Kubernetes

Introduction

Kubernetes (often abbreviated as K8s) is an open-source container orchestration platform originally developed by Google and now maintained by the Cloud Native Computing Foundation (CNCF). It automates the deployment, scaling, management, and operation of containerized applications across clusters of machines.

Kubernetes clusters are now critical assets in most information systems because they represent:

  • Single Point of Failure: a Kubernetes cluster failure can impact the entire application portfolio

  • Attack Surface: Complex architecture creates multiple attack vectors

  • Privilege Escalation: Container escape can lead to cluster compromise

  • Data Exposure: Misconfigured secrets can expose sensitive information

  • Supply Chain: Vulnerable container images can compromise entire infrastructure

Scope

This guide focuses specifically on vulnerabilities and exploitation techniques specific to Kubernetes. We will not cover classic container escape methods such as:

  • Exploitation of misconfigured Linux capabilities

  • Use of exposed debug ports

  • Exploitation of dangerous bind mounts

  • Breakouts based on poorly isolated namespaces

Our focus is on the Kubernetes ecosystem: API Server, RBAC, Service Accounts, Secrets, and specific orchestration mechanisms.

Required Knowledge

  • Understanding of containers and their isolation

  • Good understanding of network concepts (DNS, load balancing, proxying)

  • Knowledge of Linux systems (processes, files, permissions)

  • Cryptography basics (TLS, certificates, JWT)


Essential Technical Terminology

Kubernetes Architecture

Cluster: Set of machines (nodes) that run containerized applications. A cluster includes at minimum a control plane and worker nodes.

Control Plane: Components that make global decisions about the cluster (scheduling, scaling, data storage). Includes:

  • API Server: Single entry point for all REST operations

  • etcd: Distributed key-value database storing cluster state

  • Controller Manager: Runs the controller loops that reconcile the cluster's actual state with its desired state

  • Scheduler: Assigns pods to nodes

Worker Nodes: Machines that run application workloads. Each node contains:

  • kubelet: Agent that communicates with the control plane

  • kube-proxy: Network proxy maintaining network rules

  • Container Runtime: Container execution engine (Docker, containerd, CRI-O)

Fundamental Kubernetes Objects

Pod: Smallest deployable unit in Kubernetes. Contains one or more containers sharing the same network and storage.

Namespace: Virtual partitioning mechanism of a cluster into isolated logical environments.

Service: Abstraction defining a logical set of pods and a network access policy.

Deployment: Declarative controller for managing ReplicaSets and pod updates.

ConfigMap: Object storing non-confidential configuration data in key-value format.

Secret: Object storing sensitive data (passwords, tokens, SSH keys) encoded (not encrypted) in base64.

Security and Access Control

RBAC (Role-Based Access Control): Authorization mechanism of the API Server that grants permissions through roles. Includes:

  • Role: Set of permissions within a namespace

  • ClusterRole: Set of permissions at cluster level

  • RoleBinding: Binds a Role (or a ClusterRole) to subjects (users, groups, service accounts) within a namespace

  • ClusterRoleBinding: Binds a ClusterRole to subjects (users, groups, service accounts) at cluster level
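The RBAC objects above are easiest to understand by auditing them. The following added example (written for this guide, not code from the Kubernetes project or from the tools listed later) takes a constructed JSON document in the shape `kubectl get clusterroles,roles -A -o json` returns and flags rules that grant high-risk rights: wildcard resources and verbs, reading Secrets, or the ability to create bindings (the classic way a limited identity widens its own permissions). The sample objects and the `RISKY` table are assumptions chosen for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json` (not from a real cluster).
SAMPLE_RBAC_JSON = r'''
{
  "items": [
    {
      "kind": "ClusterRole",
      "metadata": {"name": "cluster-admin-like"},
      "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
    },
    {
      "kind": "Role",
      "metadata": {"name": "secret-reader", "namespace": "payments"},
      "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]
    },
    {
      "kind": "Role",
      "metadata": {"name": "pod-logs", "namespace": "dev"},
      "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]
    },
    {
      "kind": "ClusterRole",
      "metadata": {"name": "escalator"},
      "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"], "verbs": ["create"]}]
    }
  ]
}
'''

# Resource/verb combinations worth a reviewer's attention (illustrative list, not exhaustive).
RISKY = [
    ("secrets", {"get", "list", "watch"}, "reads Secret contents"),
    ("pods/exec", {"create"}, "can execute commands inside pods"),
    ("pods", {"create"}, "can create pods (host mounts, privileged containers)"),
    ("clusterrolebindings", {"create", "update", "patch"}, "can grant cluster-wide rights"),
    ("rolebindings", {"create", "update", "patch"}, "can grant rights in a namespace"),
    ("clusterroles", {"bind", "escalate"}, "RBAC bind/escalate verbs"),
    ("roles", {"bind", "escalate"}, "RBAC bind/escalate verbs"),
]


def rule_matches(rule, resource, verbs):
    """True when a single RBAC rule covers `resource` with at least one of `verbs` (wildcards count)."""
    res = set(rule.get("resources", []))
    vrb = set(rule.get("verbs", []))
    res_hit = "*" in res or resource in res
    verb_hit = "*" in vrb or bool(vrb & verbs)
    return res_hit and verb_hit


def audit_rbac(raw_json):
    """Return (kind/namespace/name, reason) findings for every Role/ClusterRole in the JSON list."""
    findings = []
    for item in json.loads(raw_json)["items"]:
        meta = item["metadata"]
        ident = f'{item["kind"]}/{meta.get("namespace", "-")}/{meta["name"]}'
        for rule in item.get("rules", []):
            # A rule with "*" for both resources and verbs is equivalent to cluster-admin.
            if "*" in rule.get("resources", []) and "*" in rule.get("verbs", []):
                findings.append((ident, "wildcard resources and verbs (cluster-admin equivalent)"))
                continue
            for resource, verbs, reason in RISKY:
                if rule_matches(rule, resource, verbs):
                    findings.append((ident, f"{resource}: {reason}"))
    return findings


if __name__ == "__main__":
    for ident, reason in audit_rbac(SAMPLE_RBAC_JSON):
        print(f"{ident}: {reason}")
```

Against the constructed sample the `pod-logs` Role is reported clean, while the wildcard ClusterRole, the Secret reader and the binding creator are each flagged once. The checker only looks at resource names as written; a production audit also has to resolve which subjects are bound to each role, which is what kubectl-who-can does.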

Service Account: Identity used by pods to interact with the Kubernetes API. Each namespace has a default service account.

Security Context: Security configuration for a pod or container (user, group, capabilities, SELinux, etc.).

Pod Security Standards: Security policies defining restriction levels:

  • Privileged: Non-restrictive policy

  • Baseline: Minimally restrictive policy

  • Restricted: Highly restrictive policy
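To make the Security Context and Pod Security Standards entries concrete, the following added example (written for this guide, not code from the Kubernetes project) checks a pod manifest against a subset of the Restricted profile: no host namespaces, no privileged containers, `allowPrivilegeEscalation: false`, all capabilities dropped, `runAsNonRoot: true` and a RuntimeDefault or Localhost seccomp profile. The pod manifest is constructed for illustration and deliberately mixes a compliant container with a non-compliant sidecar; the exact set of checks is an assumption and does not cover every rule of the real profile.

```python
import json

# Constructed pod manifest in `kubectl get pod -o json` form (not from a real cluster).
SAMPLE_POD_JSON = r'''
{
  "kind": "Pod",
  "metadata": {"name": "web", "namespace": "demo"},
  "spec": {
    "hostNetwork": true,
    "securityContext": {"runAsNonRoot": true},
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]},
                           "seccompProfile": {"type": "RuntimeDefault"}}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"privileged": true}}
    ]
  }
}
'''


def check_restricted(pod):
    """Return a list of violations of a subset of the 'restricted' Pod Security Standard for one pod dict."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    violations = []

    # Host namespaces are forbidden even at the baseline level.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"pod: {field} is true")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: must drop ALL capabilities")
        # runAsNonRoot and seccompProfile may be set at pod level; a container-level value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
    return violations


def audit_pod_json(raw_json):
    """Parse a JSON pod manifest and run the restricted-profile checks."""
    return check_restricted(json.loads(raw_json))


if __name__ == "__main__":
    for v in audit_pod_json(SAMPLE_POD_JSON):
        print(v)
```

On the sample, the `app` container passes every check (it inherits `runAsNonRoot` from the pod-level security context), while the pod-level `hostNetwork` and the `sidecar` container produce five violations in total. In a real cluster the same rules are enforced for you by labelling the namespace with the Pod Security Admission `enforce` mode rather than by running a script.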

Network Policies: Rules defining how pods can communicate with each other and other network endpoints.

Networking and Communication

CNI (Container Network Interface): Standardized interface for configuring container network connectivity.

Ingress: Object managing inbound external access to services in a cluster.

Egress: Outbound network traffic that flows from a pod within a Kubernetes cluster to an external endpoint.

Service Mesh: Dedicated infrastructure for managing service-to-service communication (Istio, Linkerd).

Storage and Persistence

Persistent Volume (PV): Storage resource in the cluster provisioned by an administrator.

Persistent Volume Claim (PVC): Storage request by a user, bound to a PV.

Storage Class: Defines available storage types and their provisioning parameters.

Essential Tools

  • kubectl: Official Kubernetes CLI

  • kubectx/kubens: Context and namespace management

  • kube-bench: Security audit based on CIS Benchmarks

  • kube-hunter: Kubernetes vulnerability scanner

  • kubectl-who-can: RBAC permissions analysis


Resources

Kubernetes Official Documentation

The Kubernetes Networking Guide

Kubernetes Security Cheat Sheet

HackTricks
