Andy Repton
Mission Critical Engineer, Speaker at meetups and conferences, focusing on Cloud Native technologies
All your Kube are belong to us
Andy Repton, Mission Critical Engineer @ Schuberg Philis
@SethKarlo
arepton@schubergphilis.com
Agenda
- Kubernetes Admin Best Practises
- CVE-2018-1002105 anonymous auth via aggregated API Servers
- Manipulating the Kubelet for privilege escalation
- CVE-2018-1002105 privilege escalation
- Manipulating Cloud Providers metadata for privilege escalation
Kubernetes Best Practises for Cluster admins (not creators)
Wait. What's the difference?
Today, with managed Kubernetes becoming more common, your cluster creator could be a public cloud provider, a third party company or, indeed, perhaps you. As time goes on, I believe these roles will continue to diverge as Kubernetes becomes more commoditised.
Authentication, Authorization and Admission Control
AuthN
- AuthN and AuthZ are strictly separated in K8S. It's only who you are and the groups you're in.
- Types of Authentication include:
- Client Certificates
- Bearer Tokens
- Basic Auth
- OpenID Tokens
- Webhook Authenticators
- AuthN has a username, UID and Groups that are passed to AuthZ
AuthZ
- AuthZ defines what you're allowed to do in the cluster, either cluster wide or namespace restricted
- RBAC is the default authorization system today, replacing ABAC
- There are also third party webhooks you can use for AuthZ with Open Source projects allowing you more complex control over your resources
Admission Controllers
- Admission controllers intercept incoming requests and can make decisions on them
- Special Admission Controllers are the mutating and validating webhook controllers, which allows for controllers not compiled into the apiserver
Recommended Controllers to enable
| Controller | Purpose |
|---|---|
| NamespaceLifecycle | Can't delete default, kube-system, kube-public. Can't create in Terminating namespaces. |
| LimitRanger | Enforces LimitRanges inside the cluster. |
| ServiceAccount | Enables automation of ServiceAccounts. |
| DefaultStorageClass | Allows users to not have to specify a StorageClass for PvCs. |
| DefaultTolerationSeconds | Sets the default toleration to 5 mins if not set for pods. |
| MutatingAdmissionWebhook | Enables calling of a mutating webhook for new requests |
| ValidatingAdmissionWebhook | Enables calling of a validating webhook for new requests |
| Priority | Enforces the use of priority for new pods |
| ResourceQuota | Enforces ResourceQuotas inside the cluster. |
kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Priority,ResourceQuota
Note: all of these are default, but v1.13 also adds PersistentVolumeClaimResize to the default
Pod Security Policies
- Allows for fine grained control over what pods can and cannot do
- For example, they can restrict things like:
- Which host paths can be mounted, if any
- If a pod is allowed to be privileged
- Which hostPorts are allowed to be used
- Which volume types are allowed to be used
- Plus more
Network Policies
- Allows for fine grained control over what pods are allowed to talk to
- Effectively an ACL and allows specification of source, destination, ingress, egress, port numbers and protocols
- Requires a network provider that supports them, which include (alphabetically)
- Calico
- Canal
- Kube-Router
- Romana
- Weave Net
Ok great! You've done everything possible as an admin to secure with best practises
Why, that's a lovely cluster you have there. Sure would be a shame if something were to... happen to it
CVE-2018-1002105
Pretty much every Kubernetes admin on Dec. 3rd
It comes in two flavours, using the same underlying exploit
- Anonymous Information leak via aggregated API Servers (metrics server or service catalog are prime targets here)
- Privilege escalation to the Kubelet API
It's a 9.8 out of 10 on the severity score for a CVE
Demo time!
How do I fix it?
Option 1: disable anonymous-auth on the kube-apiserver. The default is true:
Option 2: ACL your ApiServer
Option 3 (the best): Upgrade!
Privilege escalation via the Kubelet API
Communication from Kubelet to ApiServer is almost always Kubelet -> Apiserver
For example, creating a pod:
But if you need to exec to a pod, the apiserver needs to talk to the Kubelet. Usually via port 10250
We can abuse this port to gain access if Kubelet Authentication has not been set up
Demo time number 2!
How do I fix it?
Option 1: disable anonymous-auth on the kubelet. Once again, the default is true:
Option 2: Add authentication and authorization to your kubelets using either Certs or Tokens by following the steps here: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
Privilege escalation to the Kubelet via the second version of CVE-2018-1002105
Similar to our first exploit, we are using the open upgraded connection to escalate privileges
Demo time!
Come on WiFi and Demo Gods, don't let me down now
How do I fix it?
Option 1: disallow your users to use exec, attach etc. privileges
Option 2: upgrade ASAP!
Privilege escalation via the cloud provider
IAM in public clouds is provided via the metadata server, so your pods appear to the metadata server as the nodes
Demo time!
Yes, I'm crazy enough to attempt 4 demos in 45 minutes
How do I fix it?
Ensure that your nodes are created with read only permissions to your cloud provider
Review your permissions! If someone accidentally downloaded a docker image with this kind of code inside it you could face a hefty bill
Questions?
Thank you!
Thanks and acknowledgments for great writing, examples and write ups which helped me make the demos:
- https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
- https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb
- https://github.com/evict/poc_CVE-2018-1002105
All your Kube are belong to us
By Andy Repton
All your Kube are belong to us
Exploits in Kubernetes and how to fix them
