Knock-knockin’ on kubelet’s door. From the doormat to full node access.

Image for post
Image for post

Through this article, we will see a Proof of Concept on how to:

  • Find public unauthenticated kubelet APIs.
  • Use kubelet API to do remote code execution on containers.
  • Gain an interactive shell on a container running inside a node.
  • Explore credentials and access the API Server from inside, with cluster-admin privileges.
  • Spawn a privileged container and escape to the node host.

Table of Contents

· Introduction · Kubelet API ∘ Don’t Panic (yet) · Searching for public unauthenticated APIs · Proof of Concept ∘ Creating a test environment ∘ Remote Code Execution ∘ Obtaining Service Account Tokens ∘ Accessing the API from inside…


An introduction to Prometheus Operator, how to deploy it in Minikube (with helm) and configure alert notifications for Slack.

TL;DR

If you are not patient and wants to skip the better part of the learning, here is your commands/files:

# Minikube setup
$ minikube start --kubernetes-version=v1.13.4 \
--memory=4096 \
--bootstrapper=kubeadm \
--extra-config=scheduler.address=0.0.0.0 \
--extra-config=controller-manager.address=0.0.0.0
# Helm Initialization
$ kubectl create serviceaccount tiller --namespace kube-system
$ kubectl create clusterrolebinding tiller-role-binding --clusterrole cluster-admin --serviceaccount=kube-system:tiller$ helm init --service-account tiller# Installing Prometheus Operator
$ helm install stable/prometheus-operator --version=4.3.6 --name=monitoring --namespace=monitoring --values=values_minikube.yaml

Introduction

An introduction about terms, tools, Prometheus components and the architecture of the monitoring stack.

Prometheus

Prometheus, a Cloud Native Computing Foundation project, is a systems and service monitoring system. It collects…


Image for post
Image for post

When you are working with multiple Kubernetes clusters, it’s easy to mess up with contexts and run kubectl in the wrong cluster. You don’t want to contribute to the kubernetes-failure-stories, I guess.

Beyond that, Kubernetes has restrictions for versioning mismatch between the client (kubectl) and server (kubernetes master), so running commands in the right context does not mean running the right client version.

[…] a client should be skewed no more than one minor version from the master, but may lead the master by up to one minor version.

Fortunately, there are some useful tools out there to help, which…

Eduardo Baitello

Linux lover, DevOps enthusiast, Kubernetes adept and {{insert_another_catchphrase}} — https://eduardobaitello.com.br

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store