Contents

What is RBAC

RBAC in Kubernetes

Roles

Role bindings

Subjects

Roles (Role and ClusterRole)

Built-in cluster permissions

cluster-admin, admin, edit and view permissions

Users beginning with system

serviceaccount

Demonstration

Auditing

armosec

armosec who-can list

Disabling automatic mounting

Audit rules

References


All interaction with a Kubernetes cluster goes through the apiserver. For such a centrally managed system, permission management is especially important; version 1.5 introduced the RBAC (Role Based Access Control) authorization mechanism.

To enable RBAC, add the parameter --authorization-mode=RBAC to the apiserver. Clusters installed with kubeadm have RBAC enabled by default from version 1.6 onward.

So nearly every cluster encountered today authorizes requests with RBAC, and permissions are one of the main focus areas when attacking a cluster: privilege escalation, bypass, and credential theft.

This article mainly covers RBAC authorization in Kubernetes. For more on the other authentication and authorization schemes in Kubernetes, see Kubernetes 认证 _ Kubernetes(K8S)中文文档_Kubernetes中文社区.

What is RBAC

Put simply, it is as shown below: which permissions are assigned to whom, something everyone has seen in back-office admin systems.

RBAC in Kubernetes

In short, RBAC works as shown below. kubectl accesses the cluster as a normal user; inside Kubernetes, that is inside a pod (container), access uses a serviceaccount, while on the host node a normal user is used. These are our subjects, corresponding to Zhang San and Li Si in the diagram above.

So how is this done in Kubernetes? As follows: define a role, attach the corresponding permissions to it, then bind the role to a subject through a role binding, which completes the permission assignment. Kubernetes does this with the following three kinds of objects.

Roles

Role: grants permissions within a specific namespace
ClusterRole: grants permissions across all namespaces


Role bindings

The bound object can be a group, a user or a serviceaccount, i.e. a permission can be granted to any of those three kinds of subject; see Using RBAC Authorization | Kubernetes for details.

RoleBinding: binds a role to a subject
ClusterRoleBinding: binds a cluster role to a subject


Subjects

User: a user
Group: a user group
ServiceAccount: a service account


Roles (Role and ClusterRole)

Roles come in two kinds: a Role applies only to a single namespace, while a ClusterRole can apply cluster-wide.

The following yaml configures a Role that has permission to view pods.

cat >Role-001.yaml<<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-role
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
EOF
$ kubectl apply -f Role-001.yaml
$ kubectl get role -n default
$ kubectl describe role pod-role -n default

The following yaml configures a ClusterRole.

cat >ClusterRole-001.yaml<<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
EOF
$ kubectl apply -f ClusterRole-001.yaml
$ kubectl get clusterrole pod-clusterrole
$ kubectl describe clusterrole pod-clusterrole

Where:

verbs can be set to:

"get", "list", "watch", "create", "update", "patch", "delete", "exec"

resources can be set to:

"services", "endpoints", "pods", "secrets", "configmaps", "crontabs", "deployments", "jobs", "nodes", "rolebindings", "clusterroles", "daemonsets", "replicasets", "statefulsets", "horizontalpodautoscalers", "replicationcontrollers", "cronjobs"

apiGroups can be set to:

"", "apps", "autoscaling", "batch"
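As an added example (not code from the original post), the following Python models how the apiserver matches a request's verb, apiGroup and resource against a Role's rules, including the "*" wildcard and the "*/subresource" form that appears in the who-can list later in this post. The pod-role rules reproduce the post's Role; POD_EXEC_RULES, CLUSTER_ADMIN_RULES and the function names are assumptions made for this example. It also shows why "exec" is not a verb the authorizer knows: kubectl exec creates the pods/exec subresource, so the verb that grants it is create.

```python
# Added example, not from the original post: a minimal model of RBAC rule
# matching. Rule lists other than pod-role are constructed for illustration.

# The pod-role Role from the post, as a list of PolicyRules.
POD_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
]

# Constructed: reading pods and logs, plus exec. "exec" is not a verb; exec is
# the subresource pods/exec and kubectl exec POSTs to it, i.e. verb "create".
POD_EXEC_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

# The resource rule of the built-in cluster-admin ClusterRole.
CLUSTER_ADMIN_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]


def _matches(allowed, value):
    """An entry matches when the rule lists the value or the wildcard '*'."""
    return "*" in allowed or value in allowed


def _resource_matches(rule_resources, resource):
    """Resources match exactly, by '*', or by '*/sub' for a subresource
    request such as deployments/scale."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return f"*/{sub}" in rule_resources
    return False


def rule_allows(rule, verb, api_group, resource):
    """True when one PolicyRule allows the request."""
    return (
        _matches(rule.get("verbs", []), verb)
        and _matches(rule.get("apiGroups", []), api_group)
        and _resource_matches(rule.get("resources", []), resource)
    )


def can_i(rules, verb, resource, api_group=""):
    """RBAC is purely additive (no deny rules), so one matching rule suffices."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def effective_verbs(rules, resource, api_group=""):
    """Verbs a rule set grants on a resource, in 'auth can-i --list' style."""
    verbs = ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
    return [v for v in verbs if can_i(rules, v, resource, api_group)]


if __name__ == "__main__":
    print(can_i(POD_ROLE_RULES, "list", "pods"))                 # True
    print(can_i(POD_ROLE_RULES, "create", "pods"))               # False
    print(can_i(POD_ROLE_RULES, "get", "pods/log"))              # False: a subresource is separate
    print(can_i(POD_EXEC_RULES, "create", "pods/exec"))          # True
    print(can_i(POD_ROLE_RULES, "list", "deployments", "apps"))  # False: wrong apiGroup
    print(effective_verbs(CLUSTER_ADMIN_RULES, "secrets"))
```

Two points worth checking against a real cluster with kubectl auth can-i: a rule on "pods" does not cover "pods/log" or "pods/exec", and a rule with the wrong apiGroup never matches even when the resource name is right.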

Built-in cluster permissions

cluster-admin, admin, edit and view permissions

kubectl get clusterrole
  • cluster-admin: super administrator with all permissions on the cluster, like root on Linux (when deploying the dashboard, one creates an sa, binds it to the cluster-admin role and then fetches its token; that uses the built-in cluster-admin)
  • admin: mainly used to grant all read/write permissions within a namespace (scoped to a particular namespace)
  • edit: allows read/write on most objects in a namespace, but not viewing or modifying roles and role bindings.
  • view: allows read-only access to most objects in a namespace, but not viewing roles, role bindings or Secrets


Users beginning with system

All users whose names begin with system are Kubernetes built-in users.

serviceaccount

A serviceaccount can be bound to a Role of its own, but then it only gets access within the current namespace, not cluster-wide.

$ cat >RoleBinding-ServiceAccount-001.yaml<<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: role001
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rb001
  namespace: default
subjects:
- kind: ServiceAccount
  name: lisi
  namespace: default
roleRef:
  kind: Role
  name: role001
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lisi
  namespace: default
EOF
$ kubectl apply -f RoleBinding-ServiceAccount-001.yaml

# Second manifest set (file name follows the naming above): a ClusterRole plus a
# ClusterRoleBinding, so the same serviceaccount can read secrets cluster-wide.
$ cat >ClusterRoleBinding-ServiceAccount-001.yaml<<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role001
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rb001 # a ClusterRoleBinding is cluster-scoped, so it has no namespace
subjects:
- kind: ServiceAccount
  name: lisi
  namespace: default
roleRef:
  kind: ClusterRole
  name: role001
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lisi
  namespace: default
EOF
$ kubectl apply -f ClusterRoleBinding-ServiceAccount-001.yaml

Alternatively, the ClusterRole approach above is another way to obtain access; if the serviceaccount is deployed in a specific namespace, use the following yaml.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role001
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rb001 # cluster-scoped: no namespace; the subject below carries its own namespace
subjects:
- kind: ServiceAccount
  name: lisi
  namespace: sectest
roleRef:
  kind: ClusterRole
  name: role001
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lisi
  namespace: sectest

Demonstration

Demonstrated with a permission that can create pods.

The following binds cluster-admin directly to the default serviceaccount, which is automatically mounted into pods.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default-admin-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Auditing

armosec

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
kubescape scan --server api.armosec.io --account XXXXXXXXX

┌──────────┬─────────────────────────────────────────────────┬──────────────────┬───────────────┬────────────────────┐
│ SEVERITY │                  CONTROL NAME                   │ FAILED RESOURCES │ ALL RESOURCES │ % COMPLIANCE-SCORE │
├──────────┼─────────────────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│ Critical │ Disable anonymous access to Kubelet service     │        0         │       0       │ Action Required ** │
│ Critical │ Enforce Kubelet client TLS authentication       │        0         │       0       │ Action Required ** │
│ High     │ Forbidden Container Registries                  │        0         │       7       │ Action Required *  │
│ High     │ Resources memory limit and request              │        1         │       7       │        86%         │
│ High     │ Resource limits                                 │        1         │       7       │        86%         │
│ High     │ Applications credentials in configuration files │        1         │      19       │        95%         │
│ High     │ HostNetwork access                              │        1         │       7       │        86%         │
│ High     │ Writable hostPath mount                         │        1         │       7       │        86%         │
│ High     │ Insecure capabilities                           │        1         │       7       │        86%         │
│ High     │ HostPath mount                                  │        1         │       7       │        86%         │
│ High     │ Resources CPU limit and request                 │        1         │       7       │        86%         │
│ Medium   │ Non-root containers                             │        1         │       7       │        86%         │
│ Medium   │ Allow privilege escalation                      │        1         │       7       │        86%         │
│ Medium   │ Ingress and Egress blocked                      │        1         │       7       │        86%         │
│ Medium   │ Automatic mapping of service account            │        2         │      47       │        96%         │
│ Medium   │ Access container service account                │        1         │      43       │        98%         │
│ Medium   │ Cluster internal networking                     │        1         │       5       │        80%         │
│ Medium   │ Linux hardening                                 │        1         │       7       │        86%         │
│ Medium   │ Configured liveness probe                       │        1         │       7       │        86%         │
│ Medium   │ Secret/ETCD encryption enabled                  │        1         │       1       │         0%         │
│ Medium   │ Audit logs enabled                              │        1         │       1       │         0%         │
│ Medium   │ Images from allowed registry                    │        0         │       7       │ Action Required *  │
│ Medium   │ CVE-2022-0492-cgroups-container-escape          │        1         │       7       │        86%         │
│ Medium   │ Anonymous access enabled                        │        3         │      62       │        95%         │
│ Low      │ Immutable container filesystem                  │        1         │       7       │        86%         │
│ Low      │ Configured readiness probe                      │        1         │       7       │        86%         │
│ Low      │ Network mapping                                 │        1         │       5       │        80%         │
│ Low      │ PSP enabled                                     │        1         │       1       │         0%         │
│ Low      │ K8s common labels usage                         │        1         │       7       │        86%         │
├──────────┼─────────────────────────────────────────────────┼──────────────────┼───────────────┼────────────────────┤
│          │                RESOURCE SUMMARY                 │        9         │      196      │       84.11%       │
└──────────┴─────────────────────────────────────────────────┴──────────────────┴───────────────┴────────────────────┘

armosec who-can list

persistentvolumes
persistentvolumeclaims/status
persistentvolumeclaims
storageclasses
endpoints
services
secrets
events
replicationcontrollers
replicationcontrollers/status
replicationcontrollers/finalizers
pods
configmaps
deployments
replicasets
poddisruptionbudgets
statefulsets
poddisruptionbudgets/status
*/scale
signers
replicasets/status
replicasets/finalizers
daemonsets
daemonsets/status
daemonsets/finalizers
nodes
pods/binding
controllerrevisions
clusterroles
nodes/status
volumeattachments
csidrivers
csinodes
services/status
horizontalpodautoscalers
horizontalpodautoscalers/status
services/proxy
*
jobs
pods/finalizers
namespaces
tokenreviews
localsubjectaccessreviews
subjectaccessreviews
pods/status
pods/eviction
certificatesigningrequests
leases
serviceaccounts/token
runtimeclasses
endpoints/restricted
persistentvolumes/status
clustercidrs
pods/attach
pods/exec
pods/portforward
pods/proxy
serviceaccounts
replicationcontrollers/scale
deployments/rollback
deployments/scale
replicasets/scale
statefulsets/scale
cronjobs
ingresses
networkpolicies
bindings
limitranges
namespaces/status
pods/log
resourcequotas
resourcequotas/status
endpointslices
deployments/status
statefulsets/status
cronjobs/status
jobs/status
ingresses/status
rolebindings
roles
certificatesigningrequests/nodeclient
jobs/finalizers
selfsubjectaccessreviews
selfsubjectrulesreviews
certificatesigningrequests/approval
certificatesigningrequests/status
csistoragecapacities
services/finalizers
certificatesigningrequests/selfnodeclient
cronjobs/finalizers
deployments/finalizers
nodes/log
nodes/metrics
nodes/proxy
nodes/spec
nodes/stats
statefulsets/finalizers
namespaces/finalize
endpoints/finalizers

Disabling automatic mounting

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: false

It can also be set in the pod definition:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
  ...
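Added example (not code from the original post): a check that applies the precedence between the pod-level and ServiceAccount-level automountServiceAccountToken settings, which is what decides whether the two manifests above actually stop a token from being mounted. The manifests are constructed; only the default ServiceAccount and the build-robot pod mirror the post's yaml, and the function names are assumptions.

```python
# Added example, not from the original post: decides for each Pod manifest
# whether a service account token will be mounted, using the documented
# precedence (pod.spec field, then the ServiceAccount's field, then true).
# All manifests are constructed for illustration.

SERVICE_ACCOUNTS = {
    # (namespace, name) -> ServiceAccount manifest
    ("default", "default"): {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": "default", "namespace": "default"},
        "automountServiceAccountToken": False,   # as in the post's yaml
    },
    ("default", "build-robot"): {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": "build-robot", "namespace": "default"},
        # no automountServiceAccountToken field: the default is true
    },
}

PODS = [
    # The post's pod: opts out at pod level.
    {"kind": "Pod", "metadata": {"name": "my-pod", "namespace": "default"},
     "spec": {"serviceAccountName": "build-robot", "automountServiceAccountToken": False}},
    # Constructed: uses the default SA (which opted out) and says nothing itself.
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": []}},
    # Constructed: uses build-robot, which never opted out.
    {"kind": "Pod", "metadata": {"name": "ci-runner", "namespace": "default"},
     "spec": {"serviceAccountName": "build-robot"}},
    # Constructed: opts back in at pod level; the pod field wins over the SA's false.
    {"kind": "Pod", "metadata": {"name": "opt-in", "namespace": "default"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True}},
]


def token_automounted(pod, service_accounts):
    """True when the kubelet will mount a token into the pod.
    Precedence: pod.spec.automountServiceAccountToken, then the referenced
    ServiceAccount's automountServiceAccountToken, then the default of true."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    namespace = pod["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((namespace, sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))


def pods_with_token(pods, service_accounts):
    """Names of the pods that still receive a token: the list a reviewer wants to shorten."""
    return [p["metadata"]["name"] for p in pods if token_automounted(p, service_accounts)]


if __name__ == "__main__":
    print(pods_with_token(PODS, SERVICE_ACCOUNTS))   # ['ci-runner', 'opt-in']
```

The opt-in pod shows the caveat: a pod spec that sets the field to true overrides false on the ServiceAccount, so switching it off on the ServiceAccount alone does not prevent a workload from opting back in; that needs an admission-time policy in addition.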

Audit rules

https://github.com/PaloAltoNetworks/rbac-police/tree/main/lib

https://github.com/appvia/krane/blob/master/config/rules.yaml

https://github.com/alcideio/rbac-tool/blob/master/pkg/analysis/default-rules.yaml
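As an added example, not from the original post and not the rule sets of rbac-police, krane or rbac-tool, here is a small audit in the same spirit as those rule files: it resolves each RoleBinding and ClusterRoleBinding to the rules of its roleRef and reports subjects that are granted cluster-admin, secret reads, pods/exec, pod creation or the escalate/bind/impersonate verbs. The objects copy the post's manifests where they are named (default-admin-cluster, role001, rb001, pod-role, the lisi serviceaccount); the RoleBinding for the user zhangsan, the RISKY_CHECKS list and the function names are assumptions.

```python
# Added example, not from the original post or the linked rule files: a static
# audit over RBAC objects. Built-in cluster-admin is reproduced here so the
# audit runs offline; the other objects are the post's manifests or constructed.

RBAC_GROUP = "rbac.authorization.k8s.io"

# (finding label, verb, resource, apiGroup) to look for in the resolved rules.
RISKY_CHECKS = [
    ("read secrets", "list", "secrets", ""),
    ("exec into pods", "create", "pods/exec", ""),
    ("create pods", "create", "pods", ""),
    ("escalate clusterroles", "escalate", "clusterroles", RBAC_GROUP),
    ("bind clusterroles", "bind", "clusterroles", RBAC_GROUP),
    ("impersonate users", "impersonate", "users", ""),
]

SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # The post's demonstration binding: default SA -> cluster-admin.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "default-admin-cluster"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    # The post's role001/rb001: SA lisi in sectest may read secrets cluster-wide.
    {"kind": "ClusterRole", "metadata": {"name": "role001"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "rb001"},
     "roleRef": {"kind": "ClusterRole", "name": "role001", "apiGroup": RBAC_GROUP},
     "subjects": [{"kind": "ServiceAccount", "name": "lisi", "namespace": "sectest"}]},
    # The post's pod-role, bound by a constructed RoleBinding to a constructed user.
    {"kind": "Role", "metadata": {"name": "pod-role", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-role-binding", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "pod-role", "apiGroup": RBAC_GROUP},
     "subjects": [{"kind": "User", "name": "zhangsan"}]},
]


def _rule_grants(rule, verb, resource, api_group):
    """Exact or '*' match on verb, apiGroup and resource; '*/sub' covers subresources."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    resources = rule.get("resources", [])
    sub = resource.split("/", 1)[1] if "/" in resource else None
    resource_ok = hit(resources, resource) or (sub is not None and f"*/{sub}" in resources)
    return hit(rule.get("verbs", []), verb) and hit(rule.get("apiGroups", []), api_group) and resource_ok


def _index_roles(objects):
    """Map (kind, namespace, name) -> rules; ClusterRoles are keyed with namespace ''."""
    index = {}
    for obj in objects:
        if obj["kind"] == "ClusterRole":
            index[("ClusterRole", "", obj["metadata"]["name"])] = obj.get("rules", [])
        elif obj["kind"] == "Role":
            index[("Role", obj["metadata"]["namespace"], obj["metadata"]["name"])] = obj.get("rules", [])
    return index


def _resolve_rules(binding, index):
    """A roleRef names a ClusterRole, or a Role in the binding's own namespace."""
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return index.get(("ClusterRole", "", ref["name"]), [])
    return index.get(("Role", binding["metadata"]["namespace"], ref["name"]), [])


def _subject_id(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount/{subject['namespace']}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def audit(objects):
    """Return (subject, finding, scope) tuples for every risky grant found."""
    index = _index_roles(objects)
    findings = []
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A ClusterRoleBinding grants the rules cluster-wide; a RoleBinding confines
        # even a ClusterRole's rules to the binding's namespace.
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else "namespace " + obj["metadata"]["namespace"]
        ref = obj["roleRef"]
        rules = _resolve_rules(obj, index)
        for subject in obj.get("subjects", []):
            who = _subject_id(subject)
            if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
                findings.append((who, "cluster-admin", scope))
                continue  # every other check is implied
            for label, verb, resource, group in RISKY_CHECKS:
                if any(_rule_grants(r, verb, resource, group) for r in rules):
                    findings.append((who, label, scope))
    return findings


if __name__ == "__main__":
    for who, finding, scope in audit(SAMPLE_OBJECTS):
        print(f"{who}: {finding} ({scope})")
```

On a live cluster the same walk can be fed from kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json; the two findings on the sample data are the default serviceaccount holding cluster-admin and lisi reading secrets cluster-wide, while the pod-role binding produces nothing.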

Attack and lateral movement techniques

Via get secret -> the clusterrole-aggregation-controller token, maximum privileges are obtained.

Command to enumerate serviceaccounts

for mydir in $(find /var/lib/kubelet/pods -name namespace -exec dirname {} \;); do
  echo "Checking $mydir"
  export cert=$mydir/ca.crt
  export token=$mydir/token
  export namespace=$mydir/namespace
  export apiserver=$(netstat -n | grep 6443 | awk '{ print $5 }' | uniq)
  echo "$cert $namespace $token $apiserver"
  kubectl --certificate-authority=$cert --token=$(cat $token) --namespace=$(cat $namespace) --server=https://$apiserver auth can-i --list
done

References

k8s之service account_serviceaccount_分享放大价值的博客-CSDN博客

九析帶你用 curl 輕鬆完爆 k8s apiserver - JavaShuo

kubernetes 开发必须要知道的知识点—— API Group_k8s apigroups_random_w的博客-CSDN博客

云原生之 Kubernetes 安全 (seebug.org)

Configure Service Accounts for Pods | Kubernetes

Kubernetes 权限管理 下 实战 - 知乎

GitHub - alcideio/rbac-tool: Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

GitHub - cyberark/KubiScan: A tool to scan Kubernetes cluster for risky permissions

GitHub - appvia/krane: Kubernetes RBAC static analysis & visualisation tool

GitHub - aquasecurity/kubectl-who-can: Show who has RBAC permissions to perform actions on different resources in Kubernetes

总结:kubectl之kubeconfig配置_kubectl指定config_小魏的博客的博客-CSDN博客

GitHub - PaloAltoNetworks/rbac-police: Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego

Kubernetes RBAC 内置集群角色ClusterRole_51CTO博客_kubernetes rbac

https://github.com/controlplaneio/badrobot

Using RBAC Authorization | Kubernetes

Kubernetes Azure detect RBAC authorization by account - Splunk Security Content

https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms

Escalating Away - https://www.youtube.com/watch?v=HmoVSmTIOxM&t=702s

Simplify Kubernetes Resource Access Control using RBAC Impersonation
