mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-07-03 19:35:13 -07:00
Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az
+46
-58
@@ -1,95 +1,87 @@
# Kubernetes ValidatingWebhookConfiguration
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
**Originalni autor ove stranice je** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
## Definition
## Definicija
ValidatingWebhookConfiguration is a Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints.
ValidatingWebhookConfiguration je Kubernetes resurs koji definiše validirajući webhook, koji je komponenta na serverskoj strani koja validira dolazne Kubernetes API zahteve prema skupu unapred definisanih pravila i ograničenja.
## Purpose
## Svrha
The purpose of a ValidatingWebhookConfiguration is to define a validating webhook that will enforce a set of predefined rules and constraints on incoming Kubernetes API requests. The webhook will validate the requests against the rules and constraints defined in the configuration, and will return an error if the request does not conform to the rules.
Svrha ValidatingWebhookConfiguration je da definiše validirajući webhook koji će sprovoditi skup unapred definisanih pravila i ograničenja na dolazne Kubernetes API zahteve. Webhook će validirati zahteve prema pravilima i ograničenjima definisanim u konfiguraciji, i vratiće grešku ako zahtev ne odgovara pravilima.
**Example**
Here is an example of a ValidatingWebhookConfiguration:
**Primer**
Evo primera ValidatingWebhookConfiguration:
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: example-validation-webhook
namespace: default
name: example-validation-webhook
namespace: default
webhook:
name: example-validation-webhook
clientConfig:
url: https://example.com/webhook
serviceAccountName: example-service-account
rules:
- apiGroups:
- ""
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- pods
name: example-validation-webhook
clientConfig:
url: https://example.com/webhook
serviceAccountName: example-service-account
rules:
- apiGroups:
- ""
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- pods
```
The main difference between a ValidatingWebhookConfiguration and policies : 
Glavna razlika između ValidatingWebhookConfiguration i politika : 
<figure><img src="../../images/Kyverno.png" alt=""><figcaption><p>Kyverno.png</p></figcaption></figure>
- **ValidatingWebhookConfiguration (VWC)** : A Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints.
- **Kyverno ClusterPolicy**: A policy definition that specifies a set of rules and constraints for validating and enforcing Kubernetes resources, such as pods, deployments, and services
- **ValidatingWebhookConfiguration (VWC)** : Kubernetes resurs koji definiše validirajući webhook, što je komponenta na serverskoj strani koja validira dolazne Kubernetes API zahteve prema skupu unapred definisanih pravila i ograničenja.
- **Kyverno ClusterPolicy**: Definicija politike koja specificira skup pravila i ograničenja za validaciju i sprovođenje Kubernetes resursa, kao što su podovi, implementacije i servisi
## Enumeration
```
$ kubectl get ValidatingWebhookConfiguration
```
### Zloupotreba Kyverno i Gatekeeper VWC
### Abusing Kyverno and Gatekeeper VWC
Kao što možemo videti, svi instalirani operatori imaju barem jednu ValidatingWebHookConfiguration (VWC).
As we can see all operators installed have at least one ValidatingWebHookConfiguration(VWC).
**Kyverno** i **Gatekeeper** su oba Kubernetes policy engine-a koji pružaju okvir za definisanje i sprovođenje politika širom klastera.
**Kyverno** and **Gatekeeper** are both Kubernetes policy engines that provide a framework for defining and enforcing policies across a cluster.
Izuzeci se odnose na specifična pravila ili uslove koji omogućavaju da se politika zaobiđe ili izmeni pod određenim okolnostima, ali to nije jedini način!
Exceptions refer to specific rules or conditions that allow a policy to be bypassed or modified under certain circumstances but this is not the only way !
Za **kyverno**, kada postoji validirajuća politika, webhook `kyverno-resource-validating-webhook-cfg` se popunjava.
For **kyverno**, as you as there is a validating policy, the webhook `kyverno-resource-validating-webhook-cfg` is populated.
Za Gatekeeper, postoji `gatekeeper-validating-webhook-configuration` YAML datoteka.
For Gatekeeper, there is `gatekeeper-validating-webhook-configuration` YAML file.
Both come from with default values but the Administrator teams might updated those 2 files.
### Use Case
Oba dolaze sa podrazumevanim vrednostima, ali timovi administratora mogu ažurirati te 2 datoteke.
### Upotreba slučaja
```bash
$ kubectl get validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg -o yaml
```
Now, identify the following output :
Sada identifikujte sledeći izlaz:
```yaml
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- default
- TEST
- YOYO
- kube-system
- MYAPP
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- default
- TEST
- YOYO
- kube-system
- MYAPP
```
Here, `kubernetes.io/metadata.name` label refers to the namespace name. Namespaces with names in the `values` list will be excluded from the policy :
Check namespaces existence. Sometimes, due to automation or misconfiguration, some namespaces might have not been created. If you have permission to create namespace, you could create a namespace with a name in the `values` list and policies won't apply your new namespace.
Proverite postojanje prostora imena. Ponekad, zbog automatizacije ili pogrešne konfiguracije, neki prostori imena možda nisu kreirani. Ako imate dozvolu da kreirate prostor imena, možete kreirati prostor imena sa imenom iz `values` liste i politike se neće primenjivati na vaš novi prostor imena.
The goal of this attack is to exploit **misconfiguration** inside VWC in order to bypass operators restrictions and then elevate your privileges with other techniques
Cilj ovog napada je da iskoristi **pogrešnu konfiguraciju** unutar VWC kako bi zaobišao ograničenja operatera i zatim povećao svoje privilegije drugim tehnikama
{{#ref}}
abusing-roles-clusterroles-in-kubernetes/
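Review bot: the example manifest is carried into the translated version unchanged, and it is not a valid `admissionregistration.k8s.io/v1` ValidatingWebhookConfiguration, so the Serbian page inherits the same broken example: the top-level key must be `webhooks:` (a list of webhook entries), not `webhook:`; `clientConfig` accepts `url`, `service` and `caBundle` but has no `serviceAccountName` field; each entry in v1 also requires `admissionReviewVersions` and `sideEffects`; and `metadata.namespace` is meaningless because the resource is cluster-scoped. Suggest fixing the manifest in the source page rather than translating around it. On the translation itself, `### Upotreba slučaja` reads as "usage of a case"; the Serbian for "Use Case" is `### Slučaj upotrebe`. Finally, `## Enumeration`, the `$ kubectl get ValidatingWebhookConfiguration` snippet's lead-in and the sentence `Here, `kubernetes.io/metadata.name` label refers to the namespace name...` appear only in English in this hunk, so check whether they were skipped by the translation pass.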
@@ -100,7 +92,3 @@ abusing-roles-clusterroles-in-kubernetes/
- [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper)
- [https://kyverno.io/](https://kyverno.io/)
- [https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
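Review bot: this hunk shrinks the tail of the file from 7 lines to 3 (`@@ -100,7 +92,3 @@`) and only the three reference bullets survive; check what the four dropped lines were, since a references heading or the closing blank lines preceding these bullets would now be missing from the translated page, leaving the list without a section title. The bullets themselves are link-only and need no translation.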