gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-31 15:05:44 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:02:02 +00:00
parent 7770a50092
commit 2753c75e8b
244 changed files with 8471 additions and 11302 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md
View File

@@ -1,106 +1,94 @@
# Kubernetes ValidatingWebhookConfiguration
**The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
**Die oorspronklike skrywer van hierdie bladsy is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
## Definition
## Definisie
ValidatingWebhookConfiguration is a Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints.
ValidatingWebhookConfiguration is 'n Kubernetes hulpbron wat 'n validerende webhook definieer, wat 'n bediener-kant komponent is wat inkomende Kubernetes API versoeke teen 'n stel vooraf gedefinieerde reëls en beperkings valideer.
## Purpose
## Doel
The purpose of a ValidatingWebhookConfiguration is to define a validating webhook that will enforce a set of predefined rules and constraints on incoming Kubernetes API requests. The webhook will validate the requests against the rules and constraints defined in the configuration, and will return an error if the request does not conform to the rules.
Die doel van 'n ValidatingWebhookConfiguration is om 'n validerende webhook te definieer wat 'n stel vooraf gedefinieerde reëls en beperkings op inkomende Kubernetes API versoeke sal afdwing. Die webhook sal die versoeke teen die reëls en beperkings wat in die konfigurasie gedefinieer is, valideer, en sal 'n fout teruggee as die versoek nie aan die reëls voldoen nie.
**Example**
Here is an example of a ValidatingWebhookConfiguration:
**Voorbeeld**
Hier is 'n voorbeeld van 'n ValidatingWebhookConfiguration:
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: example-validation-webhook
namespace: default
name: example-validation-webhook
namespace: default
webhook:
name: example-validation-webhook
clientConfig:
url: https://example.com/webhook
serviceAccountName: example-service-account
rules:
- apiGroups:
- ""
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- pods
name: example-validation-webhook
clientConfig:
url: https://example.com/webhook
serviceAccountName: example-service-account
rules:
- apiGroups:
- ""
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
resources:
- pods
```
The main difference between a ValidatingWebhookConfiguration and policies : 
Die hoofverskil tussen 'n ValidatingWebhookConfiguration en beleide : 
<figure><img src="../../images/Kyverno.png" alt=""><figcaption><p>Kyverno.png</p></figcaption></figure>
- **ValidatingWebhookConfiguration (VWC)** : A Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints.
- **Kyverno ClusterPolicy**: A policy definition that specifies a set of rules and constraints for validating and enforcing Kubernetes resources, such as pods, deployments, and services
## Enumeration
- **ValidatingWebhookConfiguration (VWC)** : 'n Kubernetes-hulpbron wat 'n validerende webhook definieer, wat 'n bediener-kant komponent is wat inkomende Kubernetes API versoeke teen 'n stel vooraf gedefinieerde reëls en beperkings valideer.
- **Kyverno ClusterPolicy**: 'n Beleidsdefinisie wat 'n stel reëls en beperkings spesifiseer vir die validering en afdwinging van Kubernetes-hulpbronne, soos pods, ontplooiings en dienste
## Enumerasie
```
$ kubectl get ValidatingWebhookConfiguration
```
### Misbruik van Kyverno en Gatekeeper VWC
### Abusing Kyverno and Gatekeeper VWC
Soos ons kan sien, het alle geïnstalleerde operateurs ten minste een ValidatingWebHookConfiguration (VWC).
As we can see all operators installed have at least one ValidatingWebHookConfiguration(VWC).
**Kyverno** en **Gatekeeper** is albei Kubernetes-beleidmotors wat 'n raamwerk bied om beleid oor 'n kluster te definieer en af te dwing.
**Kyverno** and **Gatekeeper** are both Kubernetes policy engines that provide a framework for defining and enforcing policies across a cluster.
Uitsonderings verwys na spesifieke reëls of toestande wat 'n beleid toelaat om omseil of gewysig te word onder sekere omstandighede, maar dit is nie die enigste manier nie!
Exceptions refer to specific rules or conditions that allow a policy to be bypassed or modified under certain circumstances but this is not the only way !
Vir **kyverno**, soos daar 'n validerende beleid is, word die webhook `kyverno-resource-validating-webhook-cfg` bevolk.
For **kyverno**, as you as there is a validating policy, the webhook `kyverno-resource-validating-webhook-cfg` is populated.
Vir Gatekeeper is daar `gatekeeper-validating-webhook-configuration` YAML-lêer.
For Gatekeeper, there is `gatekeeper-validating-webhook-configuration` YAML file.
Both come from with default values but the Administrator teams might updated those 2 files.
### Use Case
Albei kom met standaardwaardes, maar die Administrateurspanne mag daardie 2 lêers opgedateer het.
### Gebruiksgeluk
```bash
$ kubectl get validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg -o yaml
```
Now, identify the following output :
Nou, identifiseer die volgende uitvoer :
```yaml
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- default
- TEST
- YOYO
- kube-system
- MYAPP
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- default
- TEST
- YOYO
- kube-system
- MYAPP
```
Hierdie, `kubernetes.io/metadata.name` etiket verwys na die naam van die namespace. Namens ruimtes met name in die `values` lys sal van die beleid uitgesluit word:
Here, `kubernetes.io/metadata.name` label refers to the namespace name. Namespaces with names in the `values` list will be excluded from the policy :
Kontroleer namespaces se bestaan. Soms, as gevolg van outomatisering of verkeerde konfigurasie, mag sommige namespaces nie geskep wees nie. As jy toestemming het om 'n namespace te skep, kan jy 'n namespace met 'n naam in die `values` lys skep en beleid sal nie op jou nuwe namespace van toepassing wees nie.
Check namespaces existence. Sometimes, due to automation or misconfiguration, some namespaces might have not been created. If you have permission to create namespace, you could create a namespace with a name in the `values` list and policies won't apply your new namespace.
The goal of this attack is to exploit **misconfiguration** inside VWC in order to bypass operators restrictions and then elevate your privileges with other techniques
Die doel van hierdie aanval is om **verkeerde konfigurasie** binne VWC te benut om operateurs se beperkings te omseil en dan jou voorregte met ander tegnieke te verhoog.
{{#ref}}
abusing-roles-clusterroles-in-kubernetes/
{{#endref}}
## References
## Verwysings
- [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper)
- [https://kyverno.io/](https://kyverno.io/)
- [https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)