Open micahhausler opened 3 months ago
Thanks a lot for the great suggestions! Do you have any thoughts on exploitation/usage in the wild (whether by attackers or pentesters) that would be helpful for prioritization?
I don't have any data on usage, but in terms of accessibility to an attacker, changing an aud on a TokenRequest by a kubelet is the greatest current risk, as the kubelet can legitimately specify whatever aud it wants.
There are other publicly known attack methods in Kubernetes; it would be great to see them documented and automated.
Cred Access:
- POST /api/v1/namespaces/$NS/serviceaccounts/$SA/token with a cloud-provider scoped audience. This can be done if the kubelet's API credential is accessed for pods assigned to it.

Persistence:
- successfulJobsHistoryLimit and failedJobsHistoryLimit of 0 to delete the pod after running so it doesn't show up as an exited pod after completion.
- imagePullPolicy: IfNotPresent, pull a malicious image to a host and re-tag it as the victim image name/tag.

Defense Evasion:
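The first item above, a TokenRequest for a cloud-provider audience made with a kubelet's credential, is visible in the API server audit log when the policy records request bodies. The following is an added example, not code from this thread or from Kubernetes, that scans audit events (RequestResponse level, so requestObject is present) for token requests whose audience points outside the cluster and notes whether a node identity made them; the allowlist, usernames, namespaces and audience strings are constructed assumptions to tune per environment.

```python
import json

# Constructed sample of Kubernetes audit events (audit.k8s.io/v1 layout, one
# JSON object per line). Usernames, namespaces and audiences are made up.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "verb": "create",
     "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "default", "name": "app-sa"},
     "requestObject": {"spec": {"audiences": ["https://kubernetes.default.svc"]}}},
    {"kind": "Event", "verb": "create",
     "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
     "objectRef": {"resource": "serviceaccounts", "subresource": "token",
                   "namespace": "payments", "name": "billing-sa"},
     "requestObject": {"spec": {"audiences": ["sts.amazonaws.com"]}}},
    {"kind": "Event", "verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web"}},
])

# Audiences that only the cluster's own API server accepts. Anything else is
# reported for review. Hypothetical allowlist; adjust to your cluster.
IN_CLUSTER_AUDIENCES = {"https://kubernetes.default.svc", "kubernetes.default.svc"}


def find_external_token_requests(audit_log: str) -> list:
    """Return one finding per TokenRequest whose audience is not in-cluster."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        # Only the token subresource of serviceaccounts is a TokenRequest.
        if not (ev.get("verb") == "create" and ref.get("resource") == "serviceaccounts"
                and ref.get("subresource") == "token"):
            continue
        audiences = ev.get("requestObject", {}).get("spec", {}).get("audiences") or []
        external = [a for a in audiences if a not in IN_CLUSTER_AUDIENCES]
        if external:
            user = ev.get("user", {}).get("username", "")
            findings.append({
                "requester": user,
                # A node identity requesting an external audience is the case
                # discussed above: the kubelet may set any aud it likes.
                "from_node": user.startswith("system:node:"),
                "service_account": f"{ref.get('namespace')}/{ref.get('name')}",
                "audiences": external,
            })
    return findings
```

Correlating each finding against the audiences declared by the pods actually scheduled on that node separates legitimate projected-volume requests from misuse of a stolen kubelet credential.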