Exposing Services in Kubernetes

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Kuna njia tofauti za kufichua huduma katika Kubernetes ili nukta za ndani na nukta za nje ziweze kuzifikia. Mipangilio hii ya Kubernetes ni muhimu sana kwani msimamizi anaweza kutoa ufikiaji kwa washambuliaji kwa huduma ambazo hawapaswi kuwa na uwezo wa kuzifikia.

Automatic Enumeration

Kabla ya kuanza kuorodhesha njia ambazo K8s inatoa za kufichua huduma kwa umma, fahamu kwamba ikiwa unaweza kuorodhesha majina ya maeneo, huduma na ingresses, unaweza kupata kila kitu kilichofichuliwa kwa umma kwa:

kubectl get namespace -o custom-columns='NAME:.metadata.name' | grep -v NAME | while IFS='' read -r ns; do
echo "Namespace: $ns"
kubectl get service -n "$ns"
kubectl get ingress -n "$ns"
echo "=============================================="
echo ""
echo ""
done | grep -v "ClusterIP"
# Remove the last '| grep -v "ClusterIP"' to see also type ClusterIP

ClusterIP

A ClusterIP service is the default Kubernetes service. It gives you a service inside your cluster that other apps inside your cluster can access. There is no external access.

Hata hivyo, hii inaweza kufikiwa kwa kutumia Kubernetes Proxy:

kubectl proxy --port=8080

Sasa, unaweza kuzunguka kupitia API ya Kubernetes ili kufikia huduma kwa kutumia mpango huu:

http://localhost:8080/api/v1/proxy/namespaces/<NAMESPACE>/services/<SERVICE-NAME>:<PORT-NAME>/

Kwa mfano unaweza kutumia URL ifuatayo:

http://localhost:8080/api/v1/proxy/namespaces/default/services/my-internal-service:http/

kufikia huduma hii:

apiVersion: v1
kind: Service
metadata:
name: my-internal-service
spec:
selector:
app: my-app
type: ClusterIP
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP

Hii mbinu inahitaji uendeshe kubectl kama mtumiaji aliyeidhinishwa.

Orodhesha ClusterIPs zote:

kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,PORT(S):.spec.ports[*].port,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep ClusterIP

NodePort

Wakati NodePort inatumika, bandari maalum inapatikana kwenye Nodes zote (zinazoakilisha Mashine za Kijamii). Mwelekeo unaoelekezwa kwenye bandari hii maalum kisha unachukuliwa kwa mfumo wa kupelekwa kwa huduma. Kawaida, njia hii haitashauriwa kutokana na hasara zake.

Orodhesha NodePorts zote:

kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,PORT(S):.spec.ports[*].port,NODEPORT(S):.spec.ports[*].nodePort,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep NodePort

Mfano wa spesifikasiyo ya NodePort:

apiVersion: v1
kind: Service
metadata:
name: my-nodeport-service
spec:
selector:
app: my-app
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
nodePort: 30036
protocol: TCP

Ikiwa hujabainisha nodePort katika yaml (ni bandari ambayo itafunguliwa) bandari katika kikundi 30000–32767 itatumika.

LoadBalancer

Inafichua Huduma nje kwa kutumia balancer ya mzigo wa mtoa huduma wa wingu. Kwenye GKE, hii itazindua Network Load Balancer ambayo itakupa anwani moja ya IP ambayo itapeleka trafiki yote kwa huduma yako. Katika AWS itazindua Load Balancer.

Lazima ulipie LoadBalancer kwa kila huduma iliyofichuliwa, ambayo inaweza kuwa ghali.

Orodhesha LoadBalancers zote:

kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,EXTERNAL-IP:.status.loadBalancer.ingress[*],PORT(S):.spec.ports[*].port,NODEPORT(S):.spec.ports[*].nodePort,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep LoadBalancer

External IPs

IP za nje zinakabiliwa na huduma za aina ya Load Balancers na kwa ujumla hutumiwa wakati Load Balancer wa Mtoa Huduma wa Nje anatumika.

Ili kuzipata, angalia kwa load balancers zenye thamani katika uwanja wa EXTERNAL-IP.

Mwanzo wa trafiki unaingia kwenye klasta kwa IP ya nje (kama IP ya marudio), kwenye bandari ya Huduma, itakuwa imeelekezwa kwa moja ya maeneo ya Huduma. externalIPs hazisimamiwi na Kubernetes na ni jukumu la msimamizi wa klasta.

Katika spesifikasiyo ya Huduma, externalIPs zinaweza kuainishwa pamoja na aina yoyote ya ServiceTypes. Katika mfano hapa chini, "my-service" inaweza kufikiwa na wateja kwenye "80.11.12.10:80" (externalIP:port)

apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376
externalIPs:
- 80.11.12.10

ExternalName

Kutoka kwenye hati: Huduma za aina ya ExternalName zinachora Huduma kwa jina la DNS, si kwa mteule wa kawaida kama my-service au cassandra. Unabainisha hizi Huduma kwa kutumia parameter ya spec.externalName.

Mwelekeo huu wa Huduma, kwa mfano, unachora Huduma ya my-service katika nafasi ya prod kwa my.database.example.com:

apiVersion: v1
kind: Service
metadata:
name: my-service
namespace: prod
spec:
type: ExternalName
externalName: my.database.example.com

Wakati wa kutafuta mwenyeji my-service.prod.svc.cluster.local, Huduma ya DNS ya klasta inarudisha rekodi ya CNAME yenye thamani my.database.example.com. Kufikia my-service kunafanya kazi kwa njia ile ile kama Huduma nyingine lakini kwa tofauti muhimu kwamba mwelekeo unafanyika katika kiwango cha DNS badala ya kupitia upitishaji au kupeleka.

Orodhesha majina yote ya Nje:

kubectl get services --all-namespaces | grep ExternalName

Ingress

Kinyume na mifano yote hapo juu, Ingress SIO aina ya huduma. Badala yake, inakaa mbele ya huduma nyingi na inafanya kazi kama "router mwenye akili" au kiingilio katika klasta yako.

Unaweza kufanya mambo mengi tofauti na Ingress, na kuna aina nyingi za Ingress controllers ambazo zina uwezo tofauti.

Msimamizi wa ingrees wa GKE wa kawaida utaanzisha HTTP(S) Load Balancer kwa ajili yako. Hii itakuruhusu kufanya upitishaji wa msingi wa njia na wa subdomain kwa huduma za nyuma. Kwa mfano, unaweza kutuma kila kitu kwenye foo.yourdomain.com kwa huduma ya foo, na kila kitu chini ya njia ya yourdomain.com/bar/ kwa huduma ya bar.

YAML ya kitu cha Ingress kwenye GKE na L7 HTTP Load Balancer inaweza kuonekana kama hii:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-ingress
spec:
backend:
serviceName: other
servicePort: 8080
rules:
- host: foo.mydomain.com
http:
paths:
- backend:
serviceName: foo
servicePort: 8080
- host: mydomain.com
http:
paths:
- path: /bar/*
backend:
serviceName: bar
servicePort: 8080

Orodha ya ingresses zote:

kubectl get ingresses --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,RULES:spec.rules[*],STATUS:status'

Ingawa katika kesi hii ni bora kupata taarifa ya kila mmoja mmoja ili kuisoma vizuri:

kubectl get ingresses --all-namespaces -o=yaml

References

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousKubelet Authentication & Authorization NextAttacking Kubernetes from inside a Pod

Last updated 3 days ago

kubectl get namespace -o custom-columns='NAME:.metadata.name' | grep -v NAME | while IFS='' read -r ns; do echo "Namespace: $ns" kubectl get service -n "$ns" kubectl get ingress -n "$ns" echo "==============================================" echo "" echo "" done | grep -v "ClusterIP" # Remove the last '| grep -v "ClusterIP"' to see also type ClusterIP

kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,PORT(S):.spec.ports[*].port,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep ClusterIP

kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,PORT(S):.spec.ports[*].port,NODEPORT(S):.spec.ports[*].nodePort,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep NodePort

kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,EXTERNAL-IP:.status.loadBalancer.ingress[*],PORT(S):.spec.ports[*].port,NODEPORT(S):.spec.ports[*].nodePort,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep LoadBalancer

apiVersion: extensions/v1beta1 kind: Ingress metadata: name: my-ingress spec: backend: serviceName: other servicePort: 8080 rules: - host: foo.mydomain.com http: paths: - backend: serviceName: foo servicePort: 8080 - host: mydomain.com http: paths: - path: /bar/* backend: serviceName: bar servicePort: 8080