Exploit: k8s shadow apiserver
Deploy a shadow apiserver with the same configurations with a current kube-apiserver pod in namespace kube-system. The shadow apiserver receive anonymous request and execute all k8s actions with none audit log, use it to control K8s cluster and perform further attacks.
部署一个shadow apiserver,该apiserver具有和集群中现存的apiserver一致的功能,同时开启了全部K8s管理权限,接受匿名请求且不保存审计日志。便于攻击者无痕迹的管理整个集群以及下发后续渗透行动。
- See more about shadow-apiserver attack in https://www.youtube.com/watch?v=CH7S5rE3j8w
- See more about how to use shadow-apiserver in https://www.cdxy.me/?p=839
./cdk run k8s-shadow-apiserver (default|anonymous|<service-account-token-path>)
Request Options:
default: connect API server with pod's default service account token
anonymous: connect API server with user system:anonymous
<service-account-token-path>: connect API server with user-specified service account token.
Deploy a shadow apiserver in cluster.
./cdk run k8s-shadow-apiserver default
