aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

kube-public information disclosure hunter #449

Open raesene opened 3 years ago

raesene commented 3 years ago

What would you like to be added

In default kubeadm clusters (and probably others) there is a default namespace created called kube-public which is intended for public information. There is a configmap in that namespace called cluster-info which contains the TLS certificate of the API server.

Sample curl request to retrieve it

curl -k https://[IP]:6443/api/v1/namespaces/kube-public/configmaps/cluster-info

A handy fingerprinting hunter (e.g. when scanning a network) would be to get this URL and extract the CN and Issuer fields

Why is this needed

Could make a useful addition for fingerprinting clusters.
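As an added example (not kube-hunter's code and not from the issue author), the script below takes a `cluster-info` ConfigMap body shaped like the curl response above, pulls the base64 `certificate-authority-data` out of the kubeconfig embedded in it, and reads the Issuer and Subject names from the DER with a small hand-written parser, so a cluster operator can see exactly which fingerprint the anonymous endpoint gives away. The ConfigMap body, the DER helpers and the minimal "certificate" are all constructed here so the example runs offline: `fingerprint_cluster_info`, `cert_issuer_subject` and the other function names are hypothetical, and the sample DER is not a valid X.509 certificate (no key, no signature); it only carries the fields the parser walks.

```python
"""Read Issuer/Subject from the CA cert in a kube-public cluster-info ConfigMap.

Added example; constructed data throughout, not kube-hunter code.
"""
import base64
import json
import re


# --- minimal DER encode/decode, enough for SEQUENCE/SET/OID/strings ---
def der_encode(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Split the body of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_decode(body, pos)
        out.append((tag, value))
    return out


OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")    # id-at-organizationName (2.5.4.10)
OID_NAMES = {OID_CN: "CN", OID_O: "O"}


def rdn(oid: bytes, value: str) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, UTF8String } }."""
    attr = der_encode(0x06, oid) + der_encode(0x0C, value.encode())
    return der_encode(0x31, der_encode(0x30, attr))


def name_to_str(name_body: bytes) -> str:
    """Render an X.501 Name body as 'CN=..., O=...'."""
    parts = []
    for _, set_body in der_children(name_body):
        for _, seq_body in der_children(set_body):
            (_, oid), (_, val) = der_children(seq_body)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ", ".join(parts)


def cert_issuer_subject(der_cert: bytes):
    """Walk Certificate -> tbsCertificate and return (issuer, subject).

    With the [0] EXPLICIT version present (v3 certs) issuer is field 3 and
    subject field 5; a v1 cert without the version field shifts both by one.
    """
    _, cert_body, _ = der_decode(der_cert)
    _, tbs_body, _ = der_decode(cert_body)
    fields = der_children(tbs_body)
    base = 3 if fields[0][0] == 0xA0 else 2
    return name_to_str(fields[base][1]), name_to_str(fields[base + 2][1])


def build_sample_cert() -> bytes:
    """Constructed, minimal DER blob with only the fields this parser walks."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))          # v3
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))
    issuer = der_encode(0x30, rdn(OID_CN, "kubernetes"))            # kubeadm-style CA name
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"340101000000Z"))
    subject = der_encode(0x30, rdn(OID_CN, "kubernetes") + rdn(OID_O, "example-cluster"))
    spki = der_encode(0x30, b"")                                     # empty placeholder
    tbs = der_encode(0x30, version + serial + sig_alg + issuer + validity + subject + spki)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00"))


def ca_from_cluster_info(configmap_json: str) -> bytes:
    """Pull certificate-authority-data out of data.kubeconfig and base64-decode it."""
    kubeconfig = json.loads(configmap_json)["data"]["kubeconfig"]
    m = re.search(r"certificate-authority-data:\s*(\S+)", kubeconfig)
    if not m:
        raise ValueError("no certificate-authority-data in kubeconfig")
    return base64.b64decode(m.group(1))


def fingerprint_cluster_info(configmap_json: str) -> dict:
    """The fields a fingerprinting hunter would report for this ConfigMap."""
    issuer, subject = cert_issuer_subject(ca_from_cluster_info(configmap_json))
    return {"issuer": issuer, "subject": subject}


# Constructed response shaped like the real /api/v1/namespaces/kube-public/configmaps/cluster-info object.
SAMPLE_CONFIGMAP = json.dumps({
    "kind": "ConfigMap", "apiVersion": "v1",
    "metadata": {"name": "cluster-info", "namespace": "kube-public"},
    "data": {"kubeconfig": (
        "apiVersion: v1\nclusters:\n- cluster:\n"
        "    certificate-authority-data: " + base64.b64encode(build_sample_cert()).decode() + "\n"
        "    server: https://10.0.0.1:6443\n  name: \"\"\n")},
})

if __name__ == "__main__":
    print(fingerprint_cluster_info(SAMPLE_CONFIGMAP))
```

On a real response the DER parser should be replaced by `cryptography.x509.load_der_x509_certificate`, which handles every name encoding; the hand-rolled one exists only to keep the example dependency-free. On the mitigation side: kubeadm deliberately exposes this ConfigMap to the `system:unauthenticated` group through a RoleBinding in `kube-public` so that joining nodes can discover the CA, so the read is by design and only reachable when the API server accepts anonymous requests; what an operator can control is whether anonymous access is enabled on the API server at all and whether port 6443 is reachable from untrusted networks.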

danielsagi commented 3 years ago

Looks really cool. Are there other publicly accessible resources from there we could scan? Do you want to take the development of this on you?

raesene commented 3 years ago

It'll depend on the exact Kubernetes distribution in use. For a modern version of kubeadm, these paths are likely to be visible:

  - /healthz
  - /livez
  - /readyz
  - /version
  - /version/

As to development, Python is not a language I'm super familiar with, so if someone else has time to take it on, that'll be cool. I can have a look but it's unlikely to be soon :)