Kubernetes: Master Post

我准备了几篇关于Kubernetes的文章，并将本文作为主索引文章来提供该主题的参考资料。如果我遗漏了任何博客文章或有用的资源，请在这里或Twitter上联系我。

如果你对Kubernetes感兴趣，应该观看以下演讲：

通过实例进行Kubernetes集群的攻击与加固 [I] - Brad Geesaman
https://www.youtube.com/watch?v=vTgQLzeBfRU
https://github.com/bgeesaman/
https://github.com/bgeesaman/hhkbe [上述演讲的演示代码]
https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf [幻灯片]

完美风暴：掌控Kubernetes - Ian Coldwater
https://www.youtube.com/watch?v=1k-GIDXgfLw

黑客的Kubernetes和云指南 - Rory McCune
https://www.youtube.com/watch?v=dxKpCO2dAy8

在海盗出没的水域中航行：Kubernetes中的实际攻击与防御
https://www.youtube.com/watch?v=ohTq0no0ZVU

其他人的博客文章：

https://techbeacon.com/hackers-guide-kubernetes-security
https://elweb.co/the-security-footgun-in-etcd/
https://www.4armed.com/blog/hacking-kubelet-on-gke/
https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/
https://www.4armed.com/blog/hacking-digitalocean-kubernetes/
https://github.com/freach/kubernetes-security-best-practice
https://neuvector.com/container-security/kubernetes-security-guide/
https://medium.com/@pczarkowski/the-kubernetes-api-call-is-coming-from-inside-the-cluster-f1a115bd2066
https://blog.intothesymmetry.com/2018/12/persistent-xsrf-on-kubernetes-dashboard.html
https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/
https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/
https://raesene.github.io/blog/2017/04/02/Kubernetes-Service-Tokens/
https://www.cyberark.com/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions/
https://labs.mwrinfosecurity.com/blog/attacking-kubernetes-through-kubelet/
https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

审计工具

https://github.com/Shopify/kubeaudit
https://github.com/aquasecurity/kube-bench
https://github.com/aquasecurity/kube-hunter

CVE-2018-1002105 资源

https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/gravitational/cve-2018-1002105
https://github.com/evict/poc_CVE-2018-1002105

CG 文章：

开放 Etcd：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-open-etcd.html
使用 kube-hunter 的 Etcd：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunterpy-etcd.html
cAdvisor：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-cadvisor.html

Kubernetes 端口：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html
Kubernetes 仪表板：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html
Kublet 10255：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html
Kublet 10250
     - 容器日志：http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html
     - 获取 shell 方法1：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html
     - 获取 shell 方法2：https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html

云元数据URL和Kubernetes

• 我会在发布后更新