HackTricks CloudKubernetes OPA Gatekeeper bypass
Reading time: 1 minute
The original author of this page is Guillaume
Abusing misconfiguration
Enumerate rules
Having an overview may help to know which rules are active, on which mode and who can bypass it.
With the CLI
$ kubectl api-resources | grep gatekeeper
k8smandatoryannotations constraints.gatekeeper.sh/v1beta1 false K8sMandatoryAnnotations
k8smandatorylabels constraints.gatekeeper.sh/v1beta1 false K8sMandatoryLabel
constrainttemplates templates.gatekeeper.sh/v1 false ConstraintTemplate
ConstraintTemplate and Constraint can be used in Open Policy Agent (OPA) Gatekeeper to enforce rules on Kubernetes resources.
$ kubectl get constrainttemplates
$ kubectl get k8smandatorylabels
With the GUI
A Graphic User Interface may also be available to access the OPA rules with Gatekeeper Policy Manager. It is "a simple read-only web UI for viewing OPA Gatekeeper policies' status in a Kubernetes Cluster."
Search for the exposed service :
$ kubectl get services -A | grep gatekeeper
$ kubectl get services -A | grep 'gatekeeper-policy-manager-system'
Excluded namespaces
As illustrated in the image above, certain rules may not be applied universally across all namespaces or users. Instead, they operate on a whitelist basis. For instance, the liveness-probe constraint is excluded from applying to the five specified namespaces.
Bypass
With a comprehensive overview of the Gatekeeper configuration, it's possible to identify potential misconfigurations that could be exploited to gain privileges. Look for whitelisted or excluded namespaces where the rule doesn't apply, and then carry out your attack there.
Abusing Roles/ClusterRoles in Kubernetes
Abusing ValidatingWebhookConfiguration
Another way to bypass constraints is to focus on the ValidatingWebhookConfiguration resource :
Kubernetes ValidatingWebhookConfiguration