Solve this question on: ssh cks3477
Namespace security contains five Secrets of type Opaque which can be considered highly confidential. The latest Incident-Prevention-Investigation revealed that ServiceAccount p.auster had too broad access to the cluster for some time. This SA should never have had access to any Secrets in that Namespace.
Tasks:
Note: You can use jq to make JSON output more readable, e.g.
cat data.json | jq
First, let's list the Opaque Secrets in the security namespace:
➜ ssh cks3477
➜ candidate@cks3477:~# k -n security get secret | grep Opaque
kubeadmin-token Opaque 1 37m
mysql-admin Opaque 1 37m
postgres001 Opaque 1 37m
postgres002 Opaque 1 37m
vault-token Opaque 1 37m
Navigate to the audit log directory and check its size:
➜ candidate@cks3477:~# cd /opt/course/p2
➜ candidate@cks3477:/opt/course/p2$ ls -lh
audit.log
➜ candidate@cks3477:/opt/course/p2$ cat audit.log | wc -l
4448
Filter logs for ServiceAccount p.auster:
➜ candidate@cks3477:/opt/course/p2$ cat audit.log | grep "p.auster" | wc -l
28
➜ candidate@cks3477:/opt/course/p2$ cat audit.log | grep "p.auster" | grep Secret | wc -l
2
Check for specific actions:
➜ candidate@cks3477:/opt/course/p2$ cat audit.log | grep "p.auster" | grep Secret | grep list | wc -l
0
➜ candidate@cks3477:/opt/course/p2$ cat audit.log | grep "p.auster" | grep Secret | grep get | wc -l
2
Examine the specific Secret access events:
➜ candidate@cks3477:/opt/course/p2$ cat audit.log | grep "p.auster" | grep Secret | grep get | jq
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "74fd9e03-abea-4df1-b3d0-9cfeff9ad97a",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/security/secrets/vault-token",
  "verb": "get",
  "user": {
    "username": "system:serviceaccount:security:p.auster",
    "uid": "29ecb107-c0e8-4f2d-816a-b16f4391999c",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:security",
      "system:authenticated"
    ]
  },
  "objectRef": {
    "resource": "secrets",
    "namespace": "security",
    "name": "vault-token",
    "apiVersion": "v1"
  }
}
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "aed6caf9-5af0-4872-8f09-ad55974bb5e0",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/security/secrets/mysql-admin",
  "verb": "get",
  "user": {
    "username": "system:serviceaccount:security:p.auster",
    "uid": "29ecb107-c0e8-4f2d-816a-b16f4391999c",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:security",
      "system:authenticated"
    ]
  },
  "objectRef": {
    "resource": "secrets",
    "namespace": "security",
    "name": "mysql-admin",
    "apiVersion": "v1"
  }
}
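The grep chain above works for this log, but substring matching is fragile (the `.` in `p.auster` is a regex wildcard, `grep get` matches any line containing those letters, and RequestResponse-level logs write a RequestReceived and a ResponseComplete entry for the same request). The following script, added here and not part of the original walkthrough, does the same investigation on the parsed JSON events; the audit lines it scans are constructed samples, not the page's /opt/course/p2/audit.log.

```python
import json

# Constructed sample audit log (NOT the page's audit.log): one JSON event per
# line, the shape the kube-apiserver audit log backend writes.
def _ev(user, verb, stage, resource, ns, name=None):
    ref = {"resource": resource, "namespace": ns, "apiVersion": "v1"}
    if name:
        ref["name"] = name
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "stage": stage, "verb": verb,
                       "user": {"username": user}, "objectRef": ref})

PA = "system:serviceaccount:security:p.auster"
SAMPLE_LOG = "\n".join([
    _ev(PA, "get", "RequestReceived", "secrets", "security", "vault-token"),   # same request, earlier stage
    _ev(PA, "get", "ResponseComplete", "secrets", "security", "vault-token"),
    _ev(PA, "get", "ResponseComplete", "secrets", "security", "mysql-admin"),
    _ev(PA, "get", "ResponseComplete", "configmaps", "security", "budget-config"),  # not a Secret
    _ev("system:serviceaccount:security:other", "list", "ResponseComplete", "secrets", "security"),
    _ev(PA, "list", "ResponseComplete", "secrets", "dev"),                      # other namespace
    "not json at all",                                                          # torn line, must not abort
])

def secret_access_by(lines, username, namespace):
    """Map each Secret in `namespace` touched by `username` to the sorted verbs used on it."""
    hits = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Count each request once: only the completed stage, not RequestReceived.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets" or ref.get("namespace") != namespace:
            continue
        # A list/watch over the whole collection has no objectRef.name; record it as "*".
        hits.setdefault(ref.get("name", "*"), set()).add(ev.get("verb"))
    return {name: sorted(verbs) for name, verbs in hits.items()}

if __name__ == "__main__":
    for name, verbs in secret_access_by(SAMPLE_LOG.splitlines(), PA, "security").items():
        print(f"{name}: {', '.join(verbs)}")
```

Against the real file, replace `SAMPLE_LOG.splitlines()` with the opened audit.log; every Secret name the function returns is one whose value should be rotated, as done in the next step.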
Generate new base64-encoded passwords:
➜ candidate@cks3477:/opt/course/p2$ echo -n new-vault-pass | base64
bmV3LXZhdWx0LXBhc3M=
➜ candidate@cks3477:/opt/course/p2$ echo -n new-mysql-pass | base64
bmV3LW15c3FsLXBhc3M=
Update the two Secrets that p.auster read, replacing their stored values with the new base64-encoded passwords:
➜ candidate@cks3477:/opt/course/p2$ k -n security edit secret vault-token
➜ candidate@cks3477:/opt/course/p2$ k -n security edit secret mysql-admin