search

Unauthorized Access to Kubernetes API Server

hashtag
Vulnerability Description

When Kubernetes service is normally started, two ports will be opened: Localhost Port (default 8080), Secure Port (default 6443). Both of these ports provide API Server services, one can be directly accessed through the web, and the other can be called through the kubectl client. If the operation and maintenance personnel do not have reasonable configuration validation and permissions, then the attacker can obtain the rights to the container through these two interfaces.

hashtag
Environment Setup

ubuntu 18.04

Download

wget https://github.com/kubernetes/minikube/releases/download/v1.18.1/minikube-linux-amd64
mv minikube-linux-amd64 minikube
chmod 777 minikube

wget "https://storage.googleapis.com/kubernetes-release/release/v1.18.3/bin/linux/amd64/kubectl" -O "/usr/local/bin/kubectl"
chmod 755 /usr/local/bin/kubectl

Start K8S

sudo sysctl -w net/netfilter/nf_conntrack_max=131072
./minikube start --kubernetes-version=v1.18.3 --force --driver=docker  --extra-config=apiserver.anonymous-auth=true

Start dashboard

root@l-virtual-machine:/opt# ./minikube dashboard
* Enabling dashboard ...
  - Using image kubernetesui/dashboard:v2.1.0
  - Using image kubernetesui/metrics-scraper:v1.0.4
* Verifying dashboard health ...
* Launching proxy ...
* Verifying proxy health ...
http://127.0.0.1:35293/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/

Map K8S API out

image-20220810100111629

hashtag
Vulnerability Detection

Dashboard

image-20220810100236730

hashtag
Vulnerability Fix

  • Authorize and authenticate;

  • Use Service Account tokens;

  • Set firewall policies to limit IP access to the service.

PreviousSpringBoot Actuator Unauthorized Access VulnerabilityNextUnauthorized Access Vulnerability in Clickhouse

Last updated