Kubernetes Kyverno bypass
The original author of this page is Guillaume
Abusing policies misconfiguration
Enumerate rules
Having an overview may help to know which rules are active, on which mode and who can bypass it
Enumerate Excluded
For each ClusterPolicy and Policy, you can specify a list of excluded entities, including:
Groups:
excludedGroups
Users:
excludedUsers
Service Accounts (SA):
excludedServiceAccounts
Roles:
excludedRoles
Cluster Roles:
excludedClusterRoles
These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them.
Example
Let's dig into one clusterpolicy example :
Look for the excluded entities :
Within a cluster, numerous added components, operators, and applications may necessitate exclusion from a cluster policy. However, this can be exploited by targeting privileged entities. In some cases, it may appear that a namespace does not exist or that you lack permission to impersonate a user, which can be a sign of misconfiguration.
Abusing ValidatingWebhookConfiguration
Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource :
Last updated