Create Client Certificate Credential

idempotent

Platform: Kubernetes

MITRE ATT&CK Tactics

  • Persistence

Description

Creates a client certificate for a privileged user. This client certificate can be used to authenticate to the cluster.

Warm-up: None

Detonation:

  • Create a certificate signing request (CSR)
  • Wait for the CSR to be picked up and return a certificate
  • Print the client-side certificate and private key

Note: This attack technique does not succeed on AWS EKS. Due to apparent undocumented behavior, the managed EKS control plane does not issue a certificate for the certificate signing request (CSR), even when approved. However, it is still relevant to simulate attacker behavior.

Note: The certificate is issued to system:kube-controller-manager because this identity exists in most clusters and already has a ClusterRoleBinding to ClusterRole/system:kube-controller-manager, which includes privileged permissions such as reading all secrets in the cluster and creating tokens for any service account.

Instructions

stratus detonate k8s.persistence.create-client-certificate

Detection

Using Kubernetes API server audit logs. In particular, look for the creation and approval of CSR objects that are not part of normal cluster operation (e.g., kubelet certificate issuance).
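One way to implement the audit-log check described above, as an added example that is not part of Stratus Red Team: it scans Kubernetes API server audit events and flags CSR creations whose signerName is outside the kubelet signers, and CSR approvals performed by anything other than the certificate controller. The baseline signer and approver names and the sample events are constructed assumptions, and the create event must be logged at RequestResponse level for requestObject to be present.

```python
import json

CSR_RESOURCE = "certificatesigningrequests"
# Signers used by routine kubelet certificate issuance (assumed baseline).
KUBELET_SIGNERS = {
    "kubernetes.io/kube-apiserver-client-kubelet",
    "kubernetes.io/kubelet-serving",
}
# The in-cluster controller that auto-approves kubelet CSRs (assumed baseline).
ROUTINE_APPROVERS = {"system:serviceaccount:kube-system:certificate-controller"}


def suspicious_csr_events(audit_lines):
    """Return (reason, username, csr_name) tuples for CSR creations that
    request a non-kubelet signer and for approvals by anything other than
    the certificate controller. Expects audit events at RequestResponse
    level so that requestObject is present on the create event."""
    findings = []
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != CSR_RESOURCE:
            continue  # only CSR objects are of interest here
        user = ev.get("user", {}).get("username", "<unknown>")
        name = ref.get("name", "<unnamed>")
        verb, sub = ev.get("verb"), ref.get("subresource")
        if verb == "create" and sub is None:
            spec = (ev.get("requestObject") or {}).get("spec") or {}
            if spec.get("signerName") not in KUBELET_SIGNERS:
                findings.append(("csr-created-non-kubelet-signer", user, name))
        elif sub == "approval" and verb in ("update", "patch"):
            if user not in ROUTINE_APPROVERS:
                findings.append(("csr-approved-outside-controller", user, name))
    return findings


# Constructed sample audit events (not real cluster data), one JSON object per line.
AUDIT_LINES = [
    '{"verb":"create","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"certificatesigningrequests","name":"csr-node-1"},"requestObject":{"spec":{"signerName":"kubernetes.io/kube-apiserver-client-kubelet"}}}',
    '{"verb":"update","user":{"username":"system:serviceaccount:kube-system:certificate-controller"},"objectRef":{"resource":"certificatesigningrequests","name":"csr-node-1","subresource":"approval"}}',
    '{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"certificatesigningrequests","name":"rogue-csr"},"requestObject":{"spec":{"signerName":"kubernetes.io/kube-apiserver-client"}}}',
    '{"verb":"update","user":{"username":"alice"},"objectRef":{"resource":"certificatesigningrequests","name":"rogue-csr","subresource":"approval"}}',
    '{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","name":"web"}}',
]

if __name__ == "__main__":
    for finding in suspicious_csr_events(AUDIT_LINES):
        print(*finding)
```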