
I would like to test a security vulnerability (attack scenario) in a K8s cluster. As a privileged K8s user, I want to mount the ~/.kube directory inside a pod in order to change/read K8s configurations and CA info, or maybe any root directory on the master node. The pod runs with no error, and I can tell that the directory has already been mounted into the pod, but I cannot read the mounted directory. Here is the deployment file:

apiVersion: v1
kind: Pod
metadata:
  name: attack-pod
  namespace: target-ns
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1001
    fsGroup: 0
    fsGroupChangePolicy: "OnRootMismatch"

  tolerations:
  - key: "is_control"
    operator: "Equal"
    value: "true"
    effect: "NoExecute"
  nodeName: master-node-1

  imagePullSecrets:
  - name: regcred

  containers:
  - name: attack-container
    image: bash
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - mountPath: /home/admin-user/.kube
      name: mount-root-into-mnt
    securityContext:
      allowPrivilegeEscalation: true

  volumes:
    - name: mount-root-into-mnt
      hostPath:
        path: /home/admin-user/.kube

  serviceAccountName: service-account

But when I exec into the pod with kubectl -n target-ns exec -it attack-pod -- bash and try to list the files inside /home/admin-user/.kube, I get this error:

ls: can't open '.': Permission denied!

The directory was mounted successfully, though, and I added the correct permissions in securityContext.

Mo Alkhodary
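A defender-side check for the manifest above, added here as an example and not part of the question: it audits a pod object the way an admission or CI policy would, flagging the combination the manifest builds (a hostPath volume, fsGroup 0, nodeName pinning to the control plane, a taint toleration, privilege escalation left enabled). The severity labels and the HIGH_RISK prefix list are this example's own assumptions, and the pod object is the question's manifest re-expressed as JSON.

```python
"""Admission-style audit of a pod spec for host-filesystem exposure."""
import json
# The question's manifest re-expressed as the JSON object kubectl returns (constructed).
POD_JSON = """{"kind": "Pod", "metadata": {"name": "attack-pod", "namespace": "target-ns"},
 "spec": {"securityContext": {"runAsUser": 1000, "runAsGroup": 1001, "fsGroup": 0},
  "tolerations": [{"key": "is_control", "operator": "Equal", "value": "true", "effect": "NoExecute"}],
  "nodeName": "master-node-1",
  "containers": [{"name": "attack-container", "image": "bash",
    "securityContext": {"allowPrivilegeEscalation": true},
    "volumeMounts": [{"mountPath": "/home/admin-user/.kube", "name": "mount-root-into-mnt"}]}],
  "volumes": [{"name": "mount-root-into-mnt", "hostPath": {"path": "/home/admin-user/.kube"}}]}}"""

# Host path prefixes treated as high severity when exposed to a pod (assumed list).
HIGH_RISK = ("/etc/kubernetes", "/var/lib/kubelet", "/root", "/home", "/var/run")
SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3}

def audit_pod(pod: dict) -> list:
    """Return (severity, message) findings for one pod object."""
    findings = []
    spec = pod.get("spec", {})
    host_vols = [v for v in spec.get("volumes", []) if v.get("hostPath")]
    for vol in host_vols:
        path = vol["hostPath"].get("path", "")
        sev = "high" if path.startswith(HIGH_RISK) else "medium"
        findings.append((sev, f"volume {vol['name']!r} exposes host path {path}"))
    # fsGroup does not rewrite ownership of hostPath volumes, so fsGroup: 0 next to
    # one signals intent to reach root-owned host files rather than a harmless default.
    if host_vols and spec.get("securityContext", {}).get("fsGroup") == 0:
        findings.append(("medium", "fsGroup 0 combined with a hostPath volume"))
    if spec.get("nodeName"):
        findings.append(("medium", f"pod pinned to node {spec['nodeName']} via nodeName"))
    for tol in spec.get("tolerations", []):
        if tol.get("effect") in ("NoExecute", "NoSchedule"):
            findings.append(("low", f"tolerates taint {tol.get('key')} ({tol['effect']})"))
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("allowPrivilegeEscalation", True):
            findings.append(("low", f"container {c['name']!r} allows privilege escalation"))
    return findings

def audit_json(text: str) -> list:
    """Audit a pod given as JSON text (e.g. output of kubectl get pod -o json)."""
    return audit_pod(json.loads(text))

def max_severity(findings) -> str:
    return max((s for s, _ in findings), key=SEVERITY.get, default="none")

if __name__ == "__main__":
    for sev, msg in audit_json(POD_JSON):
        print(f"[{sev}] {msg}")
```

Run against the manifest above it reports the hostPath exposure as high severity, which is the point at which a policy would reject the pod regardless of whether the container can actually read the mounted files.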