Kubernetes Kyverno bypass
The original author of this page is Guillaume
Abusing policies misconfiguration
Enumerate rules
Start with an overview of the policies in the cluster: which rules are active, whether each runs in Audit or Enforce mode, and which entities are exempt from it.
$ kubectl get clusterpolicies
$ kubectl get policies
Enumerate excluded entities
For each ClusterPolicy and Policy, you can specify a list of excluded entities, including:
- Groups: excludedGroups
- Users: excludedUsers
- Service Accounts (SA): excludedServiceAccounts
- Roles: excludedRoles
- Cluster Roles: excludedClusterRoles
These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them.
Example
Let's dig into one ClusterPolicy example:
$ kubectl get clusterpolicies MYPOLICY -o yaml
Look for the excluded entities:
exclude:
  any:
  - clusterRoles:
    - cluster-admin
  - subjects:
    - kind: User
      name: system:serviceaccount:DUMMYNAMESPACE:admin
    - kind: User
      name: system:serviceaccount:TEST:thisisatest
    - kind: User
      name: system:serviceaccount:AHAH:*
Within a cluster, many add-on components, operators, and applications legitimately need to be excluded from a cluster policy. However, these exclusions can be exploited when they cover privileged entities. In some cases an excluded namespace may turn out not to exist, or you may lack permission to impersonate an excluded user; both are signs of misconfiguration.
Abusing ValidatingWebhookConfiguration
Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource: