Skip to content

Exploit: k8s shadow apiserver

cdxy edited this page Jan 20, 2021 · 2 revisions

Deploy a shadow apiserver with the same configurations with a current kube-apiserver pod in namespace kube-system. The shadow apiserver receive anonymous request and execute all k8s actions with none audit log, use it to control K8s cluster and perform further attacks.

部署一个shadow apiserver,该apiserver具有和集群中现存的apiserver一致的功能,同时开启了全部K8s管理权限,接受匿名请求且不保存审计日志。便于攻击者无痕迹的管理整个集群以及下发后续渗透行动。

Usage

./cdk run k8s-shadow-apiserver (default|anonymous|<service-account-token-path>)

Request Options:
default: connect API server with pod's default service account token
anonymous: connect API server with user system:anonymous
<service-account-token-path>: connect API server with user-specified service account token.

Example

Deploy a shadow apiserver in cluster.

./cdk run k8s-shadow-apiserver default

png

Clone this wiki locally