Kubelet Authentication & Authorization
By default, requests to the kubelet's HTTPS endpoint that are not rejected by any other configured authentication method are treated as anonymous requests and are given the username system:anonymous and the group system:unauthenticated.
The 3 authentication methods are:

- Anonymous (default): enabled with the flag --anonymous-auth=true or in the config file:
- Webhook: this makes the kubelet accept API server bearer tokens for authentication (any token that the API server considers valid is accepted). Enable it by:
  - ensuring the authentication.k8s.io/v1beta1 API group is enabled in the API server
  - starting the kubelet with the --authentication-token-webhook and --kubeconfig flags, or with the following config:
  The kubelet then calls the TokenReview API on the configured API server to resolve user information from bearer tokens.
- X509 client certificates: allows authentication via X509 client certificates
  - see the apiserver authentication documentation for more details
  - start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates. Or in the config file:
Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is AlwaysAllow, which allows all requests.
However, the other possible value is webhook (which is what you will find most often in practice). This mode checks the permissions of the authenticated user to allow or deny the action.
Note that even if anonymous authentication is enabled, the anonymous user may not have permission to perform any action.
Webhook authorization can be configured with the flag --authorization-mode=Webhook or in the config file with:
The kubelet calls the SubjectAccessReview API on the configured API server to determine whether each request is authorized.
The kubelet authorizes API requests using the same request attributes approach as the apiserver:

| HTTP verb | Request verb (action) |
|---|---|
| POST | create |
| GET, HEAD | get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources) |
| PUT | update |
| PATCH | patch |
| DELETE | delete (for individual resources), deletecollection (for collections) |
The resource for requests to the kubelet API is always nodes, and the subresource is determined from the incoming request's path:

| Kubelet API path | Resource | Subresource |
|---|---|---|
| /stats/* | nodes | stats |
| /metrics/* | nodes | metrics |
| /logs/* | nodes | log |
| /spec/* | nodes | spec |
| all others | nodes | proxy |
For example, the following request tried to access the kubelet's pod information without permission:
We got Forbidden, so the request passed the authentication check. Otherwise we would have received an Unauthorized message.
We can see the username (in this case taken from the token).
Note how the resource was nodes and the subresource was proxy (which is consistent with the tables above).
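The following added example (not kubelet source code and not from the original page) models how the kubelet turns an incoming request into the attributes it submits in a SubjectAccessReview, using the path and verb tables above. It maps GET/HEAD to the individual-resource verb get, applies the anonymous identity when no authenticator claimed the request, and the node name, usernames and request samples are constructed for illustration.

```python
# Added illustration: the kubelet's request -> SubjectAccessReview mapping.
# Prefix/verb tables follow this page; sample identities and node name are
# constructed. GET/HEAD are mapped to "get" (the individual-resource case).
from urllib.parse import urlsplit

VERB_BY_METHOD = {"POST": "create", "GET": "get", "HEAD": "get",
                  "PUT": "update", "PATCH": "patch", "DELETE": "delete"}
SUBRESOURCE_BY_PREFIX = [("/stats/", "stats"), ("/metrics/", "metrics"),
                         ("/logs/", "log"), ("/spec/", "spec")]


def subresource_for_path(path: str) -> str:
    """Every kubelet endpoint is a subresource of the node; anything outside
    the four named prefixes falls into the broad 'proxy' subresource."""
    path = urlsplit(path).path          # ignore any query string
    for prefix, sub in SUBRESOURCE_BY_PREFIX:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return sub
    return "proxy"


def request_attributes(method, path, node_name, user=None, groups=None):
    """Build the SubjectAccessReview the kubelet would send to the API server.
    A request no authenticator claimed is reviewed as system:anonymous."""
    if user is None:
        user, groups = "system:anonymous", ["system:unauthenticated"]
    method = method.upper()
    if method not in VERB_BY_METHOD:
        raise ValueError(f"unsupported HTTP method: {method}")
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": list(groups or []),
            "resourceAttributes": {
                "verb": VERB_BY_METHOD[method],
                "resource": "nodes",          # always nodes for the kubelet
                "subresource": subresource_for_path(path),
                "name": node_name,            # constructed node name
            },
        },
    }


if __name__ == "__main__":
    # Unauthenticated GET /pods: reviewed as system:anonymous on nodes/proxy,
    # which is why a deny shows up as Forbidden rather than Unauthorized.
    print(request_attributes("GET", "/pods", "worker-1"))
```

Feeding the resulting spec to the API server (or to kubectl auth can-i with the same verb/resource/subresource) shows which RBAC rule a kubelet request would need.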