Kubectl
List all applications and services
kubectl get all
List all pods
kubectl get pods
Delete a pod
kubectl delete pod <pod name>
Resource: https://www.fairwinds.com/blog/how-to-create-view-and-destroy-a-pod-in-kubernetes
List all nodes
kubectl get nodes
Get more information about a node
kubectl describe nodes <node name>
List all containers
kubectl get pods --all-namespaces -o=custom-columns=NameSpace:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name
Resource: https://serverfault.com/questions/873490/how-to-list-all-containers-in-kubernetes
By namespace
kubectl get pods -n <namespace>
Get information about all deployments
kubectl describe deployments
Get information about a deployment
kubectl describe deployment nginx-deployment
Get shell in container
kubectl exec -it <container name> bash
Secrets
Get a list of secrets
kubectl get secrets
View a secret
kubectl get secret <secret name> -o json | jq .
For example, to view the contents of a secret called db-user-pass:
kubectl get secret db-user-pass -o json | jq .
You can also opt to output in yaml as well:
kubectl get secret <secret name> -o yaml
Once you've done this, take the base64 encoded output and decode it to get the secret.
Resource: https://kubernetes.io/docs/concepts/configuration/secret/
List all services
kubectl get services
Get names of services
kubectl get services --sort-by=.metadata.name
Resource: https://kubernetes.io/docs/reference/kubectl/cheatsheet/
Get Pod IP Address
kubectl get pods -l app=<app name> -o yaml |grep podIP
Get more information about a pod
kubectl describe pod <pod name>
Resource: https://stackoverflow.com/questions/34848422/how-to-debug-imagepullbackoff
Delete an application
Find the deployment and service beforehand:
kubectl delete deployment.apps/<name> service/<name>
For example, for a service and deployment called 'app':
kubectl delete deployment.apps/app service/app
Alternatively, you could just run this in the directory with all of the files:
kubectl delete -k ./
Resource: https://kubernetes.io/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/
Get external IP addresses of all nodes
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
Resource: https://kubernetes.io/docs/reference/kubectl/cheatsheet/
Get all container images
kubectl get pods --all-namespaces -o=jsonpath="{..image}
Get all container images filtered by pod label
kubectl get pods --all-namespaces -o=jsonpath="{..image}" -l app=<name>
For example, for a label with the app name 'nginx' created with this tutorial:
kubectl get pods --all-namespaces -o=jsonpath="{..image}" -l app=nginx
Troubleshooting
This will sort the output for you as well based on when something was created:
kubectl get events --all-namespaces --sort-by='.metadata.creationTimestamp'
Alternatively, you can just run:
kubectl get events
Resources:
https://serverfault.com/questions/728727/kubernetes-stuck-on-containercreating
https://stackoverflow.com/questions/36377784/pod-in-kubernetes-always-in-pending-state
Check for insecure kubelet API access
From the host
curl -k https://localhost:10250/pods
Remotely
curl -k https://<target system running kub>:10250/pods
Resource: https://sysdig.com/blog/kubernetes-security-kubelet-etcd/
Kubernetes config file location
env |grep KUBECONFIG
Secure kubelet API access
Use the information from the kubernetes config file to get the location of the certificate-authority, the client-certificate, and the client-key. Alternatively, you can also run ps aux |grep kubelet and look at the command line parameters that are set.
Once you have this, you can run the following from the kubernetes host:
curl --cacert <path> --key <path> --cert <path> -k https://localhost:10250/pods | jq .
For example:
curl --cacert /etc/kubernetes/pki/ca.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt -k https://localhost:10250/pods | jq .
Resources:
https://sysdig.com/blog/kubernetes-security-kubelet-etcd/
https://medium.com/@netscylla/kubernetes-or-kuberpwn-586c687d5459
Default network access policies
If network policies are defined, the Kubernetes default policy is allow. Subsequently, you can talk to networked assets from within a container. To test this, exec into a container:
kubectl exec -it <container name> sh
Once inside, you can try things like querying the AWS metadata service (or another networked resource):
wget -O - -q http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/
If this works, you can ascertain that an attacker that gains access to a running container gains unfettered network access.
Resolution
Specify network access configurations that minimize ingress and egress access for each pod.
Service Port forwarding
This will forward the service on 8443 of <service name> to localhost:1234
kubectl port-forward service/<service name> 1234:8443 -n <namespace>
Set cluster
kubectl config use-context <cluster>
Get list of everything a service account can do
kubectl auth can-i --list
Use local image
Add this line to your pod yaml file:
imagePullPolicy: Never
Resource: https://stackoverflow.com/questions/55392014/kubectl-get-pods-shows-errimagepull
Run docker in docker
This is a very bad thing to do from a security standpoint, but when you need it, this is how you do it:
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: dev
imagePullPolicy: Never
name: dev
volumeMounts:
- name: docker-sock-volume
mountPath: "/var/run/docker.sock"
volumes:
- name: docker-sock-volume
hostPath:
# location on host
path: /var/run/docker.sock
Resources:
https://stackoverflow.com/questions/56462126/how-to-add-v-var-run-docker-sock-var-run-docker-sock-when-running-container
https://devops.stackexchange.com/questions/2506/docker-in-kubernetes-deployment