# Unauthorized Access to Kubernetes API Server

## Vulnerability Description

When the Kubernetes API server starts, it normally listens on two ports: the localhost (insecure) port, default 8080, and the secure port, default 6443. Both serve the API Server: one can be accessed directly over HTTP from the web, the other is called through the kubectl client. If the operations and maintenance staff have not configured authentication and authorization properly, an attacker can gain control of the containers through either of these two interfaces.

## Environment Setup

> ubuntu 18.04

Download minikube and kubectl

```
wget https://github.com/kubernetes/minikube/releases/download/v1.18.1/minikube-linux-amd64
mv minikube-linux-amd64 minikube
chmod 777 minikube

wget "https://storage.googleapis.com/kubernetes-release/release/v1.18.3/bin/linux/amd64/kubectl" -O "/usr/local/bin/kubectl"
chmod 755 /usr/local/bin/kubectl

```

Start K8S

```
sudo sysctl -w net/netfilter/nf_conntrack_max=131072
./minikube start --kubernetes-version=v1.18.3 --force --driver=docker  --extra-config=apiserver.anonymous-auth=true
```

Start the dashboard

```
root@l-virtual-machine:/opt# ./minikube dashboard
* Enabling dashboard ...
  - Using image kubernetesui/dashboard:v2.1.0
  - Using image kubernetesui/metrics-scraper:v1.0.4
* Verifying dashboard health ...
* Launching proxy ...
* Verifying proxy health ...
http://127.0.0.1:35293/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/
```

Expose the K8S API to the network (the proxy listens on all interfaces and accepts any Host header)

```
root@l-virtual-machine:/opt# kubectl proxy  --port=8088 --address='0.0.0.0' --accept-hosts='^.*'
Starting to serve on [::]:8088
```

![image-20220810100111629](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-c3c076624116315b6249ee40095f3cdd70281aa8%2Fimage-20220810100111629.png?alt=media)

## Vulnerability Detection

Open the dashboard through the exposed proxy

```
http://192.168.32.141:8088/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/#/overview?namespace=default
```

![image-20220810100236730](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-69f9eeb770d22744586245e312e9d298d511d6b2%2Fimage-20220810100236730.png?alt=media)

## Vulnerability Fix

* Enable authentication and authorization on the API server;
* Use Service Account tokens;
* Set firewall policies that restrict which IPs can reach the service.
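As an added example (not part of the original page), the following POSIX shell script audits the two command lines that create the exposure shown above: the kube-apiserver flags (`--anonymous-auth`, `--insecure-port`, `--insecure-bind-address`, `--authorization-mode`, all real kube-apiserver flags) and the `kubectl proxy` flags (`--address`, `--accept-hosts`). The sample command lines at the bottom are constructed for the demonstration; the function names and the `audit_running_apiserver` helper are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit kube-apiserver and
# "kubectl proxy" command lines for settings that leave the API server
# reachable without authentication. Only the --flag=value form is parsed.
# Flag names are real; sample command lines below are constructed.

# Drop shell quoting so --address='0.0.0.0' (as typed) and --address=0.0.0.0
# (as ps shows it) compare equal, and pad with spaces for whole-flag matching.
normalise_args() {
    printf ' %s ' "$1" | tr -d "'\""
}

# audit_apiserver_args CMDLINE
# Prints one FINDING line per risky setting; returns 0 when clean, 1 otherwise.
audit_apiserver_args() {
    args=$(normalise_args "$1")
    findings=0
    case "$args" in
        *" --anonymous-auth=true "*)
            echo "FINDING: unauthenticated requests are accepted as system:anonymous (--anonymous-auth=true)"
            findings=$((findings + 1)) ;;
    esac
    # The insecure localhost port (8080 on this page) performs no authentication
    # at all; any value other than 0 keeps it open on releases that still have it.
    port=$(printf '%s\n' "$args" | sed -n 's/.* --insecure-port=\([0-9][0-9]*\) .*/\1/p')
    if [ -n "$port" ] && [ "$port" != "0" ]; then
        echo "FINDING: unauthenticated insecure port is open (--insecure-port=$port)"
        findings=$((findings + 1))
    fi
    case "$args" in
        *" --insecure-bind-address=0.0.0.0 "*)
            echo "FINDING: insecure port is bound to all interfaces (--insecure-bind-address=0.0.0.0)"
            findings=$((findings + 1)) ;;
    esac
    # kube-apiserver defaults to AlwaysAllow when no --authorization-mode is given.
    mode=$(printf '%s\n' "$args" | sed -n 's/.* --authorization-mode=\([^ ]*\) .*/\1/p')
    case "$mode" in
        ""|*AlwaysAllow*)
            echo "FINDING: authorization mode '${mode:-AlwaysAllow (default)}' does not restrict authenticated subjects"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# audit_kubectl_proxy_args CMDLINE
# kubectl proxy forwards requests with the caller's own kubeconfig credentials,
# so a non-loopback --address or a permissive --accept-hosts hands that access
# to the network. Returns 0 when clean, 1 otherwise.
audit_kubectl_proxy_args() {
    args=$(normalise_args "$1")
    findings=0
    case "$args" in
        *" --address=127.0.0.1 "*|*" --address=localhost "*|*" --address=::1 "*) : ;;
        *" --address="*)
            echo "FINDING: kubectl proxy listens on a non-loopback address"
            findings=$((findings + 1)) ;;
    esac
    case "$args" in
        *" --accept-hosts=^.* "*)
            echo "FINDING: --accept-hosts='^.*' disables the default localhost-only Host check"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Helper for a real node: audit the running kube-apiserver process, if any.
audit_running_apiserver() {
    cmdline=$(ps -eo args= 2>/dev/null | grep '[k]ube-apiserver ' | head -n 1)
    if [ -z "$cmdline" ]; then
        echo "no kube-apiserver process found on this host"
        return 0
    fi
    audit_apiserver_args "$cmdline"
}

# Constructed samples: the lab configuration from this page beside a hardened one.
VULNERABLE_APISERVER='kube-apiserver --advertise-address=192.168.32.141 --anonymous-auth=true --insecure-port=8080 --insecure-bind-address=0.0.0.0 --secure-port=6443'
HARDENED_APISERVER='kube-apiserver --advertise-address=192.168.32.141 --anonymous-auth=false --insecure-port=0 --secure-port=6443 --authorization-mode=Node,RBAC'
VULNERABLE_PROXY="kubectl proxy --port=8088 --address='0.0.0.0' --accept-hosts='^.*'"
HARDENED_PROXY='kubectl proxy --port=8088 --address=127.0.0.1'

for sample in "$VULNERABLE_APISERVER" "$HARDENED_APISERVER"; do
    echo "== $sample"
    if audit_apiserver_args "$sample"; then echo "OK: no risky API server settings"; fi
done
for sample in "$VULNERABLE_PROXY" "$HARDENED_PROXY"; do
    echo "== $sample"
    if audit_kubectl_proxy_args "$sample"; then echo "OK: proxy stays on loopback"; fi
done
```

Run it on a control-plane node and call `audit_running_apiserver` to check the live process; a clean result still leaves the firewall item above to be verified separately, since the script only inspects command lines.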
