Kubernetes Cheatsheet

List all containers

kubectl get pods --all-namespaces -o=custom-columns=NameSpace:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name

Resource: https://serverfault.com/questions/873490/how-to-list-all-containers-in-kubernetes

By namespace

kubectl get pods -n <namespace>

Check for insecure kubelet API access

From the host

curl -k https://localhost:10250/pods

Remotely

curl -k https://<target system running kub>:10250/pods

If the kubelet returns the pod list without any credentials, anonymous access is enabled (--anonymous-auth=true with an AlwaysAllow authorization mode); a 401 or 403 response means the endpoint requires authentication.

Resource: https://sysdig.com/blog/kubernetes-security-kubelet-etcd/

Kubernetes config file location

env |grep KUBECONFIG

If KUBECONFIG is not set, kubectl falls back to ~/.kube/config.

Secure kubelet API access

Use the information from the kubernetes config file to get the location of the certificate-authority, the client-certificate, and the client-key. Alternatively, you can also run ps aux |grep kubelet and look at the command line parameters that are set.

Once you have this, you can run the following from the kubernetes host (-k skips verification of the kubelet's serving certificate; drop it once the certificate validates against --cacert):

curl --cacert <path> --key <path> --cert <path> -k https://localhost:10250/pods | jq .

For example:

curl --cacert /etc/kubernetes/pki/ca.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt -k https://localhost:10250/pods | jq .

Resources:
https://sysdig.com/blog/kubernetes-security-kubelet-etcd/
https://medium.com/@netscylla/kubernetes-or-kuberpwn-586c687d5459
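An added example, not from the original cheatsheet, of resolving the certificate-authority, client-certificate and client-key for the current context of a kubeconfig and building the curl line above from them. The kubeconfig is a constructed sample (kubeconfig is normally YAML; the JSON form is used here so only the standard library is needed), and the file paths and the inline certificate-authority-data value are placeholders:

```python
import base64
import json

# Constructed sample kubeconfig. Paths are placeholders; "Q0E=" is the
# base64 of b"CA" and stands in for a real inline certificate.
SAMPLE_KUBECONFIG = """
{
  "apiVersion": "v1",
  "kind": "Config",
  "current-context": "admin@onprem",
  "clusters": [
    {"name": "onprem",
     "cluster": {"server": "https://10.0.0.1:6443",
                 "certificate-authority": "/etc/kubernetes/pki/ca.crt"}},
    {"name": "managed",
     "cluster": {"server": "https://10.0.0.2:6443",
                 "certificate-authority-data": "Q0E="}}
  ],
  "users": [
    {"name": "admin",
     "user": {"client-certificate": "/etc/kubernetes/pki/apiserver-kubelet-client.crt",
              "client-key": "/etc/kubernetes/pki/apiserver-kubelet-client.key"}}
  ],
  "contexts": [
    {"name": "admin@onprem", "context": {"cluster": "onprem", "user": "admin"}},
    {"name": "admin@managed", "context": {"cluster": "managed", "user": "admin"}}
  ]
}
"""

# Which kubeconfig section each TLS field lives in.
TLS_FIELDS = (
    ("certificate-authority", "cluster"),
    ("client-certificate", "user"),
    ("client-key", "user"),
)


def _named(entries, name, key):
    """Find the list entry whose 'name' matches and return its nested section."""
    for entry in entries:
        if entry.get("name") == name:
            return entry[key]
    raise KeyError(f"kubeconfig has no entry named {name!r}")


def resolve_tls_material(kubeconfig_text, context=None):
    """Map each TLS field to ('path', p) or ('inline', raw_bytes), or None.

    kubeconfig allows either a file path (certificate-authority) or the
    base64-encoded content inline (certificate-authority-data); both forms
    are handled. A token-only user has no client certificate, hence None.
    """
    cfg = json.loads(kubeconfig_text)
    ctx = _named(cfg["contexts"], context or cfg["current-context"], "context")
    sections = {
        "cluster": _named(cfg["clusters"], ctx["cluster"], "cluster"),
        "user": _named(cfg["users"], ctx["user"], "user"),
    }
    material = {}
    for field, where in TLS_FIELDS:
        section = sections[where]
        if field in section:
            material[field] = ("path", section[field])
        elif field + "-data" in section:
            material[field] = ("inline", base64.b64decode(section[field + "-data"]))
        else:
            material[field] = None
    return material


def kubelet_curl_command(material, host="localhost"):
    """Build the cheatsheet's curl line (without -k) from path-based material.

    Returns None when any field is missing or embedded inline: curl needs
    files, so inline material has to be written out (with restrictive
    permissions) before it can be used.
    """
    if any(v is None or v[0] != "path" for v in material.values()):
        return None
    return (
        f"curl --cacert {material['certificate-authority'][1]} "
        f"--key {material['client-key'][1]} "
        f"--cert {material['client-certificate'][1]} "
        f"https://{host}:10250/pods"
    )


if __name__ == "__main__":
    print(kubelet_curl_command(resolve_tls_material(SAMPLE_KUBECONFIG)))
```

To use it against a real file, replace SAMPLE_KUBECONFIG with the contents of the path found under KUBECONFIG (converted to JSON, or parsed with a YAML library instead of json).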

Get shell in container

kubectl exec -it <pod name> -- bash

kubectl exec takes the pod name; if the pod runs more than one container, pick one with -c <container name>.

Secrets

Get a list of secrets

kubectl get secrets

View a secret

kubectl get secret <secret name> -o json | jq .

For example, to view the contents of a secret called db-user-pass:

kubectl get secret db-user-pass -o json | jq .

You can also opt to output in yaml as well:

kubectl get secret <secret name> -o yaml

Once you've done this, take the base64 encoded output and decode it to get the secret.

Resource: https://kubernetes.io/docs/concepts/configuration/secret/
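An added example, not from the original cheatsheet, of the decoding step: it takes the JSON that kubectl get secret -o json prints, base64-decodes every entry under .data, and also produces an audit view (key names and lengths only) for cases where the values themselves must not be written to a log. The sample Secret is constructed and its values are placeholders:

```python
import base64
import json
import sys

# Constructed sample of `kubectl get secret db-user-pass -o json`, trimmed to
# the fields that matter. "YWRtaW4=" is base64("admin"),
# "cGFzc3dvcmQxMjM=" is base64("password123"); both are placeholders.
SAMPLE_SECRET_JSON = """
{
  "apiVersion": "v1",
  "kind": "Secret",
  "type": "Opaque",
  "metadata": {"name": "db-user-pass", "namespace": "default"},
  "data": {
    "username": "YWRtaW4=",
    "password": "cGFzc3dvcmQxMjM="
  }
}
"""


def decode_secret(secret_json):
    """Return {key: bytes} for every entry under .data of a Secret object.

    The API stores .data values base64-encoded; the decoded value is arbitrary
    bytes (a TLS key, a kubeconfig, ...), so the caller decides how to show it.
    """
    obj = json.loads(secret_json)
    if obj.get("kind") != "Secret":
        raise ValueError(f"expected a Secret, got {obj.get('kind')!r}")
    return {k: base64.b64decode(v) for k, v in (obj.get("data") or {}).items()}


def as_text(decoded):
    """Turn values that are valid UTF-8 into str for display; keep binary as bytes."""
    out = {}
    for key, value in decoded.items():
        try:
            out[key] = value.decode("utf-8")
        except UnicodeDecodeError:
            out[key] = value
    return out


def summarize_secret(secret_json):
    """Audit-friendly view: name, type and decoded length per key, never the values."""
    obj = json.loads(secret_json)
    meta = obj.get("metadata", {})
    return {
        "name": meta.get("name"),
        "namespace": meta.get("namespace"),
        "type": obj.get("type"),
        "keys": {k: len(v) for k, v in decode_secret(secret_json).items()},
    }


if __name__ == "__main__":
    # Pipe kubectl output in, or run without input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECRET_JSON
    for key, value in as_text(decode_secret(text)).items():
        print(f"{key}: {value!r}")
```

Usage: kubectl get secret db-user-pass -o json | python3 decode_secret.py (the script name is an assumption).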

Default network access policies

If no network policies are defined, Kubernetes allows all pod traffic by default, so from within a container you can reach any networked asset. To test this, exec into a container:

kubectl exec -it <pod name> -- sh

Once inside, you can try things like querying the AWS metadata service (or another networked resource):

wget -O - -q http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/

If this works, an attacker who gains access to a running container also gains unfettered network access.

Resolution

Specify network access configurations that minimize ingress and egress access for each pod.

Resources:
https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d
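An added example, not from the original cheatsheet, of what such a configuration looks like: a namespace-wide default-deny NetworkPolicy, followed by an allow-list that opens only the ports a web pod needs. The namespace name, labels and ports are assumed values:

```yaml
# Namespace-wide default deny. podSelector: {} matches every pod in the
# namespace; listing both policyTypes with no ingress/egress rules blocks
# all traffic in both directions (namespace name is a placeholder).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow-list layered on top of the deny: pods labelled app=web accept 8443
# from pods labelled app=ingress, and may reach app=db on 5432 plus cluster
# DNS on 53. Everything else, including the metadata address
# 169.254.169.254 used in the test above, stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow
  namespace: app-namespace
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ingress
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with kubectl apply -f <file>. Two caveats: NetworkPolicy objects are only enforced by a CNI plugin that supports them (otherwise the objects exist but change nothing, so re-run the wget test above after applying), and the kubernetes.io/metadata.name namespace label is set automatically on recent Kubernetes versions; on older clusters label kube-system by hand or the DNS rule will not match.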

Service Port forwarding

This forwards port 8443 of service <service name> to localhost:1234:

kubectl port-forward service/<service name> 1234:8443 -n <namespace>