Task weight: 8%
Use context: kubectl config use-context restricted@infra-prod
You're asked to investigate a possible permission escape in Namespace restricted. The context authenticates as user restricted which has only limited permissions and shouldn't be able to read Secret values.
Try to find the values of the password key of the Secrets secret1, secret2 and secret3 in Namespace restricted. Write the decoded plaintext values into the files /opt/course/12/secret1, /opt/course/12/secret2 and /opt/course/12/secret3.
Solution:
List all resources in the Namespace:
k -n restricted get all
Inspecting pod1 shows a Secret mounted as a volume:
k -n restricted describe pod pod1-5cbc4bfd57-sl42h
k -n restricted exec pod1-5cbc4bfd57-sl42h -- ls /etc/secret-volume/
k -n restricted exec pod1-5cbc4bfd57-sl42h -- cat /etc/secret-volume/password
k -n restricted exec pod1-5cbc4bfd57-sl42h -- cat /etc/secret-volume/password > /opt/course/12/secret1
Find pod2's Secret (it is injected as an environment variable):
k -n restricted describe pod pod2-7d85f59c98-zqtbl
k -n restricted exec pod2-7d85f59c98-zqtbl -- env
echo an-amazing > /opt/course/12/secret2
Find pod3's Secret:
k -n restricted describe pod pod3-5c577bbf8d-hghrs
Exec into the container and check for a mounted ServiceAccount token:
k -n restricted exec -it pod3-5c577bbf8d-hghrs -- sh
ls /var/run/secrets/kubernetes.io/serviceaccount
Use the ServiceAccount token to read the Secrets from the API server:
curl https://kubernetes.default/api/v1/namespaces/restricted/secrets -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" -k
echo cEVuRXRSYVRpT24tdEVzVGVSCg== | base64 -d > /opt/course/12/secret3
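As an added defensive check, not part of the original write-up: a small Python audit that flags, in `kubectl get pods -o json` output, the three exposure paths this task walks through (Secret volume, Secret in env, automounted ServiceAccount token). The Pod manifests below are constructed to mirror pod1, pod2 and pod3 and are not taken from the cluster; pod4 is a hypothetical hardened Pod.

```python
"""Audit Pod specs for the three Secret-exposure paths shown in this task."""
import json

# Constructed sample in `kubectl get pods -o json` shape (not real cluster output).
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"name": "pod1"},
  "spec": {"volumes": [{"name": "sv", "secret": {"secretName": "secret1"}}],
           "containers": [{"name": "c", "volumeMounts":
             [{"name": "sv", "mountPath": "/etc/secret-volume"}]}]}},
 {"metadata": {"name": "pod2"},
  "spec": {"containers": [{"name": "c", "env": [{"name": "PASSWORD",
           "valueFrom": {"secretKeyRef": {"name": "secret2", "key": "password"}}}]}]}},
 {"metadata": {"name": "pod3"},
  "spec": {"serviceAccountName": "accessor", "containers": [{"name": "c"}]}},
 {"metadata": {"name": "pod4"},
  "spec": {"automountServiceAccountToken": false, "containers": [{"name": "c"}]}}
]}""")


def secret_exposures(pod):
    """Return (kind, detail) findings for one Pod object."""
    spec = pod.get("spec", {})
    findings = []
    # 1. Secret volumes: readable with `kubectl exec ... cat <mountPath>/<key>`
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols:
                findings.append(("volume", f"{secret_vols[m['name']]} at {m['mountPath']}"))
        # 2. Secrets injected as env vars: readable with `kubectl exec ... env`
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(("env", f"{ref['name']}/{ref['key']} as ${e['name']}"))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                findings.append(("env", f"all keys of {ef['secretRef']['name']}"))
    # 3. SA token automounted (the default): whoever can exec can call the API as
    #    that ServiceAccount. Fix: automountServiceAccountToken: false, and verify
    #    RBAC with `kubectl auth can-i list secrets --as=system:serviceaccount:<ns>:<sa>`.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("sa-token", spec.get("serviceAccountName", "default")))
    return findings


def audit(pod_list):
    """Map Pod name -> findings, omitting Pods with nothing to report."""
    return {p["metadata"]["name"]: secret_exposures(p)
            for p in pod_list["items"] if secret_exposures(p)}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_PODS).items():
        print(name, found)
```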