Kubernetes Kyverno bypass

The original author of this page is Guillaume

Abusing policies misconfiguration

Enumerate rules

Having an overview may help to know which rules are active, on which mode and who can bypass it

$ kubectl get clusterpolicies
$ kubectl get policies

Enumerate Excluded

For each ClusterPolicy and Policy, you can specify a list of excluded entities, including:

  • Groups: excludedGroups

  • Users: excludedUsers

  • Service Accounts (SA): excludedServiceAccounts

  • Roles: excludedRoles

  • Cluster Roles: excludedClusterRoles

These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them.

Example

Let's dig into one clusterpolicy example :

$ kubectl get clusterpolicies MYPOLICY -o yaml

Look for the excluded entities :

exclude:
      any:
      - clusterRoles:
        - cluster-admin
      - subjects:
        - kind: User
          name: system:serviceaccount:DUMMYNAMESPACE:admin
        - kind: User
          name: system:serviceaccount:TEST:thisisatest
        - kind: User
          name: system:serviceaccount:AHAH:*
          

Within a cluster, numerous added components, operators, and applications may necessitate exclusion from a cluster policy. However, this can be exploited by targeting privileged entities. In some cases, it may appear that a namespace does not exist or that you lack permission to impersonate a user, which can be a sign of misconfiguration.

Abusing ValidatingWebhookConfiguration

Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource :

Kubernetes ValidatingWebhookConfiguration

Last updated