K8S

Some useful commands during a Kubernetes engagement.

Check which Pods have seccomp disabled

kubectl get pods -A -o json | jq -r '.items[] |{namespace: .metadata.namespace,name: .metadata.name,seccomp: (.spec.securityContext.seccompProfile.type // .metadata.annotations["seccomp.security.alpha.kubernetes.io/pod"] // "not set")}'

Check which Pods have allowPrivilegeEscalation enabled

kubectl get pods -A -o json | jq -r '.items[] as $pod |$pod.spec.containers[]? as $c |"\($pod.metadata.namespace)\t\($pod.metadata.name)\t\($c.name)\t\($c.securityContext.allowPrivilegeEscalation // "not set (defaults to true)")"'

Check which Pods have a writable root filesystem

kubectl get pods -A -o json | jq -r '.items[] |select(any(.spec.containers[]?; .securityContext.readOnlyRootFilesystem != true)) |"\(.metadata.namespace)\t\(.metadata.name)"' 

Check which Pods run privileged

kubectl get pods -A -o json | jq -r '.items[] as $pod|$pod.spec.containers[]? as $c|select($c.securityContext.privileged == true)|"\($pod.metadata.namespace)\t\($pod.metadata.name)\t\($c.name)"'
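
The four securityContext checks above rolled into one per-container report, as an added example that is not part of the original page. It reads the same kubectl get pods -A -o json output and goes slightly further than the one-liners by covering init containers and container-level seccompProfile overrides; audit, SAMPLE, LEGACY and the issue labels are names chosen here.

```python
import json
import sys

LEGACY = "seccomp.security.alpha.kubernetes.io/pod"
SAMPLE = {"items": [  # constructed sample, shaped like `kubectl get pods -A -o json`
    {"metadata": {"namespace": "demo", "name": "web"}, "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "initContainers": [{"name": "init", "securityContext": {"privileged": True}}],
        "containers": [
            {"name": "app", "securityContext": {"allowPrivilegeEscalation": False,
                                                "readOnlyRootFilesystem": True}},
            {"name": "sidecar", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}},
    {"metadata": {"namespace": "demo", "name": "legacy",
                  "annotations": {LEGACY: "runtime/default"}},
     "spec": {"containers": [{"name": "job"}]}},
]}


def audit(pod_list):
    """Return (namespace, pod, container, [issues]) for every container."""
    rows = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            sc = c.get("securityContext") or {}
            # Container-level seccompProfile overrides pod-level; legacy annotation is the fallback.
            seccomp = ((sc.get("seccompProfile") or {}).get("type")
                       or (pod_sc.get("seccompProfile") or {}).get("type")
                       or (meta.get("annotations") or {}).get(LEGACY) or "not set")
            privileged = sc.get("privileged") is True
            issues = []
            if seccomp.lower() in ("not set", "unconfined"):
                issues.append("seccomp=" + seccomp)
            # Unset defaults to true, and a privileged container always allows it.
            if privileged or sc.get("allowPrivilegeEscalation") is not False:
                issues.append("allowPrivilegeEscalation")
            if sc.get("readOnlyRootFilesystem") is not True:
                issues.append("writableRootFS")
            if privileged:
                issues.append("privileged")
            rows.append((meta.get("namespace", ""), meta["name"], c["name"], issues))
    return rows


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, ctr, issues in audit(data):
        print(f"{ns}\t{pod}\t{ctr}\t{','.join(issues) or 'ok'}")
```

Saved under an assumed file name such as podsec_audit.py, it takes live cluster state with kubectl get pods -A -o json | python3 podsec_audit.py.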

Check if any network policies have been defined

kubectl get networkpolicies -A

Check if Encryption at Rest is enabled

# First gather API servers
kubectl get pods -A -l component=kube-apiserver

# For each returned Pod, check whether this prints anything; no output means the flag is not in the container's command
kubectl -n kube-system get pod <POD_NAME> -o json | jq -r '.spec.containers[0].command[]' | grep encryption-provider-config

YAML manifest to mount the filesystem of a random node

apiVersion: v1 
kind: Pod 
metadata: 
  name: pentest 
spec: 
  containers: 
    - name: pentest 
      image: ubuntu:latest 
      command: ["/bin/sh", "-c", "sleep 3600"] 
      volumeMounts: 
        - mountPath: /host-root 
          name: root-mount 
  volumes: 
    - name: root-mount 
      hostPath: 
        path: / 
        type: Directory 

Control plane node compromise YAML file
