Kubernetes Namespaces bypass

Scenario Information

By default, Kubernetes uses a flat networking schema, which means any pod/service within the cluster can talk to any other. Namespaces within the cluster don't carry any network security restrictions by default, so any pod in one namespace can talk to pods in other namespaces. We heard that Kubernetes-Goat loves cache. Let's see if we can gain access to other namespaces.

  • To get started with the scenario, let's run our awesome hacker-container in the default namespace
kubectl run -it hacker-container --image=madhuakula/hacker-container -- sh

[Screenshot: Scenario 11 welcome]

Scenario Solution

  • Get the cluster IP range information
ip route

[Screenshot: Scenario 11 recon]

  • Based on the route information, we can scan the entire cluster range for Redis (port 6379) using zmap (replace the placeholder with the cluster range seen in the ip route output)
zmap -p 6379 <cluster-ip-range> -o results.csv

[Screenshots: Scenario 11 zmap; Scenario 11 output IPs]

Services and pods in Kubernetes can also be reached by their cluster DNS name, for example servicename.namespace (the fully qualified form is servicename.namespace.svc.cluster.local).

  • Let's access the Redis instance using the redis-cli client (replace the placeholder with an IP from the zmap results)
redis-cli -h <redis-pod-ip>

[Screenshot: Scenario 11 Redis access]

There are many other services and resources exposed within the cluster, such as Elasticsearch, MongoDB, etc. If your recon skills are good, you have a gold mine here.
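The flat network described at the top of the page is what makes the cross-namespace Redis access work, and the standard fix is a NetworkPolicy in the namespace that hosts the cache. The following manifest is an added example, not part of Kubernetes-Goat or of this page; it assumes the Redis pod runs in a namespace named cache-ns (an assumed name) and that the cluster's CNI plugin enforces NetworkPolicy (e.g. Calico or Cilium; with a CNI that does not, the objects are accepted by the API server but have no effect).

```yaml
# Added example (not from Kubernetes-Goat). Namespace name "cache-ns" is assumed.
# Policy 1: deny all ingress to every pod in cache-ns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: cache-ns
spec:
  podSelector: {}          # empty selector = every pod in cache-ns
  policyTypes:
    - Ingress              # Ingress listed with no rules = all ingress denied
---
# Policy 2: re-allow traffic only from pods in the same namespace.
# A podSelector inside "from" without a namespaceSelector matches pods in the
# policy's own namespace, so pods in "default" (the hacker-container) are excluded.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: cache-ns
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 6379       # only the Redis port is reopened
```

Apply it with kubectl apply -f cache-networkpolicy.yaml and then repeat the redis-cli -h step from the hacker-container in the default namespace: the connection should now hang or be refused instead of returning a prompt, while clients inside cache-ns keep working. Policies are additive, so the allow rule narrows the deny rule rather than replacing it; if a specific application namespace legitimately needs the cache, add a namespaceSelector for it to the from list instead of dropping the deny policy.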