List all containers
kubectl get pods --all-namespaces -o=custom-columns=NameSpace:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name
Resource: https://serverfault.com/questions/873490/how-to-list-all-containers-in-kubernetes
By namespace
kubectl get pods -n <namespace>
Check for insecure kubelet API access
From the host
curl -k https://localhost:10250/pods
Remotely
curl -k https://<target system running kub>:10250/pods
Resource: https://sysdig.com/blog/kubernetes-security-kubelet-etcd/
Kubernetes config file location
env |grep KUBECONFIG
Secure kubelet API access
Use the information from the kubernetes config file to get the location of the certificate-authority, the client-certificate, and the client-key. Alternatively, you can also run ps aux |grep kubelet and look at the command line parameters that are set.
Once you have this, you can run the following from the kubernetes host:
curl --cacert <path> --key <path> --cert <path> -k https://localhost:10250/pods | jq .
For example:
curl --cacert /etc/kubernetes/pki/ca.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt -k https://localhost:10250/pods | jq .
Resources:
https://sysdig.com/blog/kubernetes-security-kubelet-etcd/
https://medium.com/@netscylla/kubernetes-or-kuberpwn-586c687d5459
Get shell in container
kubectl exec -it <container name> bash
Secrets
Get a list of secrets
kubectl get secrets
View a secret
kubectl get secret <secret name> -o json | jq .
For example, to view the contents of a secret called db-user-pass:
kubectl get secret db-user-pass -o json | jq .
You can also opt to output in yaml as well:
kubectl get secret <secret name> -o yaml
Once you've done this, take the base64 encoded output and decode it to get the secret.
Resource: https://kubernetes.io/docs/concepts/configuration/secret/
Default network access policies
If network policies are defined, the Kubernetes default policy is allow. Subsequently, you can talk to networked assets from within a container. To test this, exec into a container:
kubectl exec -it <container name> sh
Once inside, you can try things like querying the AWS metadata service (or another networked resource):
wget -O - -q http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/
If this works, you can ascertain that an attacker that gains access to a running container gains unfettered network access.
Resolution
Specify network access configurations that minimize ingress and egress access for each pod.
Service Port forwarding
This will forward the service on 8443 of <service name> to localhost:1234
kubectl port-forward service/<service name> 1234:8443 -n <namespace>
Set cluster
kubectl config use-context <cluster>
Get list of everything a service account can do
kubectl auth can-i --list