Kubernetes Hardening
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Tools to analyze a cluster
Steampipe - Kubernetes Compliance
Runs several compliance checks against a Kubernetes cluster. It includes support for the CIS benchmark and for the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity technical reports on Kubernetes hardening.
```bash
# Install Steampipe
brew install turbot/tap/powerpipe
brew install turbot/tap/steampipe
steampipe plugin install kubernetes

# Start the service
steampipe service start

# Install the module
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

# Run the module
powerpipe server
```
Kubescape
Kubescape is an open-source K8s tool that provides a single pane of glass for multi-cloud K8s environments, including risk analysis, security compliance, an RBAC visualizer and image vulnerability scanning. Kubescape scans K8s clusters, YAML files and HELM charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®), software vulnerabilities and RBAC (role-based access control) violations at early stages of the CI/CD pipeline; it calculates a risk score instantly and shows risk trends over time.
```bash
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
kubescape scan --verbose
```
Popeye
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with the deployed resources and configurations. It sanitizes your cluster based on what is deployed, not on what sits on disk. By scanning your cluster it detects misconfigurations and helps you ensure that best practices are in place, preventing future headaches. It aims to reduce the cognitive overload one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential over/under allocation of resources and attempts to warn you should your cluster run out of capacity.
Kube-bench
The tool kube-bench checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
You can choose to:
- run kube-bench from inside a container (sharing the PID namespace with the host)
- run a container that installs kube-bench on the host, and then run kube-bench directly on the host
- install the latest binaries from the Releases page,
- compile from source.
Kubeaudit
[DEPRECATED] The tool kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security concerns.
Kubeaudit can detect whether it is running inside a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:
```bash
kubeaudit all
```
This tool also has the argument autofix to automatically fix the detected issues.
Kube-hunter
[DEPRECATED] The tool kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility of security issues in Kubernetes environments.
```bash
kube-hunter --remote some.node.com
```
Trivy
Trivy has scanners that look for security issues, and targets where it can find those issues:
- Container Image
- Filesystem
- Git Repository (remote)
- Virtual Machine Image
- Kubernetes
Kubei
[Seems unmaintained]
Kubei is a vulnerability scanning and CIS Docker benchmark tool that allows users to get an accurate and immediate risk assessment of their Kubernetes clusters. Kubei scans all images used in a Kubernetes cluster, including images of application pods and system pods.
KubiScan
KubiScan is a tool for scanning a Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model.
Managed Kubernetes Auditing Toolkit
MKAT is a tool built to run other kinds of checks, riskier than those of the other tools. It basically has 3 different modes:
- find-role-relationships: Finds which AWS roles are running in which pods.
- find-secrets: Tries to identify secrets in K8s resources such as Pods, ConfigMaps and Secrets.
- test-imds-access: Tries to run pods and access the metadata service v1 and v2. WARNING: This will run a pod in the cluster; be very careful, because you probably don't want to do that!
Audit IaC Code
KICS
KICS finds security vulnerabilities, compliance issues and infrastructure misconfigurations in the following Infrastructure as Code solutions: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM and OpenAPI 3.0 specifications.
Checkov
Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
Kube-score
kube-score is a tool that performs static code analysis of your Kubernetes object definitions.
To install:
| Distribution | Command / Link |
|---|---|
| Pre-built binaries for macOS, Linux, and Windows | GitHub releases |
| Docker | docker pull zegl/kube-score (Docker Hub) |
| Homebrew (macOS and Linux) | brew install kube-score |
| Krew (macOS and Linux) | kubectl krew install score |
Tools to analyze YAML files & Helm Charts
Kube-linter
```bash
# Install Kube-linter
brew install kube-linter

# Run Kube-linter (the subcommand is `lint`)
kube-linter lint ./path/to/yaml/or/chart
```
Checkov
```bash
# Install Checkov
pip install checkov

# Run Checkov
checkov -d ./path/to/yaml/or/chart
```
kube-score
```bash
# Install kube-score
brew install kube-score

# Run kube-score
kube-score score ./path/to/yaml
# or
helm template chart /path/to/chart | kube-score score -
# or if the chart needs some values
helm template chart /path/to/chart \
  --set 'config.urls[0]=https://dummy.backend.internal' \
  | kube-score score -
```
Kubesec
```bash
# Install Kubesec
## Download from https://github.com/controlplaneio/kubesec/releases

# Run Kubesec on a yaml
kubesec scan ./path/to/yaml
# or
helm template chart /path/to/chart | kubesec scan -
# or if the chart needs some values
helm template chart /path/to/chart \
  --set 'config.urls[0]=https://dummy.backend.internal' \
  | kubesec scan -
```
Scan for dependency issues
Scan images
```bash
#!/bin/bash
# List every image referenced by pods in all namespaces. jsonpath uses [*] for
# "every element" (a bare [] is not valid jsonpath). Pods with several
# containers print their images space-separated, so split them onto lines
# before de-duplicating.
export images=$(kubectl get pods --all-namespaces -o jsonpath="{range .items[*]}{.spec.containers[*].image}{'\n'}{end}" | tr ' ' '\n' | sort | uniq)
echo "All images found: $images"
echo ""
echo ""
for image in $images; do
    # Run trivy scan and save JSON output
    trivy image --format json --output /tmp/result.json --severity HIGH,CRITICAL "$image" >/dev/null 2>&1
    # Extract binary targets that have vulnerabilities
    binaries=$(jq -r '.Results[] | select(.Vulnerabilities != null) | .Target' /tmp/result.json)
    if [ -n "$binaries" ]; then
        echo "- **Image:** $image"
        while IFS= read -r binary; do
            echo "  - **Binary:** $binary"
            jq -r --arg target "$binary" '
                .Results[] | select(.Target == $target) | .Vulnerabilities[] |
                "    - **\(.Title)** (\(.Severity)): Affecting `\(.PkgName)` fixed in version `\(.FixedVersion)` (current version is `\(.InstalledVersion)`)."
            ' /tmp/result.json
        done <<< "$binaries"
        echo ""
        echo ""
        echo ""
    fi
done
```
Scan Helm charts
```bash
#!/bin/bash
# scan-helm-charts.sh
# This script lists all Helm releases, renders their manifests,
# and then scans each manifest with Trivy for configuration issues.

# Check that jq is installed
if ! command -v jq &>/dev/null; then
    echo "jq is required but not installed. Please install jq and rerun."
    exit 1
fi

# List all helm releases and extract namespace and release name
echo "Listing Helm releases..."
helm list --all-namespaces -o json | jq -r '.[] | "\(.namespace) \(.name)"' > helm_releases.txt

# Check if any releases were found
if [ ! -s helm_releases.txt ]; then
    echo "No Helm releases found."
    exit 0
fi

# Loop through each Helm release and scan its rendered manifest
while IFS=" " read -r namespace release; do
    echo "---------------------------------------------"
    echo "Scanning Helm release '$release' in namespace '$namespace'..."

    # Render the deployed manifest. The namespace is part of the file name so
    # that releases sharing a name in different namespaces do not overwrite each other.
    manifest_file="${namespace}-${release}-manifest.yaml"
    if ! helm get manifest "$release" -n "$namespace" > "$manifest_file"; then
        echo "Failed to get manifest for $release in $namespace. Skipping."
        rm -f "$manifest_file"
        continue
    fi

    # Scan the manifest with Trivy (configuration scan)
    echo "Running Trivy config scan on $manifest_file..."
    trivy config --severity MEDIUM,HIGH,CRITICAL "$manifest_file"
    echo "Completed scan for $release."
done < helm_releases.txt

echo "---------------------------------------------"
echo "Helm chart scanning complete."
```
Tips
Kubernetes PodSecurityContext and SecurityContext
You can configure the security context of the Pods (with PodSecurityContext) and of the containers that are going to be run (with SecurityContext). For more information read:
Kubernetes API Hardening
It is very important to protect access to the Kubernetes API Server, as a malicious actor with enough privileges could abuse it and damage the environment in many ways.
It is important to secure both the access (whitelist the origins allowed to reach the API Server and deny any other connection) and the authentication (following the principle of least privilege). And definitely never allow anonymous requests.
Common request flow:
User or K8s ServiceAccount –> Authentication –> Authorization –> Admission Control.
Tips:
- Close ports.
- Avoid Anonymous access.
- NodeRestriction; no access from specific nodes to the API.
  - https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction
  - Basically, it prevents kubelets from adding/removing/updating labels with a node-restriction.kubernetes.io/ prefix. This label prefix is reserved for administrators to label their Node objects for workload isolation purposes, and kubelets will not be allowed to modify labels with that prefix.
  - And also, it allows kubelets to add/remove/update these labels and label prefixes.
- Use labels to ensure secure workload isolation.
- Prevent specific pods from accessing the API.
- Avoid exposing the ApiServer to the internet.
- Avoid unauthorized access to RBAC.
- Put the ApiServer port behind a firewall and IP whitelisting.
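Three of the tips above (no anonymous requests, RBAC authorization, NodeRestriction) are visible directly in the kube-apiserver command line. The following added example, which is not code from this page or from any of the tools it lists, reads a kube-apiserver static Pod manifest in the JSON shape `kubectl -n kube-system get pod kube-apiserver-<node> -o json` returns and reports which of those three settings is left weak. The two sample manifests are constructed, and the defaults it assumes when a flag is absent (anonymous auth on, AlwaysAllow authorization, NodeRestriction not enabled) follow the kube-apiserver reference documentation.

```python
"""Check a kube-apiserver static Pod manifest against the API hardening tips.

Added example; the manifests below are constructed samples, not taken from a
real cluster.
"""


def parse_flags(command):
    """Map '--key=value', '--key value' and bare '--key' tokens to a dict."""
    flags = {}
    tokens = list(command)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            body = tok[2:]
            if "=" in body:
                key, value = body.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, value = body, tokens[i + 1]
                i += 1
            else:
                key, value = body, "true"  # a bare boolean flag means true
            flags[key] = value
        i += 1
    return flags


def audit_apiserver(pod):
    """Return (check_id, message) pairs, one per tip the manifest violates."""
    findings = []
    containers = [c for c in pod["spec"].get("containers", [])
                  if c.get("name") == "kube-apiserver"]
    if not containers:
        return [("container", "no container named kube-apiserver in manifest")]
    c = containers[0]
    flags = parse_flags(c.get("command", []) + c.get("args", []))

    # Tip: never allow anonymous requests. kube-apiserver defaults to true.
    if flags.get("anonymous-auth", "true").lower() != "false":
        findings.append(("anonymous-auth",
                         "anonymous requests are accepted; set --anonymous-auth=false"))

    # Tip: avoid unauthorized access via RBAC. Unset, the binary uses AlwaysAllow.
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append(("authorization-mode",
                         f"authorization modes {modes} do not enforce RBAC; use Node,RBAC"))

    # Tip: NodeRestriction. It is not in the default plugin set, so it must be enabled.
    enabled = flags.get("enable-admission-plugins", "").split(",")
    disabled = flags.get("disable-admission-plugins", "").split(",")
    if "NodeRestriction" not in enabled or "NodeRestriction" in disabled:
        findings.append(("node-restriction",
                         "NodeRestriction is not active; add it to --enable-admission-plugins"))
    return findings


def _manifest(command):
    """Minimal static-Pod manifest around the given command (constructed sample)."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "kube-apiserver-node1", "namespace": "kube-system"},
        "spec": {"containers": [{"name": "kube-apiserver", "command": command}]},
    }


# Constructed weak sample: anonymous auth left at its default, AlwaysAllow
# authorization and no NodeRestriction plugin.
WEAK_MANIFEST = _manifest([
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--authorization-mode=AlwaysAllow",
    "--enable-admission-plugins=NamespaceLifecycle",
    "--secure-port=6443",
])

# Constructed hardened sample following the tips above.
HARDENED_MANIFEST = _manifest([
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction",
    "--secure-port=6443",
])

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"[{label}]")
        for check, message in audit_apiserver(manifest) or [("ok", "no findings")]:
            print(f"  {check}: {message}")
```

To run it against a real control plane, feed `json.load()` of the kubectl output to `audit_apiserver`; on a kubeadm cluster the manifest also lives at /etc/kubernetes/manifests/kube-apiserver.yaml and would need a YAML parser instead. The firewall and IP-whitelisting tips are enforced outside the process and cannot be judged from these flags.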
SecurityContext Hardening
By default the root user will be used when a Pod is started if no other user is specified. You can run your application inside a more secure context using a template like the following one:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  # Pod-level settings apply to every container unless a container overrides them
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    # A container may carry only one securityContext key, so both settings live here
    securityContext:
      runAsNonRoot: true
      # Block setuid binaries and similar routes to extra privileges at run time
      allowPrivilegeEscalation: false
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
```
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
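The template above sets a few of the fields that matter; a reviewer usually wants to check every Pod in a namespace for the same things. The following added example, not code from this page or from any of the tools listed earlier, audits Pod manifests in the JSON shape `kubectl get pod <name> -o json` returns. It resolves the pod-level and container-level securityContext the way the kubelet does (container values override pod values for the fields they share) and reports settings that leave a container running as root, privileged, or able to escalate privileges. The three sample Pods are constructed; the first is the demo Pod above with its container made non-root but with allowPrivilegeEscalation still true.

```python
"""Audit Pod manifests for weak securityContext settings.

Added example; the sample Pods are constructed, not taken from a real cluster.
"""


def effective_security_context(pod_spec, container):
    """Pod-level securityContext applies to every container unless the
    container sets the same field itself."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod(pod):
    """Return (container_name, check_id) pairs for each weakening setting found."""
    findings = []
    spec = pod["spec"]
    # Host namespaces are pod-level and expose host processes or networking.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("<pod>", flag))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c["name"]
        sc = effective_security_context(spec, c)
        if sc.get("privileged"):
            findings.append((name, "privileged"))
        # Root unless runAsNonRoot is true or a non-zero runAsUser is set
        # (root is the default when no user is specified).
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((name, "runs-as-root"))
        # allowPrivilegeEscalation defaults to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "writable-root-filesystem"))
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            findings.append((name, "capabilities-not-dropped"))
    return findings


def _demo_pod(container_sc):
    """The security-context-demo Pod with a chosen container securityContext
    (constructed sample)."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "security-context-demo"},
        "spec": {
            "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
            "volumes": [{"name": "sec-ctx-vol", "emptyDir": {}}],
            "containers": [{
                "name": "sec-ctx-demo", "image": "busybox",
                "command": ["sh", "-c", "sleep 1h"],
                "securityContext": container_sc,
                "volumeMounts": [{"name": "sec-ctx-vol", "mountPath": "/data/demo"}],
            }],
        },
    }


# Non-root, but privilege escalation is still allowed (constructed).
DEMO_POD = _demo_pod({"runAsNonRoot": True, "allowPrivilegeEscalation": True})

# A hardened variant of the same Pod (constructed).
HARDENED_POD = _demo_pod({
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]},
})

# A constructed debug Pod of the kind that should not survive review.
DEBUG_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dbg"},
    "spec": {"hostPID": True,
             "containers": [{"name": "dbg", "image": "busybox",
                             "securityContext": {"privileged": True}}]},
}

if __name__ == "__main__":
    for pod in (DEMO_POD, HARDENED_POD, DEBUG_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```

For a whole namespace, `json.load()` the output of `kubectl get pods -o json` and call `audit_pod` on each entry of its `items` list. The check ids are deliberately short strings so the result can be counted, diffed between runs, or fed to a policy engine such as the ones listed under monitoring below.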
General Hardening
You should update your Kubernetes environment as often as necessary to have:
- Dependencies up to date.
- Bug and security patches.
Release cycles: every 3 months there is a new minor release, e.g. 1.20.3 = 1(Major).20(Minor).3(patch)
The best way to update a Kubernetes Cluster is (from here):
- Upgrade the Master Node components following this sequence:
  - etcd (all instances).
  - kube-apiserver (all control plane hosts).
  - kube-controller-manager.
  - kube-scheduler.
  - cloud controller manager, if you use one.
- Upgrade the Worker Node components such as kube-proxy, kubelet.
Kubernetes monitoring and security:
- Kyverno Policy Engine
- Cilium Tetragon - eBPF-based security observability and runtime enforcement
- Network Security Policies
- Falco - runtime security monitoring and detection