Figure 6: Utilizing the host device for gaining access to the host (Node) from the container

- I had access to 60+ GB of storage per session.
- Access to every container on the node: DNS, frontend and backend containers.
- I had access to critical files of Google's shell mechanism: authorization, credentials and tokens, images and the container registry.
- Access to different shell sessions on the same account; some of the sessions are shared with others.
- I had access to the instance information on Google Cloud: details about the instance and about the deployment of all the containers on the node.
- Access to /var/lib/kubelet/pods: this directory contains the configuration and data for the containers running on the node. Each subdirectory represents a pod, and within each pod directory there are subdirectories for each container in the pod.
- Access to /var/log/containers: this directory contains the log files for the containers running on the node. The log files are named after the container's ID and can be useful for troubleshooting issues with containers.

Once I looked at the host's partition files, I identified files that contained information about authentication and environment, including "Environment.json". The "Environment.json" file, which provides details about the instance and authentication, is used to configure the environment.

Figure 10: accessing the environment pods and container config.

Hack 2 - Gaining execution on the host and getting root on the node

I exploited "cap_sys_admin" to get execution on the host. To trigger this attack I needed a cgroup where I could create a release_agent file and trigger release_agent invocation by killing all processes in the cgroup, so I mounted a cgroup controller and created a child cgroup. To do that, I created a "/tmp/cgrp" directory, mounted the RDMA cgroup controller and created a child cgroup. Next, I enabled cgroup notifications on release of the "x" cgroup by writing a 1 to its notify_on_release file. I also set the RDMA cgroup release agent to execute a "/cmd" script, which I would create later in the container, by writing the host path of the /cmd script to the release_agent file. I got the container's path on the host from the "/etc/mtab" file. The files I add or modify in the container are present on the host, and it is possible to modify them from both worlds: their path in the container and their path on the host.

Now I created the "/cmd" script such that it executes the "ps aux" command and saves its output into "/output" on the container, by specifying the full path of the output file on the host. Then I executed the attack by spawning a process that immediately ends inside the "x" child cgroup.

Figure 14: Able to execute regular "kubectl" commands on the node

I sent the article to the Google issue tracker: issue 192165360.

What can you use this issue for? You can have free machines with high memory and storage. Gmail and Drive are limited to 15 GB of storage; with this you can have 60+ GB of storage.

Kubectl

Unfortunately, after sending my vulnerability, the execution was fixed! I accessed "kubelet.key" and "kubelet.crt" on the node.

The kubelet.key file is used by the Kubernetes kubelet component for secure communication with the Kubernetes API server. The kubelet is an essential component of a Kubernetes cluster that runs on each node and is responsible for managing and maintaining the containers running on that node. When the kubelet starts up, it generates a certificate signing request (CSR) and sends it to the API server. The API server then signs the CSR with the cluster's CA (Certificate Authority) to generate a certificate that the kubelet uses to authenticate itself with the API server. The kubelet.key file contains the private key corresponding to the kubelet's certificate, which is used to establish a secure connection between the kubelet and the API server. This ensures that all communication between the kubelet and the API server is encrypted and cannot be intercepted or tampered with by unauthorized parties.

In summary, the kubelet.key file is an essential component of a Kubernetes cluster's security infrastructure, allowing the kubelet to securely communicate with the API server.
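As an added defensive check, not code from the original post: a small Python audit that tests a running container for the preconditions of the Hack 2 cgroup v1 release_agent escape, namely CAP_SYS_ADMIN in the effective capability set (which is what let the author mount their own cgroup v1 hierarchy) and any cgroup v1 controller already mounted read-write. The /proc/self/status and /proc/mounts samples are constructed; the risk labels are this example's own convention.

```python
import re

CAP_SYS_ADMIN = 21  # capability bit index, from linux/capability.h


def effective_caps(status_text: str) -> int:
    """Parse the CapEff line of /proc/<pid>/status into a bitmask."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap_sys_admin(status_text: str) -> bool:
    return bool((effective_caps(status_text) >> CAP_SYS_ADMIN) & 1)


def writable_cgroup_v1_mounts(mounts_text: str) -> list:
    """Mountpoints of cgroup v1 (fstype 'cgroup', not 'cgroup2') mounted rw."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, options = fields[:4]
        if fstype == "cgroup" and "rw" in options.split(","):
            hits.append(mountpoint)
    return hits


def audit(status_text: str, mounts_text: str) -> dict:
    """high: CAP_SYS_ADMIN lets the process mount a cgroup v1 hierarchy itself.
    medium: a v1 hierarchy is already rw (release_agent reachable if the mount
    exposes the root cgroup). Mitigation: drop CAP_SYS_ADMIN, run cgroup v2."""
    cap = has_cap_sys_admin(status_text)
    rw_v1 = writable_cgroup_v1_mounts(mounts_text)
    risk = "high" if cap else ("medium" if rw_v1 else "low")
    return {"cap_sys_admin": cap, "rw_cgroup_v1": rw_v1, "risk": risk}


# Constructed samples: default Docker capability set vs. a full bounding set.
SAMPLE_STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\n"
SAMPLE_STATUS_ADMIN = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
SAMPLE_MOUNTS = (
    "overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/ABC 0 0\n"
    "cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n"
)

if __name__ == "__main__":
    # Run inside the container to audit the live process and mount table.
    with open("/proc/self/status") as f, open("/proc/mounts") as g:
        print(audit(f.read(), g.read()))
```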