Kubernetes Kyverno bypass
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The original author of this page is Guillaume
Abusing policies misconfiguration
Enumerate rules
Start with an overview of the policies in the cluster: it tells you which rules are active, in which mode (Audit or Enforce) each runs, and which entities are allowed to bypass them.
$ kubectl get clusterpolicies
$ kubectl get policies
Enumerate Excluded
For each ClusterPolicy and Policy, you can specify a list of excluded entities, including:
- Groups: excludedGroups
- Users: excludedUsers
- Service Accounts (SA): excludedServiceAccounts
- Roles: excludedRoles
- Cluster Roles: excludedClusterRoles
These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them.
Example
Let's dig into one ClusterPolicy example:
$ kubectl get clusterpolicies MYPOLICY -o yaml
Look for the excluded entities in the rule's exclude block:
exclude:
  any:
  - clusterRoles:
    - cluster-admin
  - subjects:
    - kind: User
      name: system:serviceaccount:DUMMYNAMESPACE:admin
    - kind: User
      name: system:serviceaccount:TEST:thisisatest
    - kind: User
      name: system:serviceaccount:AHAH:*
Within a cluster, many add-on components, operators and applications may need to be excluded from a cluster policy, and those exclusions can be abused by targeting the privileged entities they name. In some cases an excluded entry references a namespace that does not exist, or a user that you do not have permission to impersonate; either can be a sign of misconfiguration.
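To audit the exclusions across every policy instead of reading each YAML by hand, here is an added example (not code from the original page): it walks the `exclude` block of every rule in the output of `kubectl get clusterpolicies -o json`, lists each exempted entity with the policy's mode, and flags wildcard names and service accounts whose namespace is not in a list you supply. The sample policy document is constructed from the example above; `warnings_for`, `audit_exclusions` and the set of known namespaces are this example's own.

```python
import json

# Constructed sample in the shape of `kubectl get clusterpolicies -o json`,
# reusing the excluded entities from the example above (not real cluster data).
SAMPLE = json.dumps({"items": [{
    "metadata": {"name": "MYPOLICY"},
    "spec": {"validationFailureAction": "Enforce", "rules": [{
        "name": "require-labels",
        "exclude": {"any": [
            {"clusterRoles": ["cluster-admin"]},
            {"subjects": [
                {"kind": "User", "name": "system:serviceaccount:DUMMYNAMESPACE:admin"},
                {"kind": "User", "name": "system:serviceaccount:TEST:thisisatest"},
                {"kind": "User", "name": "system:serviceaccount:AHAH:*"}]}]}}]}}]})
SA_PREFIX = "system:serviceaccount:"


def warnings_for(name, known_namespaces):
    """Flag an excluded identity that is broader than one existing principal."""
    warns = []
    if "*" in name:
        warns.append("wildcard")  # exempts every identity the pattern matches
    if name.startswith(SA_PREFIX):
        ns = name[len(SA_PREFIX):].split(":", 1)[0]
        # A service account in a namespace that does not exist is a stale or
        # never-valid entry; pass known_namespaces=None to skip this check.
        if known_namespaces is not None and ns not in known_namespaces:
            warns.append("namespace-missing")
    return warns


def audit_exclusions(policies_json, known_namespaces=None):
    """Return one finding per excluded entity across every rule of every policy."""
    findings = []
    for pol in json.loads(policies_json).get("items", []):
        spec = pol.get("spec", {})
        mode = spec.get("validationFailureAction", "Audit")  # Enforce or Audit
        for rule in spec.get("rules", []):
            exc = rule.get("exclude") or {}
            # `exclude` is either one flat block or a list of blocks under any:/all:
            blocks = exc.get("any", []) + exc.get("all", []) or [exc]
            for blk in blocks:
                ents = [("ClusterRole", r) for r in blk.get("clusterRoles", [])]
                ents += [("Role", r) for r in blk.get("roles", [])]
                ents += [(s.get("kind", "?"), s["name"]) for s in blk.get("subjects", [])]
                for kind, name in ents:
                    findings.append({"policy": pol["metadata"]["name"], "mode": mode,
                                     "rule": rule["name"], "kind": kind, "name": name,
                                     "warnings": warnings_for(name, known_namespaces)})
    return findings
```

Against a real cluster, replace SAMPLE with the output of `kubectl get clusterpolicies -o json` and build the known-namespace set from `kubectl get namespaces`; every finding carrying a warning is an exclusion worth reviewing or tightening.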
Abusing ValidatingWebhookConfiguration
Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource through which Kyverno receives admission requests:
Kubernetes ValidatingWebhookConfiguration
More info
For more info check https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/