mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [master] 4 pages modified
This commit is contained in:
parent
322c9cb7f8
commit
f8b6abb826
3 changed files with 31 additions and 8 deletions
@ -170,7 +170,8 @@
* [Print Job Retention](pentesting/pentesting-printers/print-job-retention.md)
* [Scanner and Fax](pentesting/pentesting-printers/scanner-and-fax.md)
* [Pentesting SAP](pentesting/pentesting-sap.md)
* [Pentesting Kubernetes](pentesting/pentesting-kubernetes.md)
* [Pentesting Kubernetes](pentesting/pentesting-kubernetes/README.md)
* [Kubernetes Intro](pentesting/pentesting-kubernetes/kubernetes-intro.md)
* [7/tcp/udp - Pentesting Echo](pentesting/7-tcp-udp-pentesting-echo.md)
* [21 - Pentesting FTP](pentesting/pentesting-ftp/README.md)
* [FTP Bounce attack - Scan](pentesting/pentesting-ftp/ftp-bounce-attack.md)
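Review bot: this hunk lists two entries titled "Pentesting Kubernetes", one at pentesting/pentesting-kubernetes.md and one at pentesting/pentesting-kubernetes/README.md; in this rendered view it is not clear that the old single-file entry is the removed line, so confirm that the old path is dropped (and the file moved) rather than left as a second link with the same title. The nested "Kubernetes Intro" entry points at a page that, per the new-file hunk further down, currently holds only a heading, so consider adding that link once the page has content.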
@ -26,16 +26,32 @@ Security tips for Kubernetes
![](https://sickrov.github.io/media/Screenshot-68.jpg)
* **Node**: operating system with pod or pods.
* **Pod**: Wrapper around a container or multiple containers and it contains an app.
* **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application \(so usually, a pod run just 1 container\). The pod is the way kubernetes abstracts the container technology running.
* **Service**: Each pod has 1 service attached, which is 1 **IP address**. It's goal is to maintain the communication between pods even if one dies and a new copy is run. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service.
* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods \(through API server\). The kubelet doesn’t manage containers that were not created by Kubernetes.
* **Kube-proxy**: is the service in charge of the communications \(services\) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
* **Sidecar container**: Sidecar containers are the containers that should run along with the main container in the pod. This sidecar pattern extends and enhances the functionality of current containers without changing them. Nowadays, We know that we use container technology to wrap all the dependencies for the application to run anywhere. A container does only one thing and does that thing very well.
* **Kubectl**: Kubernetes’s CLI, allows you to manage and deploy containers. You can inspect the cluster’s resources. Communications with API server
* **Scheduler**: Scheduling refers to making sure that Pods are matched to Nodes so that Kubelet can run them Watches for new Pods that have no Node assigned. This component assign pods with nodes.
* **etcd**: Data storage, persistent, consistent, and distributed. Is Kubernetes’s database and the key-value storage where it keeps the complete state of the clusters.
* **Kube Controller manager**: check several resources, for example, the replica sets or the deployments to check if, for example, we have the correct number of pods or nodes running. It controls replication, tokens, and account services to the API.
* **Master process:**
* **Api Server:** Is the way the users and the pods use to communicate with the master process. Only authenticated request should be allowed.
* **Scheduler**: Scheduling refers to making sure that Pods are matched to Nodes so that Kubelet can run them. It has enough intelligence to decide which node has more available resources the assign the new pod to it. Note that the scheduler doesn't start new pods, it just communicate with the Kubelet process running inside the node, which will launch the new pod.
* **Kube Controller manager**: It checks resources like replica sets or deployments to check if, for example, the correct number of pods or nodes are running. In case a pod is missing, it will communicate with the scheduler to start a new one. It controls replication, tokens, and account services to the API.
* **etcd**: Data storage, persistent, consistent, and distributed. Is Kubernetes’s database and the key-value storage where it keeps the complete state of the clusters \(each change is logged here\). Components like the Scheduler or the Controller manager depends on this date to know which changes have occurred \(available resourced of the nodes, number of pods running...\)
* **Kubectl**: Kubernetes’s **CLI**, allows you to manage and deploy containers. You can inspect the cluster’s resources. Communications with API server
* **Cloud controller manager**: Is the specific controller for flow controls and applications, i.e: if you have clusters in AWS or OpenStack.
Note that as the might be several nodes \(running several pods\), there might also be several master processes which their access to the Api server load balanced and their etcd synchronized.
#### Volumes:
When a pod creates data that shouldn't be lost when the pod disappear it should be stored in a physical volume. **Kubernetes allow to attach a volume to a pod to persist the data**. The volume can be in the local machine or in a remote storage.
#### Other configurations:
* **ConfigMap**: You can configure **URLs** to access services. The pod will obtain data from here to learn how to communicate with the rest of the services \(pods\). Not that this is not the recommended place to save credentials!
* **Secret**: This is the place to **store secret data** like passwords, API keys... encoded in B64. The pod will be able to access this data to use the required credentials.
* **Deployments**: This is where the components to be run by kubernetes are declared. A user usually won't work directly with pods, but will declare the architecture of them here. Note that deployments are for **stateless** applications.
* **StatefulSet**: This component is meant specifically for applications like **databases** which needs to **access the same storage**.
### How pods communicate with each other.
![](https://sickrov.github.io/media/Screenshot-67.jpg)
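Review bot: several components now appear twice in this hunk (Pod on two lines, and Kubectl, Scheduler, etcd and Kube Controller manager each at top level and again under "Master process"); the -16/+32 line counts suggest the top-level copies are the removed lines, so verify the committed file keeps one definition per component, nested under "Master process" where that applies. Accuracy points while here: a Service is not attached one-per-pod, it selects a set of pods by label and gives them one stable IP; the Kubelet talks to the API server, not to kubectl; and kube-proxy implements Service routing on each node (iptables or IPVS), it is not the apiserver-to-node channel. On the "Secret" bullet, base64 is an encoding and not a protection: Secret values are readable by anyone with get or list on the namespace and sit in etcd in clear unless encryption at rest is configured, so the wording should not suggest that B64 protects them. Typos: "Only authenticated request" should be "requests", "the assign the new pod" should be "then assign", "depends on this date" should be "data", "Not that this is not" should be "Note that", and "as the might be several nodes" should be "as there might be".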
@ -82,7 +98,9 @@ Secret types:
**How secrets works:**
![](https://sickrov.github.io/media/Screenshot-164.jpg) [https://kubernetes.io/docs/concepts/configuration/secret/\#using-secrets-as-files-from-a-pod](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod)
[https://kubernetes.io/docs/concepts/configuration/secret/\#using-secrets-as-files-from-a-pod](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod)
![](https://sickrov.github.io/media/Screenshot-164.jpg)
Create a secret, commands:
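Review bot: the Screenshot-164 image and the kubernetes.io "using-secrets-as-files-from-a-pod" link appear twice in this hunk, once together on a single line and once split across separate lines; that reads as the old combined line plus the new split lines, so check the committed file does not end up with the screenshot and link duplicated. Also "How secrets works" should read "How secrets work".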
@ -348,7 +366,9 @@ Do not forget to delete de secrets and re-create them again in order to apply th
### Vulnerabilities - Container runtime sandboxes <a id="vulnerabilities---container-runtime-sandboxes"></a>
How an attack with lateral movement and privesc could be done: ![](https://sickrov.github.io/media/Screenshot-161.jpg)
How an attack with lateral movement and privesc could be done:
![](https://sickrov.github.io/media/Screenshot-161.jpg)
Getting inside the container:
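Review bot: same pattern as the secrets hunk: the "How an attack with lateral movement and privesc could be done" sentence and the Screenshot-161 image appear both combined on one line and split across two, so make sure only the split version is kept. The context line in the hunk header also carries a typo, "delete de secrets", which should be "delete the secrets".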
2
pentesting/pentesting-kubernetes/kubernetes-intro.md
Normal file
@ -0,0 +1,2 @@
# Kubernetes Intro
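Review bot: the new kubernetes-intro.md contains only the heading "# Kubernetes Intro" and is already linked from the summary in this same commit, so readers will land on an empty page; either add the intro content here or hold the summary entry until the page is written.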