Skip to content

Kubernetes Pentest

The NodeZero Kubernetes Pentest runs from inside your Kubernetes cluster to test the security of your cluster by identifying security misconfigurations and weaknesses that exist in your cluster.

Why should I run a NodeZero Kubernetes Pentest?
How to Run a Kubernetes Pentest

Why should I run a NodeZero Kubernetes Pentest?

NodeZero runs from inside your cluster to help simulate the scenario that an attacker has gained a foothold on your cluster.

The foothold could be because an attacker found a user's kubeconfig file in a git repository or maybe an attacker compromised a web application running inside a pod in your cluster.

By running the Kubernetes pentest from inside your cluster and fixing the identified weaknesses, your organization can reduce the risk of the risk and impact of these attacks against your Kubernetes cluster.

How to Run a Kubernetes Pentest

To conduct a Kubernetes Pentest against your cluster, you must first install the NodeZero Operator. The NodeZero Operator will be the launch point for all the Kubernetes Pentests you run against your cluster. You only need to install the operator once per cluster allowing you to continuously test the security of your Kubernetes clusters.

Once installed, the operator can be used to install a runner or a single pentest.

Install the NodeZero Operator

Installation Requirements:

The NodeZero Operator and Kubernetes Pentest is supported on Kubernetes Cluster versions 1.24.0 and above.

You will need to have a terminal with kubectl and helm installed. Make sure kubectl is configured to use the context of your Kubernetes cluster.

The NodeZero Operator will need access to the following domains over port 443/TCP (Horizon3.ai's Consolidated Endpoints:

US-Based

  • gateway.horizon3ai.com
  • api.gateway.horizon3ai.com
  • registry.gateway.horizon3ai.com
  • interact.gateway.horizon3ai.com

EU-Based

  • gateway.horizon3ai.eu
  • api.gateway.horizon3ai.eu
  • registry.gateway.horizon3ai.eu
  • registry.gateway.horizon3ai.com
  • interact.gateway.horizon3ai.eu

Does the consolidated endpoint feature support the NodeZero Operator?

  • The NodeZero Operator and NodeZero Kubernetes Pentests are supported by consolidated endpoint.

1. Navigate to Kubernetes Operators

From the Pentest dropdown select Kubernetes Operators.

Pentests dropdown line at the top level navigation - Kubernetes Operators link

2. Create Operator

Click the + Create Operator button.

Kubernetes Operators screen - the Create Operator Button is at the top right of the table.

Input a descriptive name and click Submit.

Create Operator screen - Operator Name field

3. Install Operator

Follow the installation directions by copying the helm upgrade command and pasting into a terminal with Helm and Kubectl.

What permissions are needed to install the NodeZero Operator?

  • An example ClusterRole CRD with the needed permissions can be found here.

Create Operator pop-up - copy helm upgrade button

Install a Kubernetes Runner

1. Navigate to Runners

From the Pentest dropdown select Runners.

Pentests dropdown menu at the top level navigation of the UI has the Runners link.

2. Create Runner

Click the Install Runner button.

Runners screen - Install Runner button at the top right of the table.

Specify a name for the Runner, select the Use Kubernetes Runner toggle, specify a namespace, then click Submit.

Note

A Kubernetes Runner lives inside a namespace meaning any pentests that use that runner will run from that namespace. If desired, you can install a runner in each namespace.

Install Runner pop-up screen - Runner Name field, Use Kubernetes Switch, and Kubernetes Namespace field.

3. Install Runner

Copy this command and paste it into a terminal with Kubectl. Ensure that your current Kubectl context is set to your desired cluster. This one-time command will install the Runner using the NodeZero Runner Kubernetes Custom Resource Definition.

What permissions are needed to install the NodeZero runner?

  • An example ClusterRole CRD with the needed permissions can be found here.

Install Runner pop-up screen - Copy NodeZero Runner Kubernetes Resource button.

Run a Kubernetes Pentest

You can deploy NodeZero directly into any Kubernetes cluster, manage or self-managed, to pentest its security controls and vulnerabilities. Follow these steps to run a kubernetes pentest within your network.

1. Navigate to Pentests

Once you've installed a NodeZero Operator in your cluster, navigate to Pentests to start a Kubernetes pentest.

The pentests link is at the top level navigation of the UI

2. Click + Run Pentest

Click + Run Pentest to open Test Categories screen, and select Kubernetes Pentest from the "Infrastructure Attack Surface" category.

The run pentest button is next to the create schedule button

3. Configure the Kubernetes Pentest

3.1 Name the Kubernetes Pentest

Name the Kubernetes Pentest and select a pentest template.

Determine and follow a naming convention to allow you to quickly find a pentest from your pentest list.

An example: [date]|[library]|[NodeZero Src]|[scope]

2021-09-01|NodeZero|East-Coast-Bizops-Cluster|Full: This indicates that the NodeZero host was placed in the East Coast Bizops cluster and the cluster CIDR ranges were explicitly added to scope.

Name section - Pentest Template and Name input fields are required.

3.2 Select the Kubernetes Scope

Since the goal of the Kubernetes Pentest is to test your cluster, all Kubernetes resources are treated in scope including nodes, pods, and services. This means you cannot exclude any Kubernetes resources from testing.

The Kubernetes pentest scope is a set of IPs and/or subnets (in CIDR notation) that you explicitly want NodeZero to test.

Depending on where your NodeZero host is deployed, reachability to the provided scope can be affected by how much privilege, access, and authentication NodeZero can capture or is given.

Unlike vulnerability tools that scan for device fingerprints and services, NodeZero enumerates devices in scope and then chains together context, exploitable vulnerabilities, misconfiguration, insecure or weak controls, and any data or loot that it captures, to identify attack paths by priority of impact while providing proof. Typically, the larger the scope, the more findings you'll see, as NodeZero has much more to chain together.

There are three options for the Include section (defined below):

  • Intelligent Scope
  • Full RFC 1918 (192.168.0.0/16, 172.16.10.0/24, 10.0.0.0/8)
  • Custom IP(s) or Subnet(s)
    • Auto-expand (Optional)

While Intelligent Scope and RFC 1918 can be used, we recommend using a Custom scope with auto-expand to specify the IP or subnet (CIDR) range of your Kubernetes Cluster to distinguish in-cluster assets. Without specifying this NodeZero has a hard time determining what is inside or outside your cluster and therefore what is in scope and should be tested. To improve visibility into Kubernetes resources like pods and services, consider pairing your scope with a Kubernetes Service Account that has the appropriate permissions.

We also recommend providing the CIDR ranges of the internal network or VPC that your cluster resides in to see if NodeZero can reach outside the cluster to your other hosts.

Scope section - it's required to enter IP range when Intelligent scope is turned off.

3.3 Advanced Configuration Options

Select the types of services and vulnerabilities NodeZero will attempt to enumerate and exploit.

Attack configuration section - checkboxes and expandable sections

3.4 Runner

If you would like to deploy the pentest using a runner, feel free to select one! Please note that Kubernetes pentests can only use Kubernetes runners.

Runner section - Kubernetes Runner, Namespace, and Service Account input fields.

3.5 Kubernetes Settings

You can specify a Kubernetes Namespace and a Kubernetes Service Account that you would like NodeZero to use.

These are powerful settings that enable you to simulate the scenario where an attacker compromises a pod in your cluster.

To simulate this scenario simply specify the namespace and service account that one of your pods is configured with.

We recommend simulating pods that have ports accessible from outside the cluster as this is one of the more likely entry points for an attacker into your cluster.

Note

Since a Kubernetes runner lives inside a namespace, when you select a runner the pentest must run from that namespace, and you will not be able to customize that field.

3.6 Review the Kubernetes Pentest Configuration

Once satisfied with your pentest selections, check the box to indicate you've reviewed all advanced configuration settings. Then click Run Pentest, which launches the Kubernetes pentest.

I have reviewed... required checkbox and Run Pentest button

4. Deploy NodeZero

While the pentest is provisioning, its companion one-time-use software module, NodeZero, is made ready for deployment on your NodeZero Host.

Preparing pentest screen - copy kubectl command button

Copy this command and paste it into a terminal with Kubectl. Ensure that your current Kubectl context is set to your desired cluster. This one-time command will launch the Pentest using the NodeZero Pentest Kubernetes Custom Resource Definition.

What permissions are needed to deploy the pentest?

  • An example ClusterRole CRD with the needed permissions can be found here.

Real-Time View will show up, from where you can Inject Credentials and monitor pentest progress.

Pentest screen showing the new Kubernetes pentest at the top of the table.

You've started a Kubernetes Pentest

NodeZero sends an email once the Kubernetes Pentest completes.