Kubernetes Kyverno bypass


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

The original author of this page is Guillaume

Abusing policies misconfiguration

Enumerate rules

Having an overview helps you know which rules are active, in which mode they run, and who is allowed to bypass them:

```bash
$ kubectl get clusterpolicies
$ kubectl get policies
```

Enumerate Excluded

For each ClusterPolicy and Policy, you can specify a list of excluded entities, including:

  • Groups: excludedGroups
  • Users: excludedUsers
  • Service Accounts (SA): excludedServiceAccounts
  • Roles: excludedRoles
  • Cluster Roles: excludedClusterRoles

These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them.

Example

Let's dig into one ClusterPolicy example:

```bash
$ kubectl get clusterpolicies MYPOLICY -o yaml
```

Look for the excluded entities:

```yaml
exclude:
  any:
    - clusterRoles:
        - cluster-admin
    - subjects:
        - kind: User
          name: system:serviceaccount:DUMMYNAMESPACE:admin
        - kind: User
          name: system:serviceaccount:TEST:thisisatest
        - kind: User
          name: system:serviceaccount:AHAH:*
```

Within a cluster, numerous added components, operators and applications may need to be excluded from a cluster policy. However, these exclusions can be exploited by targeting the privileged entities they name. In some cases it may appear that an excluded namespace does not exist, or that you lack permission to impersonate an excluded user; either can be a sign of misconfiguration.
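As an added example (not code from the original page), a small Python audit that parses the JSON form of a ClusterPolicy (as returned by `kubectl get clusterpolicy <name> -o json`) and flags the exclusions the text warns about: privileged cluster roles, and wildcard or service-account subjects. The sample policy, rule and namespace names are constructed placeholders, and the glob matching of subject names is an assumption about how Kyverno treats wildcards.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape `kubectl get clusterpolicy <name> -o json` returns.
# Policy, rule and namespace names are placeholders (assumptions), not from a real cluster.
SAMPLE_POLICY_JSON = """
{
  "metadata": {"name": "require-team-label"},
  "spec": {"rules": [{
    "name": "check-team-label",
    "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
    "exclude": {"any": [
      {"clusterRoles": ["cluster-admin"]},
      {"subjects": [
        {"kind": "User", "name": "system:serviceaccount:DUMMYNAMESPACE:admin"},
        {"kind": "User", "name": "system:serviceaccount:AHAH:*"}
      ]}
    ]}
  }]}
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}

def _exclude_blocks(policy):
    """Yield (rule name, exclude block) for every any/all entry of every rule."""
    for rule in policy.get("spec", {}).get("rules", []):
        exclude = rule.get("exclude", {})
        for block in exclude.get("any", []) + exclude.get("all", []):
            yield rule.get("name", "?"), block

def audit_exclusions(policy):
    """Return (rule, finding) pairs for exclusions that widen the bypass surface."""
    findings = []
    for rule, block in _exclude_blocks(policy):
        for role in block.get("clusterRoles", []) + block.get("roles", []):
            if role in PRIVILEGED_ROLES:
                findings.append((rule, f"privileged role excluded: {role}"))
        for subj in block.get("subjects", []):
            name = subj.get("name", "")
            if "*" in name:
                findings.append((rule, f"wildcard subject excluded: {name}"))
            elif subj.get("kind") == "User" and name.startswith("system:serviceaccount:"):
                findings.append((rule, f"service account excluded as a User: {name}"))
    return findings

def subject_is_excluded(policy, username):
    """True if username matches an excluded subject name (glob match is an assumption)."""
    return any(fnmatchcase(username, s.get("name", "")) for _, block in _exclude_blocks(policy)
               for s in block.get("subjects", []))
```

Run it against the real output of `kubectl get clusterpolicy <name> -o json` to list every rule whose exclusions name a privileged role or a wildcard service-account pattern.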

Abusing ValidatingWebhookConfiguration

Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource:

Kubernetes ValidatingWebhookConfiguration

More info

For more info check https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/
