors that could lead to privil…

Kubernetes Pentest Methodology Part 3

www.cyberark.com

A Technical Deep Dive Into Insider Kubernetes Attack Vectors In part one and part two of our series on Kubernetes penetration test methodology we covered the security risks that can be created by…

Kubernetes Security – OWASP Cheat Sheet Series

cheatsheetseries.owasp.org

Kubernetes Security Cheat Sheet. Kubernetes is an open source container orchestration engine for automating deployment, scaling, and management of containerized applications.

Vinum-Security/kubernetes-security-checklist: Kubernetes Security Checklist and Requirements – All in One (authentication, authorization, logging, secrets, configuration, network, workloads, dockerfile) – GitHub

github.com

Kubernetes Security Checklist and Requirements – All in One (authentication, authorization, logging, secrets, configuration, network, workloads, dockerfile)

10 Kubernetes Security Context settings you should understand

snyk.io

Securely running workloads in Kubernetes can be difficult. Many different settings impact Kubernetes API security, requiring significant knowledge to implement correctly.One of the most powerful tools Kubernetes provides in this area are the security…

3 thoughts on “Kubernetes Security Review Cheat Sheet”

  1. It’s hard to find knowledgeable people on this topic, but you sound like you know what you’re talking about! Thanks

  2. I found your weblog website on google and check just a few of your early posts. Proceed to keep up the excellent operate. I simply additional up your RSS feed to my MSN News Reader. Searching for forward to reading more from you afterward!…
