A Guide to Kubernetes Hacking — Part 1: Introduction to Kubernetes
In this series of articles I am going to talk about the basics of Kubernetes hacking and will share a practical approach to it.
This is an introductory article about the basics of Kubernetes. If you know what Kubernetes is, its architecture and configuration, you can skip this part.
What is Kubernetes?
Kubernetes is an open source container orchestration system. It is used for automating deployment, scaling, and management of containerized applications.
Why is Kubernetes so popular?
- Kubernetes is highly scalable. Workloads can be scaled up and down to match any requirement.
- Kubernetes is highly portable, which means it works effortlessly in all kinds of infrastructures e.g. on-premises, hybrid, or public cloud infrastructure.
- Kubernetes is flexible, and it can manage applications no matter how complex they are.
Kubernetes architecture:
Before we begin our security tests, we must know certain things about the architecture of Kubernetes. You may have heard the term ‘Cluster’ related to Kubernetes. The components of the Cluster architecture are the following:
Pod:
A pod is the smallest deployable unit that Kubernetes can create and manage. There can be multiple containers in a pod (like peas!) sharing storage and network resources and have a specification on how to run those containers.
Nodes:
Kubernetes workloads are run in the containers placed in pods and pods run on nodes. Nodes can be physical or virtual machines. To put simply, if applications run in containers placed in a pod, the services required for running those apps are in the nodes.
Kubernetes cluster is a set of nodes.
There are two types of nodes: the control plane and the worker nodes.
The control plane:
The control plane is the master node that controls the worker nodes and pods in a cluster. It has several components:
kube-apiserver is the front end of the control plane. It provides the API interface used to manage, create, and configure Kubernetes clusters. The users, external components, and parts of your cluster all communicate with each other using the API that the kube-apiserver exposes.
Etcd is the key/value store that stores the cluster data or the current state of the cluster.
kube-scheduler is a process that assigns pods to nodes. It decides which pods will be assigned to which nodes according to constraints and available resources.
Kube-controller-manager is a daemon that manages the controllers. A controller watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers: replication controller, endpoints controller, namespace controller, and serviceaccounts controller.
Cloud-controller-manager is a Kubernetes control plane component that lets you link your cluster into your cloud provider’s API, and separates out the components that interact with that cloud platform from components that only interact with your cluster.
The worker nodes:
Worker nodes maintain running pods. The main components of worker nodes are listed below:
Kubelet runs on each node and according to the PodSpecs (a YAML or JSON object that describes a pod), it ensures that the containers are running and healthy in the pods.
Kube-proxy maintains network communication in the cluster. It creates networking rules that direct traffic to pods.
Container runtime needs to be installed in each node to get the containers running in the pods. Example: Docker.
The architecture diagram is shown below:
Some important concepts to know about Kubernetes:
Namespaces: In Kubernetes, namespaces isolate the groups of resources in a single cluster. Names of resources need to be unique within a namespace, but not across namespaces.
ReplicaSet: A ReplicaSet maintains a stable set of replica pods running during any given time to ensure availability.
Deployment: A deployment defines a specific desired state of the cluster. According to the specification of deployment, the deployment controller changes the state of the cluster to the desired state.
StatefulSets: Stateful applications store user data so that it can return to a particular state. For stateless applications, deployments can be used to define and manage replica pods. Pods can be created with random names and random pods can be deleted when required.
For stateful applications, pods cannot be randomly created or deleted and each pod must have a unique identifier. StatefulSets manage and define these pods. Pods can be created from the same specification but cannot be used interchangeably. StatefulSet has one pod with read/write access to the database, known as the master pod and the other pods with only read access to the database are known as slave pods. Slave pods can have their own replications on the storage and are continuously synchronized to keep up with the changes made by the master node.
Services: Services provide a single static IP address to a pod and its replicas, so that the pods can be connected over a network within the cluster as well as to external applications. The service is placed in front of the pods and exposes it via an access point. The connection requests are load-balanced via replica pods.
Ingress: Ingress is an API object that manages external access to the services in a cluster. It acts as a single access point that routes traffic to all the services in a cluster.
How to configure Kubernetes?
To configure Kubernetes setup, two configuration files are required: one for deployment and one for service. These files are generally written in YAML but sometimes JSON format is also used.
The required fields in the config files are the following:
apiVersion: The version of Kubernetes API that is going to be used.
kind: The kind of object that is going to be created.
metadata: The data that is going to uniquely identify the created object.
spec: The desired state of the object.
Here’s an example of service config file:
This file will create a new service named “example-nginx-service” and it will look for apps with the nginx label and will target port 80. The “targetPort” is the port the service will send requests to and the “port” is the port number where the service is exposed.
Here’s an example deployment file:
In the outer ‘spec’ field, we tell Kubernetes we want 3 replicas (identical pods) in this ReplicaSet. The ‘selector’ field has a ‘matchLabels’, which matches what we defined in the ‘selector’ field for the service YAML.
These config files specify the desired state of Kubernetes components. Kubernetes constantly checks the Etcd for current state and compares it to the desired state in these config files. If the desired state does not match, it immediately starts making the necessary changes.
Kubectl:
To get the processes running from the configuration files, kubectl is used. It is a command line tool for communicating with a Kubernetes cluster’s control plane, using the Kubernetes API.
After the configuration files are defined you can apply them using kubectl with the following command:
kubectl apply -f example-deployment.yaml
Once the configurations are applied, you can check which pods are running using ‘get’ option.
kubectl get pods -n example-namespace
If you want more information on a particular pod, you can use the ‘describe’ option:
kubectl describe pod example-pod -n example-namespace
If you need to check the logs of a pod, use the following command:
kubectl logs example-pod -n example-namespace
If you want to interact with the container via accessing a shell and execute commands, the ‘exec’ command helps:
kubectl exec -it example-pod -n example-namespace — — sh
“-it” stands for interactive mode and “ — — sh” stands for shell.
The “port-forward” command allows you to create a secure tunnel between your local machine and a running pod in your cluster. For example, a web application running across pods exposed via web application service, if the target port is 8080 and our local port is 8090, then the following command will make the web application accessible at http://localhost:8090.
kubectl port-forward service/example-service 8090:8080
There are several other useful commands of kubectl. You can check the details in this link.
In the upcoming posts I will talk about Kubernetes security testing and how to secure Kubernetes.
The following room on TryHackMe has a nice hands-on exercise on Kubernetes. You can check it out:
Thank you for reading! Hope this helped.
