Kubernetes Enumeration
Recon
Enumerating Kubernetes clusters reveals misconfigurations, exposed services, and potential attack paths. Enumeration can start from inside a compromised pod or from outside the cluster.
Internal Enumeration (From Pod)
bash
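# Environment discovery: in-cluster service discovery is injected through
# KUBERNETES_SERVICE_* (and other *_SERVICE_*) variables plus kube-dns.
env | grep -i kube
# kube-dns resolver; the search line carries the pod's own namespace
# (<namespace>.svc.cluster.local)
cat /etc/resolv.conf
# API server location. printf with quoted expansions: echo would misparse a
# value that starts with '-' and the unquoted form is subject to word-splitting.
printf '%s:%s\n' "${KUBERNETES_SERVICE_HOST:-}" "${KUBERNETES_SERVICE_PORT:-}"
# What the mounted service-account token is allowed to do. The answer is the
# RBAC bound to the pod's SA; pods that never need the API should carry
# automountServiceAccountToken: false and a dedicated minimal-RBAC SA.
kubectl auth can-i --list
kubectl auth can-i create pods
kubectl auth can-i get secrets
# Resources the token can read. When API-server audit logging is enabled,
# a pod-originated cluster-wide "get secrets" is a strong detection signal.
kubectl get pods -A
kubectl get secrets -A
kubectl get services -A
kubectl get nodes
# Cluster-level info
kubectl cluster-info
kubectl get namespaces
# ConfigMaps frequently hold connection strings or credentials that belong
# in Secrets; review them with the same care.
kubectl get configmaps -A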
kubectl get configmap <name> -o yaml
External Enumeration
bash
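# Scan for Kubernetes control-plane and node ports:
#   443/6443/8443 API server, 10250 kubelet (authenticated),
#   10255 kubelet read-only, 2379 etcd client, 30000-32767 NodePort services
nmap -sV -p 443,6443,8443,10250,10255,2379,30000-32767 target
# Anonymous kubelet access (-k: cluster certificates are usually self-signed).
# Hardening on the kubelet: --anonymous-auth=false --authorization-mode=Webhook
# --read-only-port=0
curl -k https://target:10250/pods
# etcd. ETCDCTL_API=3 is set explicitly: `get --prefix --keys-only` is a v3
# command and older etcdctl builds default to the v2 API. etcd holds every
# Secret in the cluster, so its client port must require TLS client certs.
ETCDCTL_API=3 etcdctl --endpoints=http://target:2379 get / --prefix --keys-only
# API server anonymous access. A hardened API server answers 401/403 here
# (--anonymous-auth=false, or RBAC denying system:anonymous); a listing is a finding.
curl -k https://target:6443/api/v1/pods
# kube-hunter - automated enumeration
kube-hunter --remote target.com
# kubeaudit - security audit of cluster workloads
kubeaudit all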