coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
523c520256
hacktricks/pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md

207 lines
10 KiB
Markdown
Raw Normal View History

Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
fix mess 2
2022-05-01 12:49:36 +00:00
# Role-Based Access Control (RBAC)
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
Kubernetes has an **authorization module named Role-Based Access Control** ([**RBAC**](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)) that helps to set utilization permissions to the API server.
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
RBACs permission model is built from **three individual parts**:
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
1. **Role\ClusterRole ­** The actual permission. It contains _**rules**_ that represent a set of permissions. Each rule contains [resources](https://kubernetes.io/docs/reference/kubectl/overview/#resource-types) and [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb). The verb is the action that will apply on the resource.
2. **Subject (User, Group or ServiceAccount) ** The object that will receive the permissions.
3. **RoleBinding\ClusterRoleBinding ** The connection between Role\ClusterRole and the subject.
![](https://www.cyberark.com/wp-content/uploads/2018/12/rolebiding\_serviceaccount\_and\_role-1024x551.png)
The difference between “**Roles**” and “**ClusterRoles**” is just where the role will be applied a “**Role**” will grant access to only **one** **specific** **namespace**, while a “**ClusterRole**” can be used in **all namespaces** in the cluster. Moreover, **ClusterRoles** can also grant access to:
* **cluster-scoped** resources (like nodes).
* **non-resource** endpoints (like /healthz).
* namespaced resources (like Pods), **across all namespaces**.
remove ****
2022-01-31 14:51:03 +00:00
From **Kubernetes** 1.6 onwards, **RBAC** policies are **enabled by default**. But to enable RBAC you can use something like:
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
```
kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
```
fix mess 2
2022-05-01 12:49:36 +00:00
# Templates
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
In the template of a **Role** or a **ClusterRole** you will need to indicate the **name of the role**, the **namespace** (in roles) and then the **apiGroups**, **resources** and **verbs** of the role:
GitBook: [#2931] No subject
2022-01-06 01:16:41 +00:00
* The **apiGroups** is an array that contains the different **API namespaces** that this rule applies to. For example, a Pod definition uses apiVersion: v1. _It can has values such as rbac.authorization.k8s.io or \[\*]_.
* The **resources** is an array that defines **which resources this rule applies to**. You can find all the resources with: `kubectl api-resources --namespaced=true`
* The **verbs** is an array that contains the **allowed verbs**. The verb in Kubernetes defines the **type of action** you need to apply to the resource. For example, the list verb is used against collections while "get" is used against a single resource.
fix mess 2
2022-05-01 12:49:36 +00:00
## Rules Verbs
GitBook: [#2931] No subject
2022-01-06 01:16:41 +00:00
(_This info was taken from_ [_**here**_](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb))
| HTTP verb | request verb |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| POST | create |
| GET, HEAD | get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources) |
| PUT | update |
| PATCH | patch |
| DELETE | delete (for individual resources), deletecollection (for collections) |
Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example:
* [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
* `use` verb on `podsecuritypolicies` resources in the `policy` API group.
* [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping)
* `bind` and `escalate` verbs on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group.
* [Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
* `impersonate` verb on `users`, `groups`, and `serviceaccounts` in the core API group, and the `userextras` in the `authentication.k8s.io` API group.
GitBook: [#2935] No subject
2022-01-10 00:02:55 +00:00
{% hint style="warning" %}
You can find **all the verbs that each resource support** executing `kubectl api-resources --sort-by name -o wide`
{% endhint %}
fix mess 2
2022-05-01 12:49:36 +00:00
## Examples
GitBook: [#2931] No subject
2022-01-06 01:16:41 +00:00
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% code title="Role" %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: defaultGreen
name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list", "watch"]
```
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% endcode %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% code title="ClusterRole" %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
```
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% endcode %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
For example you can use a **ClusterRole** to allow a particular user to run:
```
kubectl get pods --all-namespaces
```
fix mess 2
2022-05-01 12:49:36 +00:00
## **RoleBinding and ClusterRoleBinding**
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
A **role binding** **grants the permissions defined in a role to a user or set of users**. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A **RoleBinding** grants permissions within a specific **namespace** whereas a **ClusterRoleBinding** grants that access **cluster-wide**.
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% code title="" %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
```yaml
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
piVersion: rbac.authorization.k8s.io/v1
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
name: jane # "name" is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" specifies the binding to a Role / ClusterRole
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
```
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% endcode %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% code title="ClusterRoleBinding" %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
name: read-secrets-global
subjects:
- kind: Group
name: manager # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: secret-reader
apiGroup: rbac.authorization.k8s.io
```
GitBook: [#2936] No subject
2022-01-10 00:55:30 +00:00
{% endcode %}
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
**Permissions are additive** so if you have a clusterRole with “list” and “delete” secrets you can add it with a Role with “get”. So be aware and test always your roles and permissions and **specify what is ALLOWED, because everything is DENIED by default.**
fix mess 2
2022-05-01 12:49:36 +00:00
# **Enumerating RBAC**
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
```bash
# Get current privileges
kubectl auth can-i --list
fix mess 2
2022-05-01 12:49:36 +00:00
# use `--as=system:serviceaccount:<namespace>:<sa_name>` to impersonate a service account
GitBook: [#2907] No subject
2021-12-22 15:22:43 +00:00
# List Cluster Roles
kubectl get clusterroles
kubectl describe clusterroles
# List Cluster Roles Bindings
kubectl get clusterrolebindings
kubectl describe clusterrolebindings
# List Roles
kubectl get roles
kubectl describe roles
# List Roles Bindings
kubectl get rolebindings
kubectl describe rolebindings
```
GitBook: [#2937] No subject
2022-01-10 00:57:48 +00:00
fix mess 2
2022-05-01 12:49:36 +00:00
## Abuse Role/ClusterRoles for Privilege Escalation
GitBook: [#2937] No subject
2022-01-10 00:57:48 +00:00
GitBook: [#3012] No subject
2022-02-16 09:28:48 +00:00
{% content-ref url="../../cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/" %}
[abusing-roles-clusterroles-in-kubernetes](../../cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/)
GitBook: [#2937] No subject
2022-01-10 00:57:48 +00:00
{% endcontent-ref %}
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
Reference in New Issue Copy Permalink